Design of Authenticity for Android
In 2013, Android accounted for more than 78% of smartphone sales to end users by operating system [1]. With the growing popularity of the Android platform, users can download many applications from various Android markets (Google Play Market, secondary markets, etc.). Unsurprisingly, Android has attracted a huge number of attacks, and there is a lot of malware that is not certified. Su [2] notes that the current major app vendor markets do not provide ideal verification mechanisms to check for malicious behavior of applications. Therefore, application analysis is needed to bring software security to a higher level. In particular, most Android application security issues are related to the abuse of personal information. Malware sends information to an anonymous server or sends many SMS messages in order to incur unnecessary charges. The Android platform adopts install-time permissions to protect sensitive resources from untrusted apps. However, an install-time permission system is ineffective if developers routinely request more permissions than they require [3]. Thus, many malware attacks have exploited this weakness of the Android permission system.
To address these issues, many analysis techniques were researched [4, 5]. by feature similarity. They can detect application vulnerabilities quickly, but most static methods have difficulty identifying permission usage because they are based on code pattern analysis only, and it is hard for them to represent the security characteristics of applications. Among the characteristics that ISO25010 defines in its product quality model, security has an authenticity sub-characteristic [6]. Authenticity means that the identity of a subject or resource can be proved to be the one claimed, and it is necessary to ensure that data, transactions, communications or documents are genuine. The Android platform grants permissions to each application when it is installed. Thus, authenticity needs to be evaluated in terms of the permission usage of an application.
We propose a metric for evaluating the authenticity of Android applications. The metric is a measure of permission usage, and it provides a quantitative measurement that checks whether an application is over-privileged or not. Because it can find security vulnerabilities in permissions, it can serve as a basis for authenticity evaluation and can be used to shorten security analysis time. The rest of the paper is organized as follows. Section II gives an overview of the Android security system, the security characteristic of ISO/IEC25000, and the relations between them. Section III then presents the characteristics of the proposed authenticity metric in detail, together with an experimental evaluation. Finally, Section IV concludes and explains future work.
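As an added illustration (not code from the paper), the sketch below shows one way to compute a permission-usage measure of the kind proposed above: it compares the permissions declared in a manifest with those required by the API calls a static scan reports. The ratio used as the score, the function names, the small API-to-permission map, the sample manifest and the call list are all assumptions constructed for this example; the paper's own formula is not reproduced here.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed, deliberately small API-to-permission map (assumption). A real
# analysis needs a complete map for the Android API level being targeted.
API_PERMISSIONS = {
    "java.net.URL.openConnection": "android.permission.INTERNET",
    "android.telephony.SmsManager.sendTextMessage": "android.permission.SEND_SMS",
    "android.telephony.TelephonyManager.getDeviceId": "android.permission.READ_PHONE_STATE",
}

# Constructed sample manifest for a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Constructed list of API calls a static scan of the app's code might report.
SAMPLE_CALLS = [
    "java.net.URL.openConnection",
    "android.telephony.SmsManager.sendTextMessage",
    "java.lang.String.format",  # needs no permission
]


def requested_permissions(manifest_xml):
    """Return the set of permissions declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}


def permission_usage(manifest_xml, api_calls):
    """Compare requested permissions with those the observed API calls need."""
    requested = requested_permissions(manifest_xml)
    needed = {API_PERMISSIONS[c] for c in api_calls if c in API_PERMISSIONS}
    unused = requested - needed
    # Assumed score: share of requested permissions that are actually exercised.
    rate = len(requested & needed) / len(requested) if requested else 1.0
    return {
        "usage_rate": rate,
        "unused": sorted(unused),                  # over-privilege evidence
        "undeclared": sorted(needed - requested),  # used but never requested
        "over_privileged": bool(unused),
    }
```

A low usage rate with several unused permissions marks the app as a candidate for closer review; because the input is static, permissions exercised only through reflection or dynamically loaded code would be misreported as unused.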
Android Application Security
In Android, application security is based on isolation and permission control to protect user data and system resources [7, 8]. Fig. 1 shows a simplified overview of the Android permission system. Each application runs in a specified sandbox. Application isolation is provided by the Linux kernel-level security architecture, so an isolated application can reach only limited resources and does not share any resources. In addition, an application is granted permission at install time
In this paper, we presented an authenticity evaluation metric for Android applications. The metric takes the characteristics of the Android permission system into account. With it, we could detect over-privileged status and analyze the permission usage rate. We applied this metric to 2283 Android applications and found that most malware applications are over-privileged. Our results show that applications need to be given proper permissions during the development cycle. With the authenticity score, we can detect potential vulnerabilities. Therefore, it could be used to prevent over-privileged status, easing development, and to identify malicious candidates. A limitation of this work is that the analysis results are based on static analysis information, so it cannot detect the state of permission use at runtime. Our future work will focus on this. A static analysis method will be used to reduce the number of target applications, and a dynamic analysis method will be added to analyze the internals of the Android platform. Finally, we will design evaluation metrics for other sub-characteristics of security (confidentiality, integrity, etc.).