Permission management is becoming a primary concern as privacy and data concerns keep growing, particularly on mobile devices. With Marshmallow, and building on the AppOp project under KitKat, Android users now have (partial) control over the permissions requested by the applications they have installed, instead of the “I agree or I do not install the app” choice.
However, by giving the user control over permission granting, the Android system had to implement the concept of permission granting, which opened up the opportunity for new security issues and exploits. In addition, the review of the Android permission model implied the need to specify algorithms that keep the Android security policy backward compatible for non-updated applications.
In this talk, we present the limits of the Android permission policy, which are due to wrong or incomplete API implementation for developers, an incorrect display algorithm at the system information level, backward compatibility inconsistency and, finally, incorrect permission revocation algorithms.
Based on these issues in the Android Open Source Project source code, we will first show how to exploit them in Android before Marshmallow. In a second part, we will show how these issues map to the recent version of the AOSP source code and how we can exploit them on recent versions of Android.
About Julien THOMAS @protektoid
An engineer from a French Grande École, INSA of Rennes, Julien Thomas has also held a French doctorate in Computer and Information Security since 2011.
During his PhD, he submitted multiple research papers to national and international research conferences. He had the opportunity to present his research work on information flow and formal modeling in European and Asian countries.
Since 2011, he has focused his work on developing web and mobile solutions for businesses in Europe. He also created a company in order to develop startup projects such as Protektoid, which focuses on device security and privacy review of Android applications based, for instance, on personal and social algorithms.