Towards a Formal Approach for Detection of Vulnerabilities in the Android Permissions System

TL;DR

This paper introduces a formal modeling and verification method for the Android Permissions System to identify security vulnerabilities, demonstrated by detecting a known flaw in custom permissions.

Contribution

It presents a novel formal approach for analyzing Android's permission system, enabling systematic detection of security vulnerabilities.

Findings

Successfully modeled Android Permissions System formally

Detected a known vulnerability in Android's custom permissions

Validated the effectiveness of the formal approach

Abstract

Android is a widely used operating system that employs a permission-based access control model. The Android Permissions System (APS) is responsible for mediating application resource requests. APS is a critical component of the Android security mechanism; hence, a failure in the design of APS can potentially lead to vulnerabilities that grant unauthorized access to resources by malicious applications. In this paper, we present a formal approach for modeling and verifying the security properties of APS. We demonstrate the usability of the proposed approach by showcasing the detection of a well-known vulnerability found in Android's custom permissions.