Imperial College London

Dr Soteris Demetriou

Faculty of Engineering, Department of Computing

Lecturer
 
 
 

Contact

 

+44 (0)20 7594 8237, s.demetriou

 
 

Assistant

 

Ms Lucy Atthis +44 (0)20 7594 8259

 

Location

 

353, ACE Extension, South Kensington Campus



 

Publications

Citation

BibTex format

@inproceedings{Tuncay:2018:10.14722/ndss.2018.23210,
author = {Tuncay, GS and Demetriou, S and Ganju, K and Gunter, C},
doi = {10.14722/ndss.2018.23210},
pages = {1--15},
publisher = {Internet Society},
title = {Resolving the predicament of android custom permissions},
url = {http://dx.doi.org/10.14722/ndss.2018.23210},
year = {2018}
}

RIS format (EndNote, RefMan)

TY  - CPAPER
AB - Android leverages a set of system permissions to protect platform resources. At the same time, it allows untrusted third-party applications to declare their own custom permissions to regulate access to app components. However, Android treats custom permissions the same way as system permissions even though they are declared by entities of different trust levels. In this work, we describe two new classes of vulnerabilities that arise from the ‘predicament’ created by mixing system and custom permissions in Android. These have been acknowledged as serious security flaws by Google and we demonstrate how they can be exploited in practice to gain unauthorized access to platform resources and to compromise popular Android apps. To address the shortcomings of the system, we propose a new modular design called Cusper for the Android permission model. Cusper separates the management of system and custom permissions and introduces a backward-compatible naming convention for custom permissions to prevent custom permission spoofing. We validate the correctness of Cusper by 1) introducing the first formal model of Android runtime permissions, 2) extending it to describe Cusper, and 3) formally showing that key security properties that can be violated in the current permission model are always satisfied in Cusper. To demonstrate Cusper’s practicality, we implemented it in the Android platform and showed that it is both effective and efficient.
AU - Tuncay,GS
AU - Demetriou,S
AU - Ganju,K
AU - Gunter,C
DO - 10.14722/ndss.2018.23210
EP - 15
PB - Internet Society
PY - 2018///
SP - 1
TI - Resolving the predicament of android custom permissions
UR - http://dx.doi.org/10.14722/ndss.2018.23210
UR - http://hdl.handle.net/10044/1/64236
ER -