Lintent: Towards Security Type-Checking of Android Applications

Bugliesi, Michele; Calzavara, Stefano; Spanò, Alvise

doi:10.1007/978-3-642-38592-6_20

Cited by 19 publications

(23 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

Section: Privilege Escalationmentioning

confidence: 99%

“…In such models, extra controls are implemented in order to prevent the called instance from being used as a deputy of an unprivileged component [22]. The issues just discussed were originally presented in [22,28,31] but referred to earlier versions of the Android platform and used different approaches to perform their analysis. Since our formalism fully captures both the interaction between components and the execution of API calls in the Android system we are convinced that the latest versions of the platform are still vulnerable to this kind of privilege escalation problems.…”

Section: Privilege Escalationmentioning

confidence: 99%

“…Given an expression defined in this language, if a type can be inferred for it, the operation being modelled is in compliance with some desirable security properties concerning the integrity and confidentiality of the information being exchanged. Analogously, Armando et al [14] and Bugliesi et al [22] present a type and effect system in which they model basic Android components and the semantics of some operations. Although these three publications follow similar approaches, they all define different new languages, which are focused on the features being analyzed in each work.…”

Section: Related Workmentioning

confidence: 99%

“…Some of them [26,38] point out the rigidity of the permission system regarding the installation of new applications in the device. Other studies [22,31] have shown that many aspects of Android security, like avoiding privilege escalation, depend on the correct construction of applications by their developers. Additionally, it has been pointed out [31,32] that the mechanism of permission delegation offered by the system has characteristics that require further analysis in order to ensure that no new vulnerabilities are added when a permission is delegated.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Formal Analysis of Android's Permission-Based Security Model

Betarte¹,

Campo²,

Luna³

et al. 2016

SACS

View full text Add to dashboard Cite

In this work we present a comprehensive formal specification of an idealized formulation of Android's permission model. Permissions in Android are basically tags that developers declare in their applications, more precisely in the so-called application manifest, to gain access to sensitive resources. Several analyses have recently been carried out concerning the security of the Android system. Few of them, however, pay attention to the formal aspects of the permission enforcing framework. We provide a complete and uniform formulation of several security properties using the higher order logic of the Calculus of Inductive Constructions and sketch the proofs that have been developed and verified using the Coq proof assistant. We also analyze how the changes introduced in the latest version of Android, that allows to manage permissions at runtime, impact the presented model.

show abstract

Section: Privilege Escalationmentioning

confidence: 99%

Section: Privilege Escalationmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Formal Analysis of Android's Permission-Based Security Model

Betarte¹,

Campo²,

Luna³

et al. 2016

SACS

View full text Add to dashboard Cite

show abstract

“…The modules of security architecture are implemented and deployed according to their responsibility. The usage and access module monitors the access to the FIGURE 7 Tiny4412 development board supporting ARM TrustZone that have been verified using the proof assistant of Coq., 44 Armando et al, 45 and Bugliesi et al 46 who presented a type and effect system in which they model basic Android's components and some operations.…”

Section: Experimental and Comparison Evaluationmentioning

confidence: 99%

Towards a multilayered permission‐based access control for extending Android security

Chang¹,

Jiang²,

Chen

et al. 2017

Concurrency and Computation

View full text Add to dashboard Cite

This paper discusses security issues on the user equipment, which is the "last mile" of social networks. One of the main Achilles' heel of social networks is not the organization of networks themselves, but the user devices, typically Android ones. The existing system of privileges makes it easy to infiltrate the network via applications installed on users' devices. Conventional signature-based and static analysis methods are vulnerable. Access to privacy-and security-relevant parts of the application programming interface is controlled by the corresponding permission in a manifest file. While requesting access to permissions, it may offer opportunities to malicious codes, which will cause security issues. Few works among permission analysis, however, pay attention to the prevention of permission leakage on both hardware and software frameworks. In this paper we tackle the challenge of providing our multilayered permission-based security extension scheme on Android platforms. We propose a usage and access control model and an effective method of preventing permission leakage based on ARM TrustZone security extension mechanism. In contrast to previous work, the proposed security architecture provides a permission-based mandatory access control on Android middleware, Linux kernel, and hardware layers. The evaluation results demonstrate the effectiveness of the proposed scheme in mitigating permission leakage vulnerabilities.

show abstract

Realization of a user‐centric, privacy preserving permission framework for Android

Nauman

Khan

Othman

et al. 2014

Security Comm Networks

View full text Add to dashboard Cite

Android has been steadily gaining market share, and the number of available applications is increasing at a healthy pace. Because of the myriad of third‐party applications, privacy concerns are starting to surface in the community. Application developers usually request access to more system resources than are strictly required for their apps. However, the stock Android permission model does not allow users to selectively grant permissions. This is a well‐known issue, but existing solutions to this problem are either too abstract or require detailed changes to the core model—making it difficult for both developers and users to accept them. In this paper, we present a fine‐grained, user‐centric permission model for Android that allows users to selectively grant permissions to applications that they install. Our model allows specification of permissions based on application and system attributes as well as simple yes or no policies. The model is kept as simple as possible, and its open source implementation is highly usable for the average end user. It requires minimal backward compatible changes to the core permission model and is shown to be highly efficient in terms of performance overhead. We present our model and point interested readers to our freely available changeset to help them use, evaluate, and improve our permission model. Copyright © 2014 John Wiley & Sons, Ltd.

show abstract

Lintent: Towards Security Type-Checking of Android Applications

Cited by 19 publications

References 10 publications

Formal Analysis of Android's Permission-Based Security Model

Formal Analysis of Android's Permission-Based Security Model

Towards a multilayered permission‐based access control for extending Android security

Realization of a user‐centric, privacy preserving permission framework for Android

Contact Info

Product

Resources

About