
2021 IEEE Symposium on Security and Privacy

Android Custom Permissions Demystified: From Privilege Escalation to Design Shortcomings

Rui Li∗†, Wenrui Diao∗†(B), Zhou Li‡, Jianqi Du∗†, and Shanqing Guo∗†
∗School of Cyber Science and Technology, Shandong University
[email protected], [email protected], [email protected], [email protected]
†Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University
‡University of California, Irvine, [email protected]

© 2021, Rui Li. Under license to IEEE. DOI 10.1109/SP40001.2021.00070

Abstract—Permission is the fundamental security mechanism for protecting data and privacy on Android. Given its importance, security researchers have studied the design and usage of permissions from various aspects. However, most of the previous research focused on the security issues of system permissions. Overlooked by many researchers, an app can use custom permissions to share its resources and capabilities with other apps. However, the security implications of using custom permissions have not been fully understood.

In this paper, we systematically evaluate the design and implementation of Android custom permissions. Notably, we built an automatic tool, called CUPERFUZZER, to detect custom permission related vulnerabilities existing in the Android OS. CUPERFUZZER treats the operations of the permission mechanism as a black-box and executes massive targeted test cases to trigger privilege escalation. In the experiments, CUPERFUZZER successfully discovered 2,384 effective cases with 30 critical paths. Through investigating these vulnerable cases and analyzing the source code of Android OS, we further identified a series of severe design shortcomings lying in the Android permission framework, including dangling custom permission, inconsistent permission-group mapping, custom permission elevating, and inconsistent permission definition. Exploiting any of these shortcomings, a malicious app can obtain dangerous system permissions without user consent and further access unauthorized platform resources. On top of these observations, we propose some general design guidelines to secure custom permissions. Our findings have been acknowledged by the Android security team and rated as High severity.

I. INTRODUCTION

As the most popular mobile platform, Android provides rich APIs and features to support third-party app development. For security concerns, Android also designs a series of mechanisms to prevent malicious behaviors. Among these mechanisms, permission is the fundamental one of Android OS: any app must request specific permissions to access the corresponding sensitive user data and system resources.

On account of the importance of the permission mechanism, its design and usage have been studied by much previous research from many aspects, such as permission models [49], [25], [31], permission usage [33], [46], [32], and detection [35], [48], [23]. Along with the continuous upgrade of Android OS, the underlying architecture of the permission mechanism becomes more and more complicated. Its current design and implementation are seemingly complete enough. However, overlooked by most of the previous research, Android allows apps to define their own permissions, called custom permissions [7], and use them to regulate the sharing of their resources and capabilities with other apps. Since a custom permission is not related to system capabilities by design, its range of action is supposed to be confined by the app defining it. Therefore, in theory, dangerous operations cannot be executed through custom permissions, which may be the reason that custom permissions are overlooked by the security community.

To the best of our knowledge, the study of Tuncay et al. [41] is the only work focusing on the security of custom permissions. They manually discovered two privilege escalation attacks that exploit the permission upgrade and naming convention flaws, respectively. Currently, according to the Android Security Bulletins, their discovered vulnerabilities have been fixed. Unfortunately, we find that, though both attacks have been blocked, custom permission based attacks can still be achieved with alternative execution paths bypassing the fix (more details are given in Section III). This preliminary investigation motivates us to explore whether the design of Android custom permissions still has other flaws and how to find these flaws automatically.

Our Work. In this work, we systematically evaluate the design and implementation of Android custom permissions. Notably, we explored the design philosophy of custom permissions and measured their usage status based on a large-scale APK dataset. We also built an automatic light-weight fuzzing tool called CUPERFUZZER to discover custom permission related privilege escalation vulnerabilities. Different from the previous approaches of permission system modeling [36], [26], CUPERFUZZER treats the operations of the Android permission mechanism as a black-box and dynamically generates massive test cases for fuzzing. In other words, it does not rely on prior knowledge of the internal permission mechanism and avoids missing inconspicuous system components. After solving a series of technical challenges, CUPERFUZZER achieves fully automated seed generation, test case construction, parallel execution, and result verification. Running on four Pixel 2 phones equipped with Android 9 / 10, CUPERFUZZER finally discovered 2,384 successful exploit cases after executing 40,195 fuzzing tests.

These effective cases were further converted to 30 critical paths, that is, the least necessary operations triggering a privilege escalation issue. Combined with the analysis of the source code of Android OS, we identified four severe design shortcomings¹ in the Android permission framework.

• DS#1: Dangling custom permission: causing apps to be granted nonexistent custom permissions.
• DS#2: Inconsistent permission-group mapping: causing an incorrect permission-group member list to be obtained.
• DS#3: Custom permission elevating: causing a custom permission to be elevated to a dangerous system permission.
• DS#4: Inconsistent permission definition: breaking the integrity of custom permission definitions.

A malicious app can exploit any of the above design shortcomings to obtain dangerous system permissions without user consent. As showcases, we present four concrete attacks to demonstrate their fatal consequences. Attack demos are available at https://sites.google.com/view/custom-permission.

Responsible Disclosure. We reported our findings to the Android security team, and all reported issues have been confirmed with positive severity rating [19], as shown below.

• DS#1: rated as High severity, assigned CVE-2021-0307.
• DS#2: rated as High severity, assigned CVE-2020-0418.
• DS#3: rated as High severity, assigned CVE-2021-0306.
• DS#4: rated as High severity, assigned CVE-2021-0317.

To mitigate the current security risks, we propose some immediate improvements and discuss general design guidelines to secure custom permissions on Android.

Contributions. The main contributions of this paper are:

• Tool Design and Implementation. We designed and implemented an automatic black-box fuzzing tool, CUPERFUZZER, to discover custom permission related privilege escalation vulnerabilities in Android.
• Real-world Experiments. We deployed CUPERFUZZER under real-world settings and conducted massive fuzzing analysis. In the end, it discovered 2,384 privilege escalation cases with 30 critical paths.
• New Design Shortcomings. We identified four severe design shortcomings lying in the Android permission framework. Malicious apps can exploit these flaws to obtain dangerous system permissions without user consent.
• Systematic Study. We explored the design philosophy of custom permissions and measured their usage in the wild. After digging into the essence of the discovered design flaws, we discussed general guidelines to secure Android custom permissions.

Roadmap. The rest of this paper is organized as follows. Section II provides the necessary background of Android custom permissions. Section III gives the motivation case and threat model used in this paper. Section IV introduces the detailed design of CUPERFUZZER, and Section V presents the experiment results. The design flaws of custom permissions are analyzed in Section VI. In Section VII, we propose the mitigation solutions and general design guidelines. In Section VIII, we discuss some limitations of our work. Section IX reviews related work, and Section X concludes this paper.

¹ In the following sections, we use DS#1, DS#2, DS#3, and DS#4 for short.

II. ANDROID CUSTOM PERMISSIONS

In this section, we provide the necessary background of Android custom permissions and further discuss their usage in the wild based on a large-scale measurement.

A. Android Permission Mechanism

In Android, sensitive APIs and system resources are protected by the permission mechanism. To access them, apps must declare the corresponding permissions in their manifest files and ask users to authorize. In Android 10 (API level 29), the permission control functionalities are mainly implemented in PackageManager [11] and PermissionController [13].

Permissions are mainly divided into three protection levels: normal, signature, and dangerous. The system grants apps normal and signature permissions at install time. The difference is that signature permissions can only be used by apps signed by the same certificate as the app that defines the permission [16]. On the other hand, users can choose to grant or deny dangerous permissions at runtime. Therefore, dangerous permissions are also called runtime permissions, and accordingly, normal and signature permissions are called install-time permissions. Install-time permissions cannot be revoked by users once they are granted; on the contrary, runtime permissions can be revoked at any time.

All dangerous permissions belong to permission groups. For example, both READ_SMS and RECEIVE_SMS belong to the SMS group. Also, dangerous permissions are granted on a group basis. If an app requests dangerous permissions belonging to the same permission group, once the user grants one, the others will be granted automatically without user confirmation. Note that any permission can be assigned to a permission group regardless of its protection level [15].

From an internal view, to an app, the processes of granting and revoking a permission are essentially changing the corresponding granting status parameter, mGranted (a boolean variable), maintained by PermissionController (runtime permissions) and PermissionManagerService (install-time permissions). mGranted is set to True to grant a permission and False to revoke a permission. Besides, the granting status of permissions is also recorded in runtime-permissions.xml² (runtime permissions) and packages.xml³ (install-time permissions) for persistent storage.

² Location: /data/system/users/0/runtime-permissions.xml
³ Location: /data/system/packages.xml

B. Custom Permissions

In essence, system permissions (also called platform permissions) are the permissions defined by system apps located in system folders (/system/), such as framework-res.apk (package name: android), to protect specific system resources. For instance, an app must have the CALL_PHONE permission to make a phone call. Third-party apps can define their own permissions as well, called custom permissions, to share their resources and capabilities with other apps.

TABLE I: Protection levels of custom permissions.
Protection Level    Amount    Percentage
normal              26,330    32.09%
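The measurement behind Table I starts from each app's manifest: every `<permission>` element a third-party app declares is a custom permission, and its `android:protectionLevel` attribute decides the row it falls into. The script below is an added example, not the paper's tooling, showing how such a tally is computed from decoded manifests. It also lists custom permissions that join an `android.permission-group.*` group, since Section II.A notes that any permission may be placed in a group regardless of its protection level. The three manifests, package names and permission names are constructed for the example; Android's documented defaults (protectionLevel defaults to normal, and flags such as `privileged` are appended after a `|`) are the only facts relied on.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Attribute namespace used by AndroidManifest.xml for android:* attributes
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


# Constructed sample manifests for three hypothetical apps (not from the paper's dataset).
SAMPLE_MANIFESTS = {
    "com.example.notes": """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <permission android:name="com.example.notes.READ_NOTES"
                android:protectionLevel="normal"/>
    <permission android:name="com.example.notes.SYNC"
                android:protectionLevel="signature"/>
    <!-- no protectionLevel given: Android defaults it to normal -->
    <permission android:name="com.example.notes.EXPORT"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>""",
    "com.example.cam": """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cam">
    <permission android:name="com.example.cam.USE_FEED"
                android:protectionLevel="dangerous"
                android:permissionGroup="android.permission-group.CAMERA"/>
</manifest>""",
    "com.example.kiosk": """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.kiosk">
    <permission android:name="com.example.kiosk.ADMIN"
                android:protectionLevel="signature|privileged"/>
</manifest>""",
}

BASE_LEVELS = {"normal", "dangerous", "signature", "signatureOrSystem"}


def base_protection_level(value):
    """protectionLevel may carry flags after the base level ("signature|privileged").
    Table I counts by base level, so the flags are stripped."""
    base = value.split("|", 1)[0].strip()
    return base if base in BASE_LEVELS else "unknown"


def extract_custom_permissions(manifest_xml):
    """Return the <permission> definitions of one manifest as dicts."""
    root = ET.fromstring(manifest_xml.strip())
    pkg = root.get("package")
    found = []
    for perm in root.findall("permission"):  # direct children of <manifest> only
        found.append({
            "package": pkg,
            "name": _attr(perm, "name"),
            "level": base_protection_level(_attr(perm, "protectionLevel", "normal")),
            "group": _attr(perm, "permissionGroup"),
        })
    return found


def tally_protection_levels(manifests):
    """Count custom permissions per protection level -> {level: (amount, percentage)}."""
    counter = Counter()
    for xml in manifests.values():
        for p in extract_custom_permissions(xml):
            counter[p["level"]] += 1
    total = sum(counter.values())
    return {lvl: (n, round(100.0 * n / total, 2)) for lvl, n in counter.items()}


def custom_permissions_in_system_groups(manifests):
    """List (package, permission, group) for custom permissions placed in a system group."""
    hits = []
    for xml in manifests.values():
        for p in extract_custom_permissions(xml):
            if p["group"] and p["group"].startswith("android.permission-group."):
                hits.append((p["package"], p["name"], p["group"]))
    return hits


if __name__ == "__main__":
    print("Protection Level    Amount  Percentage")
    for level, (n, pct) in tally_protection_levels(SAMPLE_MANIFESTS).items():
        print(f"{level:<20}{n:>6}  {pct:>8.2f}%")
    for pkg, name, group in custom_permissions_in_system_groups(SAMPLE_MANIFESTS):
        print(f"{pkg}: {name} is assigned to {group}")
```

Real APKs carry a binary-encoded manifest, so in practice the XML text fed to `extract_custom_permissions` would come from a decoder such as apktool or aapt; the classification and tallying logic is unchanged.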