Presentations - Limitations of Android permission system: packages, processes and user privacy

  • Location: Security Dome
  • Speaker: Julien Thomas
  • Date and time: 20. October 2017. 13:50 - 14:30

Permission management is becoming a primary concern because of ever-growing privacy and data concerns, especially on mobile devices. With Marshmallow, and based on the AppOp project under KitKat, Android users now have (partial) control over the permissions requested by the applications they have installed, instead of the “I agree or I do not install the app” case.

However, by giving the user control over permission granting, the Android system had to implement the concept of permission granting, which opened up the opportunity for new security issues and exploits. In addition, the revision of the Android permission model made it necessary to specify algorithms that keep the Android security policy backward compatible for non-updated applications. In this talk, we present the limits of the Android permission policy, which stem from wrong or incomplete API implementation for developers, an incorrect display algorithm at the system information level, backward compatibility inconsistency and, finally, incorrect permission revocation algorithms.

The presentation of the permission model will also give the audience a better understanding of how permissions are implemented and of the potential new subjects to consider, both as security experts and as Android users. We will also explain how this correlates with the new plugin-based and virtualization-based threats that we have seen more and more often since the end of 2016.

Because some initial knowledge of Android and Android permission management is required, the talk will be structured as follows:

  1. short introduction to the Android Permission concept and the relation between Manifest, Package, Process (UID) and Group (GID)
  2. demo that illustrates some of the limitations
  3. introduction to Android Open Source Project source code
  4. introduction to source code limitations and associated demos
  5. analysis of the current status (distribution of the inconsistencies on the APKs of different stores, limitations of the existing security apps)
  6. future implications and side-applications of these UID-focused definitions and limitations
  7. conclusion
