[Dailydave] Android Attacks Slides
Jeffrey Walton
noloader at gmail.com
Fri Mar 30 17:50:23 EDT 2012
Hi Guys,
Android Attacks (Bas Alberts/Massimiliano Oldani),
http://www.immunityinc.com/infiltrate/2011/presentations/Android_Attacks.pdf.
Perhaps I'm reading Slide 15 wrong:
Fine grained Permission/Capability model
● Per installed Application (Manifest)
● Per URI (Intent permission flags)
I believe Android lacks Fine Grained permissions:
Felt, Adrienne Porter; Chin, Erika; Hanna, Steve; Song, Dawn; Wagner,
David. "Android Permissions Demystified,"
http://www.cs.berkeley.edu/~afelt/android_permissions.pdf.
Jeon, Jinseong; Micinski, Kristopher K.; Vaughan, Jeffrey A.; Reddy,
Nikhilesh; Zhu, Yixin; Foster, Jeffrey S.; Millstein, Todd. "Dr.
Android and Mr. Hide: Fine-grained security policies on unmodified
Android," http://www.cs.umd.edu/~jfoster/papers/acplib.pdf.
In fact, the permissions are so coarse grained and borked that Google
was giving everyone READ_PHONE_STATE whether they wanted it or not (the
practice has been changed). And READ_PHONE_STATE includes call
status, incoming number, identity information such as IMSI, etc. See
"Android permissions: Phone Calls: read phone state and identity,"
http://stackoverflow.com/questions/1747178/android-permissions-phone-calls-read-phone-state-and-identity.
Jeff