DOI: 10.1145/3540250.3549142
research-article

Cross-language Android permission specification

Published: 09 November 2022

Abstract

The Android system manages access to sensitive APIs by permission enforcement. An application (app) must declare proper permissions before invoking specific Android APIs. However, there is no official documentation providing the complete list of permission-protected APIs and the corresponding permissions to date. Researchers have spent significant effort extracting such API protection mappings from the Android API framework, leveraging static code analysis to determine whether specific permissions are required before accessing an API. Nevertheless, none of them has attempted to analyze the protection mapping in the native library (i.e., code written in C and C++), an essential component of the Android framework that handles communication with the lower-level hardware, such as cameras and sensors. While the protection mapping can be utilized to detect various security vulnerabilities in Android apps, such as permission over-privilege, imprecise mapping will lead to false results in detecting such security vulnerabilities. To fill this gap, we propose to construct the protection mapping involved in the native libraries of the Android framework to present a complete and accurate specification of Android API protection. We develop a prototype system, named NatiDroid, to facilitate the cross-language static analysis and compare its performance with two state-of-the-practice tools, termed Axplorer and Arcade. We evaluate NatiDroid on more than 11,000 Android apps, including system apps from custom Android ROMs and third-party apps from Google Play. Our NatiDroid can identify up to 464 new API-permission mappings, in contrast to the worst-case results derived from both Axplorer and Arcade, where approximately 71% of apps have at least one false positive in permission over-privilege. We have disclosed all the potential vulnerabilities detected to the stakeholders.



Published In

ESEC/FSE 2022: Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering
November 2022
1822 pages
ISBN: 9781450394130
DOI: 10.1145/3540250
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Android
  2. cross-language analysis
  3. native code
  4. permission

Qualifiers

  • Research-article

Conference

ESEC/FSE '22

Acceptance Rates

Overall Acceptance Rate 112 of 543 submissions, 21%

Cited By

  • (2024) Call Graph Soundness in Android Static Analysis. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 945-957. DOI: 10.1145/3650212.3680333. Online publication date: 11-Sep-2024
  • (2024) Cross-Language Taint Analysis: Generating Caller-Sensitive Native Code Specification for Java. IEEE Transactions on Software Engineering 50:6, 1518-1533. DOI: 10.1109/TSE.2024.3392254. Online publication date: 27-May-2024
  • (2024) MDADroid. Computers and Security 146:C. DOI: 10.1016/j.cose.2024.104061. Online publication date: 1-Nov-2024
  • (2024) Exploring Cross Ecosystem Vulnerability Impacts. Managing Software Supply Chains, 149-177. DOI: 10.1007/978-981-96-1797-5_7. Online publication date: 4-Dec-2024
  • (2023) Demystifying Hidden Sensitive Operations in Android Apps. ACM Transactions on Software Engineering and Methodology 32:2, 1-30. DOI: 10.1145/3574158. Online publication date: 29-Mar-2023
