Permission management is becoming a primary concern due to ever-growing privacy and data-protection concerns, especially on mobile devices. With Marshmallow, building on the AppOps feature introduced under KitKat, Android users now have (partial) control over the permissions requested by the applications they install, instead of the former “agree or do not install the app” choice.
However, by giving the user control over permission granting, the Android system had to implement the concept of runtime permission granting, which opened the door to new security issues and exploits. Moreover, the revision of the Android permission model required algorithms to keep the Android security policy backward compatible for applications not yet updated to the new model. In this talk, we present the limits of the Android permission policy caused by wrong or incomplete API implementations exposed to developers, incorrect display algorithms at the system-information level, backward-compatibility inconsistencies and, finally, incorrect permission revocation algorithms.
The presentation of the permission model will also give the audience a better understanding of how permissions are implemented and which new topics deserve attention, both as security experts and as Android users. We will also explain how this correlates with new plugin- and virtualization-based threats, which we have seen more and more often since the end of 2016.
Because the talk requires some initial knowledge of Android and Android permission management, it will be structured as follows: