skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: PolyScope: Multi-Policy Access Control Analysis to Compute Authorized Attack Operations in Android Systems
Android’s filesystem access control provides a foundation for system integrity. It combines mandatory (e.g., SEAndroid) and discretionary (e.g., Unix permissions) access control, protecting both the Android platform from Android/OEM ser- vices and Android/OEM services from third-party applications. However, OEMs often introduce vulnerabilities when they add market-differentiating features and fail to correctly reconfigure this complex combination of policies. In this paper, we propose the PolyScope tool to triage Android systems for vulnerabilities using their filesystem access control policies by: (1) identifying the resources that subjects are authorized to use that may be modified by their adversaries, both with and without policy manipulations, and (2) determining the attack operations on those resources that are actually available to adversaries to reveal the specific cases that need vulnerability testing. A key insight is that adversaries may exploit discretionary elements in Android access control to expand the permissions available to themselves and/or vic- tims to launch attack operations, which we call permission expansion. We apply PolyScope to five Google and five OEM Android releases and find that permission expansion increases the privilege available to launch attacks, sometimes by more than 10x, but a significant fraction (about 15-20%) cannot be converted into attack operations due to other system configurations. Based on this analysis, we describe two previously unknown vulnerabilities and show how PolyScope helps OEMs triage the complex combination of access control policies down to attack operations worthy of testing.  more » « less
Award ID(s):
1816282
PAR ID:
10341902
Author(s) / Creator(s):
Editor(s):
Michael Bailey and Rachel Greenblatt
Date Published:
Journal Name:
30th USENIX Security Symposium
Page Range / eLocation ID:
2579--2596
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; ; ; (, Intelligent Human Computer Interaction. IHCI 2021. Lecture Notes in Computer Science, vol 13184. Springer, Cham)
    Kim, JH.; Singh, M.; Khan, J.; Tiwary, U.S.; Sur, M.; Singh, D. (Ed.)
    Cyberattacks and malware infestation are issues that surround most operating systems (OS) these days. In smartphones, Android OS is more susceptible to malware infection. Although Android has introduced several mechanisms to avoid cyberattacks, including Google Play Protect, dynamic permissions, and sign-in control notifications, cyberattacks on Android-based phones are prevalent and continuously increasing. Most malware apps use critical permissions to access resources and data to compromise smartphone security. One of the key reasons behind this is the lack of knowledge for the usage of permissions in users. In this paper, we introduce Permission-Educator, a cloud-based service to educate users about the permissions associated with the installed apps in an Android-based smartphone. We developed an Android app as a client that allows users to categorize the installed apps on their smartphones as system or store apps. The user can learn about permissions for a specific app and identify the app as benign or malware through the interaction of the client app with the cloud service. We integrated the service with a web server that facilitates users to upload any Android application package file, i.e. apk, to extract information regarding the Android app and display it to the user. 
    more » « less
  2. ; ; ; ; ; ; ; (, The Workshop on Technology and Consumer Protection (ConPro ’19))
    It is commonly assumed that the availability of “free” mobile apps comes at the cost of consumer privacy, and that paying for apps could offer consumers protection from behavioral advertising and long-term tracking. This work empirically evaluates the validity of this assumption by investigating the degree to which “free” apps and their paid premium versions differ in their bundled code, their declared permissions, and their data collection behaviors and privacy practices. We compare pairs of free and paid apps using a combination of static and dynamic analysis. We also examine the differences in the privacy policies within pairs. We rely on static analysis to determine the requested permissions and third-party SDKs in each app; we use dynamic analysis to detect sensitive data collected by remote services at the network traffic level; and we compare text versions of privacy policies to identify differences in the disclosure of data collection behaviors. In total, we analyzed 1,505 pairs of free Android apps and their paid counterparts, with free apps randomly drawn from the Google Play Store’s category-level top charts. Our results show that over our corpus of free and paid pairs, there is no clear evidence that paying for an app will guarantee protection from extensive data collection. Specifically, 48% of the paid versions reused all of the same third-party libraries as their free versions, while 56% of the paid versions inherited all of the free versions’ Android permissions to access sensitive device resources (when considering free apps that include at least one third-party library and request at least one Android permission). Additionally, our dynamic analysis reveals that 38% of the paid apps exhibit all of the same data collection and transmission behaviors as their free counterparts. Our exploration of privacy policies reveals that only 45% of the pairs provide a privacy policy of some sort, and less than 1% of the pairs overall have policies that differ between free and paid versions. 
    more » « less
  3. ; (, IEEE CNS'22)
    Android controls the majority of the global OS market. Android Open Source Project (AOSP) is a very complex system with many layers including the apps, the Application Framework, the middle-ware, the customized Linux kernel, and the trusted components. Although security is implemented in every layer, the Application Framework forms an important of the attack surface due to managing the user interface and permissions. Android security has evolved over the years. The security flaws that have been found in the Application Framework led to a redesign of Android permissions. Part of this evolution includes fixes to the vulnerabilities that are publicly released in the monthly Android security bulletins. In this study, we analyze the CVEs listed in the Android security bulletin within the last 6 years. We focus on the Android application framework and investigate several research questions relating to 1) the security relevant components, 2) the type and amount of testing information for the security patches, and 3) the adequacy of the tests designed to test these patches. Our findings indicate that Android security testing practices can be further improved by designing security bulletin update specific tests, and by improving code coverage of patched files. 
    more » « less
  4. ; ; ; ; ; (, 28th USENIX Security Symposium)
    Modern smartphone platforms implement permission-based models to protect access to sensitive data and system resources. However, apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels. Side channels present in the implementation of the permission system allow apps to access protected data and system resources without permission; whereas covert channels enable communication between two colluding apps so that one app can share its permission-protected data with another app lacking those permissions. Both pose threats to user privacy. In this work, we make use of our infrastructure that runs hundreds of thousands of apps in an instrumented environment. This testing environment includes mechanisms to monitor apps' runtime behaviour and network traffic. We look for evidence of side and covert channels being used in practice by searching for sensitive data being sent over the network for which the sending app did not have permissions to access it. We then reverse engineer the apps and third-party libraries responsible for this behaviour to determine how the unauthorized access occurred. We also use software fingerprinting methods to measure the static prevalence of the technique that we discover among other apps in our corpus. Using this testing environment and method, we uncovered a number of side and covert channels in active use by hundreds of popular apps and third-party SDKs to obtain unauthorized access to both unique identifiers as well as geolocation data. We have responsibly disclosed our findings to Google and have received a bug bounty for our work. 
    more » « less
  5. ; ; ; ; (, 2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC))
    As a new format of mobile application, mini-programs, which function within a larger app and are built with HTML, CSS, and JavaScript web technology, have become the way to do almost everything in China. Many researchers have done the ecosystem or developing study, while the permission problem has not been investigated yet. In this paper, we present our studies on the permission management of mini-programs and conduct a systematic study on 9 popular mobile host app ecosystems that host over 7 million mini-programs. After testing over 2,580 APIs, we extracted a common abstract model for mini-programs’ permission control and revealed six categories of potential security vulnerabilities due to improper permission management. It is alarming that the current popular mobile app ecosystems (i.e., host apps) under study have at least one security vulnerability due to the mini-programs’ improper permission management. We present the corresponding attack methods to dissect these potential weaknesses further to exploit the discovered vulnerabilities. To prove that the revealed vulnerabilities may cause severe consequences in real-world use, we show three kinds of attacks without privileges or cracking the host apps. We have responsibly disclosed the newly discovered vulnerabilities, and two CVEs were issued. Finally, we put forward systematic suggestions to strengthen the standardization of mini-programs. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email