A Framework for Formal Specification and Verification of Security Properties of the Android Permissions System

TL;DR

This paper proposes a formal framework to specify and verify security properties of Android's permission system, addressing evolving features like context-dependent and temporal permissions to enhance security analysis.

Contribution

It introduces a behavioral model of Android Permissions System that captures new permission types and provides a basis for formal verification of security properties.

Findings

Model accurately represents Android 10 and 11 permission features.

Framework enables formal analysis of security vulnerabilities.

Supports verification of permission-related security guarantees.

Abstract

Android is a widely deployed operating system that employs a permission-based access control model. The Android Permissions System (APS) is responsible for mediating resource requests from applications. APS is a critical component of the Android security mechanism. A failure in the design of APS can potentially lead to vulnerabilities that grant unauthorized access to resources by malicious applications. Researchers have employed formal methods for analyzing the security properties of APS. Since Android is constantly evolving, we intend to design and implement a framework for formal specification and verification of the security properties of APS. In particular, we intend to present a behavioral model of APS that represents the non-binary, context dependent permissions introduced in Android 10 and temporal permissions introduced in Android 11.