Automatically Securing Permission-Based Software by Reducing the Attack Surface: An Application to Android
This addresses security risks for Android users by reducing attack surfaces, though it is incremental as it builds on existing permission-based models.
The paper tackles the problem of permission gaps in Android applications, where apps have more permissions than needed, by developing a static analysis approach to detect these gaps, finding that a significant portion of apps in two datasets suffer from this issue.
A common security architecture, called the permission-based security model (used e.g. in Android and Blackberry), entails intrinsic risks. For instance, applications can be granted more permissions than they actually need, what we call a "permission gap". Malware can leverage the unused permissions for achieving their malicious goals, for instance using code injection. In this paper, we present an approach to detecting permission gaps using static analysis. Our prototype implementation in the context of Android shows that the static analysis must take into account a significant amount of platform-specific knowledge. Using our tool on two datasets of Android applications, we found out that a non negligible part of applications suffers from permission gaps, i.e. does not use all the permissions they declare.