
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 24 (2017) pp. 15169-15178 © Research India Publications. http://www.ripublication.com

Static Analysis Tool for Identification of Permission Misuse by Android Applications

Karthick S
PG Scholar, Department of Computer Science, Christ University, Hosur Road, Bengaluru, Karnataka, India.
Orcid Id: 0000-0002-1176-4714 & Researcher Id: Q-2455-2017

Sumitra Binu
Assistant Professor, Department of Computer Science, Christ University, Hosur Road, Bengaluru, Karnataka, India.
Orcid Id: 0000-0001-7658-3829

Abstract

Android is one of the most important and widely used mobile operating systems in the world. The Android operating system utilizes the permission-based model, which permits Android applications to get user data, framework data, gadget data and other assets of the smartphone. These permissions are affirmations declared by the developer of an application. The permissions granted vary from one application to another, depending on its functionality. During installation, the permissions to access the resources of the smartphone are requested by apps. Once the client grants the permission, the apps are allowed to access the granted resources as per their requirement. Android OS is susceptible to different security issues owing to the loopholes in security. This paper mainly focuses on identifying how the permissions granted to a specific application are misused by another application using SharedUserID. The paper also proposes a security tool that identifies a list of applications which are misusing the permissions in a user's Android smartphone. The viability of the tool is tested by using a Proof-of-Concept (PoC) implementation of the security tool.

Keywords: Android, Over-claiming of Permissions, Permission Misuse, Security Attacks, Security Threats, Security Tool App, SharedUserID.

INTRODUCTION

A flexible operating system (OS) enables PDAs, tablets, PCs, and different devices to run applications and activities. Usage of smartphones is not restricted to calling and messaging services but also encompasses various tasks such as Internet banking, online payment, etc. Though there are different types of mobile operating systems available in the market, the most frequently utilized operating systems are Android, iOS, Windows and BlackBerry OS. Android is the most widely used amongst the mainstream operating systems for smartphones. At the first quarter of 2017, the total number of verified applications available in Google Play Store was 2.8 Million [1], and the total number of Android operating system-based smartphones sold was 2.1 Billion [2]. It is predicted that the sales of Android-based smartphones will exceed 5 Billion by 2019 [2]. The market share of Android OS in the last quarter of 2016 was 86.2%, whereas iOS, Windows, BlackBerry, and others hold 12.9%, 0.6%, 0.1% and 0.2% respectively [3]. These statistics throw light on the fact that the Android operating system has the most extensive market when compared to other mobile operating systems. Android is an open-source operating system based on the Linux kernel, released by Google under the Apache license and targeted at smartphones and tablets. iOS (iPhone OS), created by Apple Inc., is utilized just by Apple gadgets, such as iPhone, iPad, and iPod touch. It is the second most prevalent operating system alongside Android.

The rest of the paper is organized as follows: Section II describes related work. Sections III and IV discuss various security threats and security attacks in Android, respectively. Section V examines how applications can misuse permissions using SharedUserID. Section VI includes a discussion of different types of Android permissions and a brief comparison of Android and iOS. Section VII discusses the proposed method for addressing permission escalation using SharedUserID. Sections VIII and IX include the methodology and implementation of the Security Tool App. Section X concludes the work.

RELATED WORK

Android is an open source operating system. In Android, it is possible to install an application from unknown sources. An application whose source is anonymous and is not verified can be installed in the smartphone by unchecking the "Unknown Sources" option, available in the Settings. Google Play Store is extensively used to publish applications worldwide. Even though it is widely used to download the validated apps, not all applications available in Google Play Store are completely secure. As per the reports published by McAfee, the presence of three Android Malware was detected in many games and apps uploaded on the Play Store [4]. Also, a vast majority of apps request a host of permissions to access information and functions that are not required, and these are thereby misused. The main functionality of the application "FlashLight", released by Happy Hollow Studio and available in Google Play Store [5], is to provide a flashlight. The permissions demanded by this application are Location, Photo/Media/Files, Camera, WiFi Connection and Device ID & Call Information. The only permission required to perform flashlight functionality is "Camera." However, this application requires the user to accept a few more permissions which are entirely irrelevant for its functioning. Hence, it can be understood that the fact that the app is available in Google Play Store does not make it completely secure, and that there are apps that over-claim permissions from the user. Sometimes, the same developer may develop more than one application, with the same digital signature used to sign these applications and SharedUserID set in the AndroidManifest.xml file [6]. This kind of app can cause the misuse of permissions granted to one app by another app, which in turn can result in permission escalation attacks [6]. The security loopholes in the Android operating system are being exploited by hackers to steal confidential information stored in the smartphones by using different malware embedded in various apps.

In 2012, Barrera et al., in their work, deliberated on how the SharedUserID concept works [7]. In 2013, Sbirlea et al. indicated how the SharedUserID concept is implemented [8]. In 2013, Ahmad et al. proposed a comparative study between Android and iOS operating systems and claimed that iOS is more secure than Android [9]. In 2014, Kaur et al. proposed a security tool application called PeMo – Permission Modificator, which is used to revoke granted irrelevant permissions from installed applications [10]. In 2014, Z. Fang et al. thoroughly analyzed Android OS permissions issues and countermeasures. Their findings included various permission escalation attacks and existing countermeasures to solve those problems [11]. In 2014, Ratazzi et al., in their work, discussed the problem of permissions being misused by Android apps using SharedUserID. During installation, apps acquire the combination of permissions from all of the SharedUserID apps installed on the particular platform [12]. In 2015, Ankita et al. identified various security threats like Virus, Worm, Trojan horse, Cyber-attack, Botnet, Rootkit, Privilege escalation vulnerability, etc. [13]. In 2015, Faruki et al. classified the Android permissions into normal and dangerous permissions. A developer must declare dangerous permissions explicitly, whereas normal permissions are granted automatically. They also identified Android threats like version update threats, malicious apps to steal personal information, and security attacks like Trojan, Backdoor, Worm, etc. [14]. In 2015, B. Rashidi et al. mentioned that more than 70% of applications collect data that is irrelevant to their functionality [15]. In 2015, J.K. Park et al. indicated that excessive authorization, abuse of app permissions and information leakage are possible by using SharedUserID [16]. In 2016, Google released a white paper on Android Security [17], but there was no solution mentioned for addressing the misuse of app permissions.

In 2017, Karthick et al. [18], in their work, deliberated on how Android apps can abuse permissions using SharedUserID and proposed a methodology to solve the related problems. This paper is an extension of that work, in which a new algorithm is proposed to identify the applications that misuse app permissions using SharedUserID. The Proof of Concept (PoC) of the algorithm is implemented by developing a Security Tool App which detects complete information about the applications that exploit SharedUserID for accessing permissions not granted to them. SharedUserID is an attribute in the AndroidManifest.xml file. If this attribute is assigned the same value for one or more applications and if the same certificate signs both the applications, then they can share the resources granted to each other [18].

Android versions 6.0 and above provide explicit notification to the user whenever an app tries to access dangerous permissions. Thus, explicit notification is provided whenever an app seeks to access sensitive resources such as contacts, messages, etc., and it is also possible to turn on or off the crucial permissions of each app in the app settings. However, Marshmallow 6.0 is available only on 7.5 percent of Android devices [21]. Nougat 7.0 is available only on 4.5% of Android devices, and Nougat 7.1 is available only on 0.4% of Android devices [21,22]. The Android OS updates are not available for
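
The SharedUserID condition described in the related work above (same attribute value in AndroidManifest.xml and the same signing certificate) can be checked statically across a set of apps. The following is an added example, not the paper's algorithm or its Security Tool App code; it assumes manifests already decoded to text XML, and the package names and certificate labels are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def make_manifest(pkg, shared_uid, perms):
    """Build a constructed, decoded AndroidManifest.xml for the sample set."""
    uid = f' android:sharedUserId="{shared_uid}"' if shared_uid else ""
    body = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            f' package="{pkg}"{uid}>{body}</manifest>')

# Constructed sample: (manifest text, signing-certificate fingerprint placeholder).
SAMPLE_APPS = [
    (make_manifest("com.example.torch", "com.example.shared", ["CAMERA"]), "CERT_A"),
    (make_manifest("com.example.backup", "com.example.shared",
                   ["READ_CONTACTS", "INTERNET"]), "CERT_A"),
    (make_manifest("com.example.notes", None, ["INTERNET"]), "CERT_B"),
    # Same sharedUserId value but a different certificate: not in the group.
    (make_manifest("com.other.app", "com.example.shared", ["READ_SMS"]), "CERT_C"),
]

def parse_manifest(xml_text):
    """Return (package, sharedUserId or None, set of requested permissions)."""
    root = ET.fromstring(xml_text)  # for untrusted APKs prefer a hardened XML parser
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return root.get("package"), root.get(ANDROID_NS + "sharedUserId"), perms

def find_inherited_permissions(apps):
    """Map each package to permissions it never requested but can use via its group."""
    groups = defaultdict(dict)
    for xml_text, cert in apps:
        pkg, uid, perms = parse_manifest(xml_text)
        if uid:  # apps without sharedUserId keep their own UID
            groups[(uid, cert)][pkg] = perms
    report = {}
    for members in groups.values():
        if len(members) < 2:
            continue  # nothing to share with
        union = set().union(*members.values())
        for pkg, declared in members.items():
            if union - declared:
                report[pkg] = sorted(union - declared)
    return report

if __name__ == "__main__":
    for pkg, extra in find_inherited_permissions(SAMPLE_APPS).items():
        print(pkg, "inherits", extra)
```

On the sample set the flashlight-style app, which requested only CAMERA, is reported as able to use READ_CONTACTS and INTERNET through the shared UID.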