Augmenting the android app permission system using dynamic analysis


                                             
Android’s app ecosystem relies heavily on third-party libraries as they facilitate code development and provide a steady stream of revenue for developers. However, while Android has moved towards a more fine-grained runtime permission system, users currently lack the required resources for deciding whether a specific permission request is actually intended for the app itself or is requested by possibly dangerous third-party libraries. In this paper we present Reaper, a novel dynamic analysis system that traces the permissions requested by apps in real time and distinguishes those requested by the app’s core functionality from those requested by third-party libraries linked with the app. Our study on over 5K popular apps demonstrates the large extent to which personally identifiable information is being accessed by libraries and highlights the privacy risks that users face. Reaper enhances the functionality of Android’s run time permission model without and provides the  information that can enable users to  deny permissions that are not part of an app’s core functionality.
Modern smartphones have become a treasure trove of sensitive user data and personally identifiable information (PII) that is regularly collected and exfiltrated by Android applications. At the same time, the limitations of Android’s permission system have been explored extensively and various modifications have been proposed. The privacy risks that arise from permission management are further exacerbated by the dominating role that third-party libraries have achieved in the Android app ecosystem by providing a revenue stream for developers. On average, 41% of an app’s code is contributed by common libraries.
• As users cannot differentiate between permission requests needed for the core functionality of the app and requests from third-party libraries, they cannot make informed decisions regarding which permissions should be granted to each app.  A fine-grained access control permission system should notify users of the origin of a permission request and explicitly state if it is needed by the app’s core functionality or an integrated third-party library. We use Reaper, a system for dynamically analyzing apps and inferring the origin of permission protected calls (PPCs) through inline hooking that enables passive monitoring of the internals of the Android operating system. A dynamic analysis framework requires an efficient tool for traversing the graph of each app with sufficient coverage.
• We develop UI Harvester, an automation tool that utilizes hooks in the Android rendering process for identifying interactive elements and their properties, for traversing the app’s graph without a priori knowledge of the app’s functionality or visual characteristics. UI Harvester introduces negligible overhead and improves coverage.
• Permission Harvester is responsible for the main functionality of Reaper, as it hooks PPCs at run time and extracts the current stack trace. Even though PPCs protect device resources,  users do not have complete knowledge of Android’s documentation and internals and are  concerned with apps accessing personally identifiable information. Permission Harvester also monitors PII access regardless of whether the call is protected by a permission or not. Extracted stack traces are processed for identifying the origin of calls that are protected by permissions or access PII. This approach is not affected by encryption techniques that may attempt to hide the presence of third-party libraries and the exfiltration of PII.  This system can be incorporated as part of the Android Open Source Project for enriching the contextual information shown to users.  
• We use Reaper to analyze over 5K popular Android apps, and find several alarming results regarding the extent of third-party libraries’ use of permissions and permission-protected calls. For 90% of the apps third-parties initiate more permission protected calls than the core app itself. We find that on average 65% of used permissions are needed by third-party libraries, and 34% of the apps never issue PPCs from their core code as the requested permissions originate solely from library code. 
• We develop Reaper, a real-time permission analysis system that infers the origin of calls to permission-protected resources or non-permission-protected sensitive PII. Our system can augment Android’s runtime permission system by enriching the contextual information provided to users.
. • We use Reaper to explore the interaction between libraries and Android’s permission system in depth.  Our findings shed light on the alarming extent to which libraries dominate such calls, and motivate the need for incorporating origin information in permission requests.
• We experimentally evaluate our system and find that the overhead introduced is minimal, rendering it suitable for analyzing apps at a large-scale, or integrating in user devices
Architecture Used:-

Comments

Post a Comment

Popular posts from this blog

Image
                                              ML in cyber security Machine learning techniques have been applied in many areas of science due to their unique properties like adaptability, scalability, and potential to rapidly adjust to new and unknown challenges. Cyber security is a fast growing field demanding a great deal of attention because of remarkable progresses in social networks, cloud and web technologies, online banking, mobile environment, smart grid, etc. Diverse machine learning methods have been successfully deployed to address such wide-ranging problems in computer security. This paper discusses and highlights different applications of machine learning in cyber security. This study covers phishing detection, network intrusion detection, testing security properties of protocols, authentication with keystroke dynamics, cryptography, human i...
Read more
Image
The Blue Brain Human brain is the most valuable creation of God. The man is called intelligent because of the brain. The brain translates the information delivered by the impulses, which then enables the person to react. But we loss the knowledge of a brain when the body is destroyed after the death of man. Today scientists are in research to create an artificial brain that can think, response, take decision, and keep anything in memory. The main aim is to upload human brain into machine. So that man can think, take decision without any effort. After the death of the body, the virtual brain will act as the man .So, even after the death of a person we will not lose the knowledge, intelligence, personalities, feelings and memories of that man that can be used for the development of the human society. No one has ever understood the complexity of human brain. It is complex than any circuitry in the world. As we know, the technology is growing faster than ever thing. IBM is now in research ...
Read more
Image
AI :Use in Biomedical field Understanding the relationship between symptoms and diagnosis is important for the diagnostic process. A health knowledge graph is a representation of the connections between symptoms and diseases and can help with diagnosis prediction tasks. Chen and Agrawal et al present results evaluating health knowledge graphs and looking at what features are important for accurate diagnosis prediction. They identify major sources of error including unmeasured confounders and sample size and discuss new methods of robust medical knowledge extraction from electronic health records. Diagnosing a disease is not always straightforward; some disease states require multiple tests and longitudinal evaluation before a diagnosis is established. Artificial intelligence may play a role in helping diagnose a disease state sooner by learning predictive patterns that humans may miss. For example, Alzheimer’s disease is a neurodegenerative disorder marked with progr...
Read more