Application Collusion Attack on the Permission-Based Security Model and its Implications for Modern Smartphone Systems



Date

2011

Publication Type

Report

ETH Bibliography

yes


Abstract

We show that the way in which permission-based mechanisms are used on today’s mobile platforms enables attacks by colluding applications that communicate over overt and covert communication channels. These attacks allow applications to indirectly execute operations that those applications, based on their declared permissions, should not be able to execute. Example operations include disclosure of users’ private data (e.g., phone book and calendar entries) to remote parties by applications that do not have direct access to such data or cannot directly establish remote connections. We further show that on today’s mobile platforms users are not made aware of possible implications of application collusion – quite the contrary – users are implicitly led to believe that by approving the installation of each application independently, based on its declared permissions, they can limit the damage that an application can cause. In this work, we show that this is not correct and that application permissions should be displayed to the users differently (e.g., in their aggregated form), reflecting their actual implications. We demonstrate the practicality of application collusion attacks by implementing several applications and example covert channels on an Android platform and an example channel on a Windows Phone 7 platform. We study free applications from the Android market and show that the potential for application collusion is significant. Finally, we discuss countermeasures that can be used to mitigate these attacks.

Publication status

published

Publisher

ETH Zurich, Department of Computer Science

Organisational unit

03755 - Capkun, Srdan / Capkun, Srdan
02150 - Dep. Informatik / Dep. of Computer Science
