Speaker: James Sellwood (Royal Holloway University of London, UK)
James Sellwood was awarded his BSc in Combined Sciences from Southampton University and his MSc in Information Security from Royal Holloway. James works as an Information Security Consultant and is studying part-time for a PhD under the supervision of Dr Jason Crampton. James’ interests include the application of cryptography to real-world security problems and the hardware and software components of the security of consumer mobile devices.
Title: Sleeping Android: The Danger of Dormant Permissions
An Android app must be authorized for permissions, defined by the Android platform, in order to access certain capabilities of an Android device. An app developer specifies which permissions an app will require, and these permissions must be authorized by the user of the device when the app is installed. Permissions, and the tools that are used to manage them, form the basis of the Android permission architecture, which is an essential part of the access control services provided by the Android platform.
We have analyzed the evolution of the Android permission architecture across six versions of the Android platform, identifying various changes which have occurred during that period and a considerable amount of information about the permission architecture which is not included in the Android documentation. Using this information, we have identified a weakness in the way that the Android platform handles app permissions during platform upgrades. We explain how this weakness may be exploited by a developer to produce malicious software which the average user is unlikely to detect. We conclude with a discussion of potential mitigation techniques for this weakness, highlighting concerns drawn from other research in this area.