Evaluation Metric for Android Applications

Android platform uses authorizing system which grants permission per application at install-time. With authorized privilege, user applications can modify and delete user’s personal information. Therefore, inspection of granted permission usage can be used to detect security vulnerabilities. ISO/IEC 25010 defines software product security characteristic and provides guidelines to evaluate software product quality. Among sub-characteristics of security, Authenticity is related to Android permission system. In this paper, we present authenticity metric for android application. This metric can quantify the permission usage of application and measured information can be used to classify the malware applications. To verify theapplicability of metric, we perform evaluation to benign and malware application and compare its results.

Among characteristics which ISO25010 defines in its product quality model, security has authenticity sub-characteristic [6]. Authenticity is the identity of a subject or resource that can be proved to be the one claimed and it is necessary to ensure that the data, transactions, communications or documents are genuine. Android platform grant permissions to each application when it is installed. Thus, Authenticity is needed to evaluate to the permission usage of an application. We propose a metric of authenticity evaluation for android application. The metric is a measure of permission usage and it can be used to provide quantitative measurement which checks whether the application is over-privileged or not. Because it can find security vulnerabilities of permissions, it will be a basis for authenticity evaluation and can be used to shorten security analysis time. The rest of the paper is organized as follows. Section II describes overview of android security system, security characteristic of ISO/IEC25000 and relations between each other. Section III, then, presents characteristics of the authenticity metric we suggested in detail and evaluation of it by experiment is attached. Finally, Section IV concludes and explains future work.Codeshoppy

Android Application Security In Android, application security is based on isolation and permission control to protect user data and system resources [7, 8]. Fig.1 shows overview of android permission system in simple way. Each applications runs in a specified sandbox. Application isolation is provided by Linux kernel level security architecture. So separated application is reaching only limited resources and it doesn’t share any resources. In addition, an application is granted permission at install time by declared contents in its AndroidManifest.xml file. Only permitted appAPI to access personal information. It takes advproperly, but sometimes application requests mthan what they actually required [2] Overview of Android Permission system It’s because users do not pay attention to pthey install an application [9]. Extra permissiocondition users to casually accept dangerous needlessly exacerbate application vulnerabilities.B.ISO/IEC25000 Security In 2011, ISO announced the new standaproduct quality ISO/IEC 25010 [6]. The bigexisting standard is software security is definquality characteristic. Security characteristic “degree to which a product or system protects data so that persons or other products or systemsof data access appropriate to their types authorization”. Security has five sub-charactebased on the access control and monitoring funct•Confidentiality: ensures that data are acthose authorized to have access •Integrity: prevents unauthorized amodification of , software or data •Non-repudiation: actions or events can btaken place •Accountability: actions of an entity uniquely to entity •Authenticity: the identity of a subject orproved to be the one claimed With this product model, to evaluate secusystem is being researched [10, 11]. In characteristics can be measured by using the ipermission usage. However the four characteriauthenticity, are based on platform security forSo, specific analysis of those characteristicsrepresent. But, Authenticity purpose to apermissions and it is related to Android aprequests permissions at install time.

 Evaluation Metric for Android Applications

First of all, 15% of benign applications score 1 which means count of requested and used permission is same. In contrary, only 1% of malware applications score 1. Authenticity of malicious application is lower than normal application’s authenticity. Further, about 45% of total malware apps showing less than 0.2 authenticity score, but only 10% of benign apps score lower than 0.2. This means over-privileged permission is likely to be utilized in a malicious action. But, Almost 80% of benign and 99% of malware apps score below 1. A lot of applications request more permissions than they really use. Thus, Android applications are easy to be exposed to security threats. Table 2 shows sample measurement result of application QuickSettings1. In this paper, the analyzed application is repackaged with malicious codes. It contains a variant of DroidKungFu32. This app request total 41 kinds of permission but, only 9 permissions are used. If malicious applications attack to user’s devices using permission re-delegation (privilege escalation), an application in over-privileged status can be used to a method to originate security vulnerabilities. n this paper, we presented authenticity evaluation metric for android applications. Evaluation metric is considering the characteristic of android permission system. We could detect over-privileged status with the metric and analyze permission usage rate. We applied this metric to 2283 Android application and found that most of malware applications are over-privileged. Our results show that applications need to permit properly at development cycle. With authenticity score, we can detect potential vulnerabilities. Therefore, it could be used to prohibit over-privileged status for ease of development and to draw malicious candidates. Limitation of this work is that the analysis results are based on static analysis information. Thus, it cannot detect runtime permission use state. Our future work will focus on this. A static analysis method will be used to reduce number of target application and a dynamic analysis method will be added to analyze android platform inner side. Finally, we will design evaluation metrics