Resolving the predicament of android custom permissions
Abstract
Android leverages a set of system permissions to protect platform resources. At the same time, it allows untrusted third-party applications to declare their own custom permissions to regulate access to app components. However, Android treats custom permissions the same way as system permissions even though they are declared by entities of different trust levels. In this work, we describe two new classes of vulnerabilities that arise from the ‘predicament’ created by mixing system and custom permissions in Android. These have been acknowledged as serious security flaws by Google and we demonstrate how they can be exploited in practice to gain unauthorized access to platform resources and to compromise popular Android apps. To address the shortcomings of the system, we propose a new modular design called Cusper for the Android permission model. Cusper separates the management of system and custom permissions and introduces a backward-compatible naming convention for custom permissions to prevent custom permission spoofing. We validate the correctness of Cusper by 1) introducing the first formal model of Android runtime permissions, 2) extending it to describe Cusper, and 3) formally showing that key security properties that can be violated in the current permission model are always satisfied in Cusper. To demonstrate Cusper’s practicality, we implemented it in the Android platform and showed that it is both effective and efficient.
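The abstract's central point is that system and custom permissions share one namespace even though their declarers have different trust levels, which is what makes custom permission spoofing possible, and that Cusper's remedy is to manage the two kinds separately and bind custom permission names to their declarer. The following toy model is an added illustration, not code from the paper or from the Cusper implementation. It assumes a simplified first-declaration-wins rule for the flat namespace and approximates Cusper's separation by keying custom permissions on the declaring package; the package and permission names are constructed for the example.

```python
"""Toy model (added illustration, not the paper's code) of the permission
'predicament': one flat, name-keyed table shared by system and app-declared
permissions, versus a design that keeps the two apart and binds a custom
permission to its declaring package. All names below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Perm:
    name: str        # permission string as written in a manifest
    protection: str  # "normal" (granted on request) or "signature"
    owner: str       # package that declared it


class FlatNamespace:
    """Approximation of the current model (assumed for this example):
    every permission, system or custom, lives in one table keyed only by
    its name, and the first declaration of a name is the one that sticks."""

    def __init__(self):
        self.table = {}

    def declare(self, perm):
        self.table.setdefault(perm.name, perm)
        return self.table[perm.name]

    def lookup(self, name):
        return self.table.get(name)


class SeparatedNamespace:
    """Cusper-like approximation (the real naming convention is not
    reproduced here): system permissions have their own table, and a
    custom permission is keyed by (owner, name), so two packages that
    declare the same string never collide and neither can shadow a
    system permission."""

    def __init__(self):
        self.system = {}
        self.custom = {}

    def declare(self, perm, is_system=False):
        if is_system:
            self.system.setdefault(perm.name, perm)
            return self.system[perm.name]
        key = (perm.owner, perm.name)
        self.custom.setdefault(key, perm)
        return self.custom[key]

    def lookup(self, name, owner=None):
        # A check against a system permission never consults custom entries.
        if owner is None:
            return self.system.get(name)
        return self.custom.get((owner, name))


# Constructed identities for the walkthrough.
OTHER_PKG = "com.example.other"
VICTIM_PKG = "com.example.victim"
CUSTOM_NAME = "com.example.victim.permission.PRIVATE"
SYSTEM_NAME = "android.permission.EXAMPLE_SYSTEM"  # constructed, not a real one


def resolve_flat():
    """Two packages declare the same custom permission string; in the flat
    model the later (intended) declaration is silently dropped."""
    reg = FlatNamespace()
    reg.declare(Perm(CUSTOM_NAME, "normal", OTHER_PKG))     # declared first
    reg.declare(Perm(CUSTOM_NAME, "signature", VICTIM_PKG))  # declared later
    return reg.lookup(CUSTOM_NAME)


def resolve_separated():
    """Same two declarations; the victim's own definition is what a check
    for the victim's permission resolves to."""
    reg = SeparatedNamespace()
    reg.declare(Perm(CUSTOM_NAME, "normal", OTHER_PKG))
    reg.declare(Perm(CUSTOM_NAME, "signature", VICTIM_PKG))
    return reg.lookup(CUSTOM_NAME, owner=VICTIM_PKG)


def system_shadow():
    """Returns (flat, separated) resolutions of a system permission name
    after an app declares a custom permission with the same string."""
    flat = FlatNamespace()
    flat.declare(Perm(SYSTEM_NAME, "normal", OTHER_PKG))
    flat.declare(Perm(SYSTEM_NAME, "signature", "android"))
    sep = SeparatedNamespace()
    sep.declare(Perm(SYSTEM_NAME, "normal", OTHER_PKG))
    sep.declare(Perm(SYSTEM_NAME, "signature", "android"), is_system=True)
    return flat.lookup(SYSTEM_NAME), sep.lookup(SYSTEM_NAME)


if __name__ == "__main__":
    print("flat:", resolve_flat())
    print("separated:", resolve_separated())
    print("system name, flat vs separated:", system_shadow())
```

The model makes the abstract's argument concrete: when the only identity a permission has is its string, whichever declarer gets there first decides its protection level, so a check on the name alone is a check against an untrusted declaration. Keying custom permissions by declarer, and keeping system permissions in a table that custom declarations cannot reach, is the property the paper states Cusper enforces; the verified design itself is described in the paper, not in this sketch.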