• PDF / 1,351,910 Bytes
• 18 Pages / 595.224 x 790.955 pts Page_size
• 33 Downloads / 209 Views

DOWNLOAD

REPORT

A Formal Specification of Access Control in Android with URI Permissions Samir Talegaon1 · Ram Krishnan1 Accepted: 10 September 2020 © Springer Science+Business Media, LLC, part of Springer Nature 2020

Abstract A formal specification of access control yields a deeper understanding of any operating system, and facilitates performing security analysis of the OS. In this paper, we provide a comprehensive formal specification of access control in Android (ACiA). Prior work is limited in scope, furthermore, recent developments in Android concerning dynamic runtime permissions require rethinking of its formalization. Our formal specification includes three parts, the user-initiated operations (UIOs) and app-initiated operations (AIOs) - which are distinguished based on the initiating entity, and the URI permissions which are utilized in sharing temporary access to data. We also studied the evolution of URI permissions from API 10 (Gingerbread) to API 22 (Lollipop), and a brief discussion on this is included in the paper. Formalizing ACiA allowed us to discover many peculiar behaviors pertaining to ACiA. In addition to that, we discovered two significant issues with permissions in Android which were reported to Google. Keywords Android · System permissions · URI permissions · Access control · Formal model

1 Introduction A formal specification of Access Control in Android (ACiA) facilitates a deeper understanding of the nature in which Android regulates app access to resources. Prior work on formalization of the perm mechanism exists, but is limited in its scope since most of it is based on the older install time perm system (Shin et al. 2010; Fragkaki et al. 2012; Betarte et al. 2015; Bagheri et al. 2015b). Hence, detailed analysis and testing needs to be conducted to build the model for ACiA (ACiAα ), to enable a systematic review for security vulnerabilities. Android contains a wide variety of software resources such as access to the Internet, contacts on the phone, pictures and videos etc., and hardware resources such as Bluetooth, NFC, WiFi, Camera etc. Android apps require the use of such resources, and they request access to them, from the Android OS. Android in turn, seeks user interaction to approve some of these requests and grant the necessary permissions to the apps (https://developer.  Samir Talegaon

[email protected] 1

The University of Texas at San Antonio, One UTSA Circle, San Antonio, TX 78249, USA

android.com/training/permissions/requesting/, Enck et al. 2009b) (see Fig. 1). These permissions, provide some protection against unauthorized access of app data, however, research suggests that it is inadequate (Bugiel et al. 2012; Enck et al. 2011; Chin et al. 2011; Davi et al. 2010; Grace et al. 2012; Enck et al. 2009b). This inadequacy can cause issues with privacy and security of the user’s data, and requires a formal approach towards that facilitates its analysis. As mentioned before, Android apps need to request permissions from the user, and this results in the user needing to interact with su

Recommend Documents

Formal Specification of Railway Control Systems

202 18 355KB

URI

186 113 2MB

Formal Specification Level Concepts, Methods, and Algorithms

155 44 7MB

Permissions

148 78 5MB

Restricting Permissions

144 16 8MB

Access Control

192 85 47MB

Malware Analysis Method Based Random Access Memory in Android

232 65 1MB

Tendermint Blockchain Synchronization: Formal Specification and Model Checking

170 112 28MB

Access Control

178 94 239KB

Access Control

186 70 2MB

Access Control

203 117 49MB

Reusable Formal Models for Threat Specification, Detection, and Treatment

202 81 21MB