Document information
Title: Android Security Issues and Solutions
Authors: Karthick Sowndarajan, Sumitra Binu
Source: International Conference on Innovative Mechanisms for Industry Applications (ICIMIA), 2017: 686-689.
Word count: 2,199 English words, 12,157 characters; 3,837 Chinese characters
Original English text
Android Security Issues and Solutions
Abstract
The Android operating system uses a permission-based model which allows Android applications to access user information, system information, device information and external resources of the smartphone. The developer needs to declare the permissions for the Android application. The user needs to accept the permissions for successful installation of an Android application. The permissions are declarations. At the time of installation, if the permissions are allowed by the user, the app can access resources and information at any time. It need not request the permissions again. Android OS is susceptible to various security attacks due to its weakness in security. This paper describes the misuse of app permissions using Shared User ID, how two-factor authentication fails due to inappropriate and improper usage of app permissions using spyware, data theft in Android applications, security breaches or attacks in Android, and an analysis of the Android, iOS and Windows operating systems regarding their security.
Keywords— Android; Permissions; Shared User ID; Security; Data Theft; Spyware; iOS; Windows.
I. INTRODUCTION
A mobile operating system (OS) is software that allows smartphones, tablet PCs, and other devices to run applications and programs. There are several types of mobile operating system available in the market. The commonly used mobile operating systems are Android, iOS, Windows and BlackBerry OS. The Android operating system is open source, with its source code released by Google under the Apache license, and is based on the Linux kernel and designed for smartphones and tablets. Android is one of the most popular operating systems for smartphones. In the last quarter of 2016, the total number of applications available in the Google Play Store was 2.6 million, and the total number of Android-based smartphones sold was 2.1 billion. The market share of Android in the first quarter of 2016 was 84.1%, whereas iOS, Windows, BlackBerry, and others held 14.8%, 0.7%, 0.2% and 0.2% respectively. Therefore, it is clear that Android has the widest market when compared to other mobile operating systems. iOS (iPhone OS) is developed by Apple Inc. and used only by Apple devices such as the iPhone, iPad, and iPod touch. It is the second most popular operating system after Android. In Android, it is possible to install applications from unknown sources other than the Google Play Store. In iOS, however, apps can only be installed from the App Store. This ability to install apps from unknown sources is one of the major security breaches in Android. Due to various security breaches in Android, attackers already regard the smartphone as a target for stealing personal information using various malware. In 2013, Mohd Shahdi Ahmad et al. presented an analysis of Android and iOS regarding security and declared iOS more secure than Android. In 2014, A. Kaur et al. indicated that it is possible to revoke granted permissions from an Android application.
The rest of the paper is organized as follows. Section II describes various security attacks on Android such as the permission escalation attack, confused deputy attack, direct collision attack, indirect collision attack and TOCTOU (Time Of Check and Time of Use) attack. Section III describes different types of Android app permissions, over-claiming of app permissions, misuse of app permissions using Shared User ID and failure of two-factor authentication in Android-based smartphones due to spyware. Section IV presents the comparison of security between Android and iOS. Section V presents the proposed method to avoid misuse of app permissions and the conclusion of the paper.
II. SECURITY ATTACKS IN ANDROID
A. Permission Escalation Attack
It allows a malicious application to collaborate with other applications so as to access critical resources without explicitly requesting the corresponding permissions.
B. Collision Attack
Android supports shared user ID. It is a technique wherein two or more applications share the same user ID so that they can access the permissions which are granted to each other. For example, if application A has the permissions READ_CONTACTS and READ_PHONE_STATUS, and B has the permissions READ_MESSAGES and LOCATION_ACCESS, and both applications use the same user ID SHAREDUSERID, then it is possible for application A to use the permissions granted to itself and the permissions granted to B. Similarly, it is possible for application B to use the permissions granted to itself and the permissions granted to A. Every Android application has a unique ID, which is its package name. Shared User ID is an attribute in the AndroidManifest.xml file. If this attribute is assigned the same value in two or more applications, and the same certificate signs those applications, they can access the permissions granted to each other.
Collision attacks are classified as direct collision attacks and indirect collision attacks. In a direct collision attack, the applications communicate directly. In an indirect collision attack, the applications communicate via a third-party application or component.
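An audit of the shared user ID behaviour described above, as an added example that is not part of the paper: it groups manifests by sharedUserId and signing certificate and reports which permissions each app holds beyond those it declared. The package names, shared ID and certificate labels are constructed for illustration, and real Android permission names stand in for the paper's illustrative ones.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID = "{http://schemas.android.com/apk/res/android}"

def _manifest(pkg, shared, perms):
    # Builds a minimal constructed manifest for the sample data below.
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    share = f' android:sharedUserId="{shared}"' if shared else ""
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{pkg}"{share}>{uses}</manifest>')

# Constructed sample input: (manifest XML, signing-certificate label).
SAMPLES = [
    (_manifest("com.example.a", "com.example.shared", ["READ_CONTACTS", "READ_PHONE_STATE"]), "CERT-1"),
    (_manifest("com.example.b", "com.example.shared", ["READ_SMS", "ACCESS_FINE_LOCATION"]), "CERT-1"),
    (_manifest("com.example.c", "com.example.shared", ["INTERNET"]), "CERT-2"),  # different signer
    (_manifest("com.example.d", None, ["CAMERA"]), "CERT-1"),  # no sharedUserId
]

def parse(xml_text):
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    return root.get("package"), root.get(ANDROID + "sharedUserId"), perms

def inherited_permissions(samples):
    """Map package -> permissions gained from apps sharing its user ID and signer."""
    groups = defaultdict(list)
    for xml_text, cert in samples:
        pkg, shared, perms = parse(xml_text)
        if shared:  # only apps that opt in to a shared user ID
            groups[(shared, cert)].append((pkg, perms))
    report = {}
    for members in groups.values():
        if len(members) < 2:
            continue  # same ID but no co-signed peer: nothing is shared
        union = set().union(*(p for _, p in members))
        for pkg, perms in members:
            report[pkg] = sorted(union - perms)
    return report

if __name__ == "__main__":
    for pkg, extra in inherited_permissions(SAMPLES).items():
        print(pkg, "also holds:", ", ".join(extra))
```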
C. Time of Check and Time of Use Attack
The main reason for the TOCTOU attack is naming collision. No naming rule or constraint is applied to a new permission declaration. Moreover, permissions in Android are represented as strings, and any two permissions with the same name string are treated as equivalent even if they belong to separate applications.
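A check for the naming collision described above, as an added example that is not part of the paper: it scans manifests for custom permission definitions and reports any name declared by more than one package, noting whether the protection level or signer differs. All package, permission and signer names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.android.com/apk/res/android}"
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '

# Constructed sample: (manifest XML, signer label) per installed package.
INSTALLED = [
    (HEAD + 'package="com.example.bank">'
     '<permission android:name="com.example.bank.READ_TOKENS"'
     ' android:protectionLevel="signature"/></manifest>', "SIGNER-BANK"),
    (HEAD + 'package="com.example.torch">'
     '<permission android:name="com.example.bank.READ_TOKENS"/>'
     '<permission android:name="com.example.torch.TOGGLE"/></manifest>', "SIGNER-OTHER"),
    (HEAD + 'package="com.example.suite.mail">'
     '<permission android:name="com.example.suite.SYNC"'
     ' android:protectionLevel="signature"/></manifest>', "SIGNER-SUITE"),
    (HEAD + 'package="com.example.suite.calendar">'
     '<permission android:name="com.example.suite.SYNC"'
     ' android:protectionLevel="signature"/></manifest>', "SIGNER-SUITE"),
]

def declared(xml_text):
    """Yield (package, permission name, protection level) for each definition."""
    root = ET.fromstring(xml_text)
    for el in root.iter("permission"):
        # An omitted protectionLevel defaults to "normal" on Android.
        yield root.get("package"), el.get(NS + "name"), el.get(NS + "protectionLevel", "normal")

def name_collisions(installed):
    """Return one finding per permission name declared by two or more packages."""
    by_name = defaultdict(list)
    for xml_text, signer in installed:
        for pkg, name, level in declared(xml_text):
            by_name[name].append((pkg, level, signer))
    findings = []
    for name, decls in sorted(by_name.items()):
        if len({pkg for pkg, _, _ in decls}) < 2:
            continue
        findings.append({
            "permission": name,
            "packages": sorted(pkg for pkg, _, _ in decls),
            "level_mismatch": len({lvl for _, lvl, _ in decls}) > 1,
            "signer_mismatch": len({s for _, _, s in decls}) > 1,
        })
    return findings
```

A finding with both mismatch flags set is the case worth reviewing first; the same-signer, same-level collision in the sample is the benign pattern of one vendor's app suite.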
D. Spyware
Spyware is a type of malware. It is an APK file which is downloaded automatically when the user visits a malicious website or installs apps from unknown sources. In Android, it is possible to install applications from unknown sources other than the Google Play Store. Spyware is one of the main reasons for major security threats in the Android operating system.
III. UNDERSTANDING PERMISSIONS
The Android operating system uses the permission-based model to access various resources and information. The permissions are not requests; they are declarations. The permissions are declared in the AndroidManifest.xml file. Once the permissions are granted, the permissions remain static for Android versions less than 6. But in Android versions 7.0 and higher, the app permissions are classified into normal permissions and dangerous permissions.
A. Normal Permissions
Normal permissions do not directly put the user's privacy at risk. Normal permissions need not be declared in the AndroidManifest.xml file. The permissions are granted automatically. Example:
KILL_BACKGROUND_PROCESSES
SET_WALLPAPER
UNINSTALL_SHORTCUT
WRITE_SYNC_SETTINGS
B. Dangerous Permissions
Dangerous permissions can access critical resources of the mobile device. Dangerous permissions can give the app access to the user's confidential data. If an app lists a normal permission in its manifest, the system grants the permission automatically. If an app lists a dangerous permission, the user has to explicitly give approval for the successful installation of the app. Example:
CONTACTS: READ_CONTACTS, WRITE_CONTACTS, GET_ACCOUNTS
LOCATION: ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION
SMS: SEND_SMS, RECEIVE_SMS, READ_SMS, RECEIVE_WAP_PUSH, RECEIVE_MMS
STORAGE: READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE
Android Marshmallow 6.0 has classified the permissions into normal and dangerous permissions. Whenever the app needs to use dangerous permissions, it explicitly asks the user to confirm the permission. Thus, Android 6.0 and higher versions provide explicit permission notification to access critical resources. But Marshmallow is available only on 1.2 percent of Android devices. The Android operating system updates are not available for most of the older devices. Therefore, security threats related to app permissions are still not solved.
C. Application Sandboxing
Android uses application sandboxing, which is used to limit the application's access to resources. If an app needs to access resources outside of its sandbox, it needs to request the appropriate permission.
D. Over-claiming of application permissions
When an application requests a permission that it may not require, this is called over-claiming of permissions. It is the declaration to use irrelevant permissions that are not at all required for the application. It is the main reason for data theft in Android applications. The information is collected and sent to the concerned people. The developers of the app make money by selling this information. Several third parties buy this information for various reasons such as data mining. For example, in the FlashLight Android app, permission is given for full internet access. It is irrelevant for a flashlight application to have internet access. Ashmeet Kaur et al. developed a framework wherein it is possible to remove the unnecessary permissions from the app once the app has been successfully installed.
E. Misuse of App permissions and failure of two-factor authentication
Due to misuse of various app permissions, various security threats are possible. Among these threats, it is possible for Android applications to read messages and send messages. SMS is a common and basic functionality in traditional