Detecting Capability Leaks in Android-Based Smartphones
Detecting Capability Leaks in Android-based Smartphones Michael Grace, Yajin Zhou, Zhi Wang, Xuxian Jiang North Carolina State University 890 Oval Drive, Raleigh, NC 27695 {mcgrace, yajin_zhou, zhi_wang, xuxian_jiang}@ncsu.edu ABSTRACT ily accessed and downloaded to run on smartphones from various app Recent years have witnessed increased popularity and adoption of stores [5]. For example, it has been reported [21] that Google’s An- smartphones partially due to the functionalities and convenience of- droid Market already hosts 150,000 apps as of February, 2011 and fered to their users (e.g., the ability to run third-party applications). the number of available apps has tripled in less than 9 months. More- To manage the amount of access given to smartphone applications, over, not only official smartphone platform vendors such as Apple Android provides a permission-based security model, which requires and Google are providing respective app stores to host hundreds of each application to explicitly request permissions before it can be in- thousands of apps, but also third-party vendors including Amazon are stalled to run. In this paper, we systematically analyze eight flagship competing in this market by providing separate channels for mobile Android smartphones from leading manufacturers, including HTC, users to browse and install apps. Motorola, and Samsung and found out that the stock phone images Not surprisingly, mobile users are increasingly relying on smart- do not properly enforce the permission model. Several privileged phones to store and handle personal data. Inside the phone, we can permissions that protect the access to sensitive user data and danger- find current (or past) geo-location information about the user [7], ous features on the phones are unsafely exposed to other applications phone call logs of placed and received calls, an address book with var- which do not need to request them for the actual use, a security vi- ious contact information, as well as cached emails and photos taken olation termed capability leak in this paper.
[Show full text]