Dec 2, 2014 - provide features that are unique to mobile phones, like SMS ... activities. 2 Android Update Attack .... 2012. http://dx.doi.org/10.1109/mc.2012.36.
Contemporary Engineering Sciences, Vol. 7, 2014, no. 31, 1683 - 1689 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ces.2014.411226
Research on Monitoring Method of Permission Requests by Mobile Applications Seung-hwan Ju Department of Computer Engineering Korea University of Technology and Education, Republic of Korea Yo-han Choi Interdisciplinary Program in Creative Engineering Korea University of Technology and Education, Republic of Korea Hee-suk Seo Interdisciplinary Program in Creative Engineering Korea University of Technology and Education, Republic of Korea Copyright © 2014 Seung-hwan Ju, Yo-han Choi and Hee-suk Seo. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Abstract The fluidity of application markets complicate smart-phone security. The analytical methods used mainly are the reverse engineering-based analysis and the sandbox-based analysis. Such methods are can be analyzed in detail. But, they take a lot of time and have a one-time payout. In this study, we develop a system to monitor that mobile application permissions at application update. This study is a service-based malware analysis, it will be based on the mobile security study. Keywords: Mobile Security, Application Permission, Application Analysis
1 Introduction People use smartphones for many of the same purposes as desktop computers: web browsing, social networking, online banking, and more. Smartphones also
1684
Seung-hwan Ju et al.
provide features that are unique to mobile phones, like SMS messaging, constantly updated location data, and ubiquitous access. As a result of their popularity and functionality, smartphones are a burgeoning target for malicious activities.
2 Android Update Attack The first technique typically piggy- backs the entire malicious payloads into host apps, which could potentially expose their presence. The second technique makes it difficult for detection. Specifically, it may still repackage popular apps. But instead of enclosing the payload as a whole, it only includes an update component that will fetch or download the malicious payloads at runtime. As a result, a static scanning of host apps may fail to capture the malicious payloads. While some embed root exploits that allow for silent installation of additional apps without user intervention, we here focus on other variants that use the update attacks without root exploits.
Required permission of the application android.permission.INTERNET android.permission.ACCESS_COARSE_LOCATION android.permission.READ_PHONE_STATE android.permission.VIBRATE
Required permission of the malware android.permission.INTERNET android.permission.ACCESS_COARSE_LOCATION android.permission.READ_PHONE_STATE android.permission.VIBRATE android.permission.ACCESS_FINE_LOCATION android.permission.CALL_PHONE android.permission.READ_CONTACTS android.permission.READ_SMS android.permission.SEND_SMS android.permission.SET_WALLPAPER android.permission.WRITE_CONTACTS android.permission.WRITE_EXTERNAL_STORAGE android.permission.ACCESS_GPS android.permission.ACCESS_LOCATION android.permission.RESTART_PACKAGES android.permission.RECEIVE_SMS android.permission.WRITE_SMS
We develop a system to monitor that mobile application permissions at application update.
Research on monitoring method of permission requests
1685
3 Mobile Application Permission Monitoring System Monitoring System for Permission Request by Application keeps track of permission requests from various applications. Permission request is a part of the installation of Android applications and the same process is done when the applications are updated. Therefore, it is possible to monitor permission requests from applications upon update by tracking the AndroidManifest.xml file of an application software or by tracking the system function that requests permission. First, the monitoring system should detect the event of app installation (including update). This system inherits the BroadcastReceiver object and has the authority to access various Android system events. It collects the broadcast messages, filters the information on adding an application or updates among the messages, and obtains the information on the app from the filtered messages. This system uses the Intent object to detect the update events. Upon the occurrence of an application event, the onReceive() method of the corresponding application is called, and the Intent object passed as an argument contains the event status values. This system monitors the permission request status when applications are installed by using the values of Intent object. The system has been designed to detect the application update event when the Intent object of Intent.ACTION_PACKAGE_ADDED. Upon the detection of application installation event, this system accesses the application that generated the event and saves the requested permission in the files by date.
Fig 2. Overview of Monitoring System for Application Permission The theory of operation for the Monitoring System for Application Permission is as follows. Context object passed as the first argument of the onReceive() is used. PackageManager object can be obtained using the getPackageManager() method of the Context object, and the PackageInfo object can be obtained from the PackageManager.
1686
Seung-hwan Ju et al.
Class PackageInfo activity
applicaioninfo
permissions
providers
configPerferences
firstInstallTime
receivers
reqFeatures
gids
instrumentation
requestedPermissions
services
lastUpdateTime
packageName
sharedUserId
versionName
PackageInfo object contains various package information as well as the application permission request information, which is how this system can search the permission request from the installed applications. When the monitoring system is executed, it generates and outputs the list of all previously collected files. The file list contains the package name with message reception time stamp so that users can search various information including the time of installation, requested permission, and permission request history. Since the name of the application and installation time are saved along with the requested permission, a new file will be generated for the same application if the date is different.
Fig 3. Change Event List of Application Permission Request Files containing this information can be checked through the corresponding monitoring system application, and this system creates groups by the label of each application. Users can check the list of files categorized by label from the first screen. When one of the items in the list is selected, the list organized by date can be checked again. Select the date and press the OK button to view the list of permission requests for the corresponding date. In case of applications installed after installation of this monitoring system, the
Research on monitoring method of permission requests
1687
entire history of permission requests from initial installation and all updates are saved for systematic management and analysis.
Fig 4. Permission Request Status of Such Application This system to monitor the permission request by application allows users to search the relationship between application services and permission requests. Also, users can check the history of permission requests from each application and manage the applications accordingly.
4 Conclusions A system to monitor permission requests from mobile applications was studied for security reasons as many application malicious codes created by tampering permission requests have been discovered recently. Users can use this system to check the permission request history of each application and manage applications. This application monitoring system saves the date and requested permission obtained from the initial installation event of an application. And, when the application is updated, the permission requests and update dates after the update are compared with the existing requests. Mobile terminals with this permission monitoring system save all history of permission requests from the installation to any updates of applications for the purpose of systematic management and analysis. This monitoring system can be used for various research such as pattern analysis of applications that abuse the permission request system and Android permission requested by malicious codes. In the future we will use this system to find patterns using the relationship between application services and requested permissions and will devise a more advanced system to validate applications using this information.
1688
Seung-hwan Ju et al.
Acknowledgements. This paper was partially supported by the sabbatical year research program of KOREATECH. This research was partially supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (NRF-2010-0021951) This work was partially supported by the BK21 Plus Program (Future-oriented innovative brain raising type) funded by the Ministry of Education (MOE, Korea) and National Research Foundation of Korea (NRF)
References [1] F-Secure, “MOBILE THREAT REPORT," 2014. [2] Sophos, “Security Threat Report 2013,” 2013. [3] McAfee, “McAfee Threats Report: First Quarter 2012,” 2012. [4] Y. Zhou and X. Jiang, “Dissecting Android Malware: Characterization and Evolution,” Proc 33rd IEEE Symp Security and Privacy, 2012. [5] L. K. Yan and H. Yin, “DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis,” Proc 21st USENIX conf. Security Symp., Security, 2012. [6] R. Xu, H. Saidi, and R. Anderson, “Aurasium: Practical Policy Enforcement for Android Applications,” 21st USENIX Security Symp. USENIX, 2012. [7] M. Chandramohan, and H. B. K. Tan, “Detection of Moblie Malware in the Wild,” Comput., vol, 45 no. 9, Sept. 2012. http://dx.doi.org/10.1109/mc.2012.36 [8] A. Moser, C. Kruegel, and E. Kirda, “Exploring Multiple Execution Paths for Malware Analysis,” Proc. IEEE Symp. Security Privacy, SP, pp. 231 - 245, 2007. http://dx.doi.org/10.1109/sp.2007.17 [9] W. Enck, et al., “Understanding android security,” IEEE Security & Privacy Magazine, Vol. 7, No. 1, pp. 50-57, June 2009. http://dx.doi.org/10.1109/msp.2009.26 [10] R. Xu, H. Saidi, and R. Anderson, “Aurasium: Practical Policy Enforcement for Android Applications,” 21st USENIX Security Symp. USENIX, 2012.
Research on monitoring method of permission requests
1689
[11] A. Shabtai, et al., “Google Android: A State-of-the-art Review of Security Mechanisms,” Technical Report, Cornell University, 2009. [12] W. Enck et al., “A Study of Android Application Security,” Proc. 20th USENIX Conf. Security, Security, 2011. [13] A. P. Felt et al., “Android Permissions Demystified,” Proc. 18th ACM Conf. Comput. Commun. Security (CCS), 2011. http://dx.doi.org/10.1145/2046707.2046779 [14] Arxan, “State of Security in the App Economy: Mobile Apps under Attack,” 2012. [15] A. Moser, C. Kruegel, and E. Kirda, “Exploring Multiple Execution Paths for Malware Analysis,” Proc. IEEE Symp. Security Privacy, SP, 2007, pp. 231 - 245. http://dx.doi.org/10.1109/sp.2007.17
Received: October 1, 2014; Published: December 2, 2014
