[Dailydave] Android Attacks Slides
r3drand at gmail.com
Thu Apr 5 18:06:30 EDT 2012
Does that imply that if an app requests a non-existent permission, say, "TELEPATHY_SEND_RCV", then it will be silently accepted. Then, if Android 6 supports that permission and the user upgrades the OS, the app would execute with that permission w/o any confirmation?
On Apr 2, 2012, at 4:46 PM, Tim <tvidas at gmail.com> wrote:
> The "fine" vs "coarse" grained is somewhat subjective given the
> various resources available on a device, but level of granularity
> certainly varies across the permissions. One that is often cited as
> too coarse is "INTERNET" where many suggest limiting apps more finely
> to particularly domains or hierarchical models. Text messaging has
> several, more granular permissions dividing access among sending,
> receiving, reading, and writing for each of SMS and MMS (which some
> will argue could be even more granular limiting access to certain
> contacts, country codes, non-premium numbers, etc).
> The "borking" you refer to at the end is an interesting problem.
> Originally there were many fewer permissions than there are now, so
> what should happen when a new permission is specified by an app and
> that app is installed on an old device? The older OS doesn't know
> anything about the new permission nor how to enforce it, so a design
> decision was made to silently ignore the permission request. There
> are also odd situations with the UI. For example, when you install
> the app, it will list the permissions that the OS supports, but
> post-install if you inspect the app via the Applications menu in
> Settings it will list the permissions found in the app manifest. So
> in the stackoverflow example you linked, at install time you would not
> see the WRITE_EXTERNAL_STORAGE permission but when inspecting the app
> via Settings on the same device you would (this behavior may vary
> based on API version - I have not checked them all).
> Alternate design decisions could have been made, for example the
> installer could refuse to install apps that specify unknown
> permissions in the manifest. In this case developers would have to
> support an app for old devices that are unaware of
> WRITE_EXTERNAL_STORAGE (a request for this permission is not needed
> anyway because the OS cannot enforce it), and also a nearly identical
> app that does specify the permission for newer devices. For about 1
> year now, the Android Market (now Google Play) has supported this
> split-distribution model where the appropriate variant of the app is
> delivered to a device - but it is still fairly annoying for the
> developer. Many apps are poorly written with manifests that specify
> the same permission multiple times, misspell permissions or even
> specify permissions that have never existed. An installer that
> doesn't install apps with unknown permissions would at least force
> some of these practices to clean up.
> The situation is, of course, worsened by the lagging / nonexistent
> Android OS updates, the relatively short supported lifespan of
> devices, and alternative app sources.
> On Fri, Mar 30, 2012 at 5:50 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>> Hi Guys,
>> Android Attacks (Bas Alberts/Massimiliano Oldani),
>> Perhaps I'm reading Slide 15 wrong:
>> Fine grained Permission/Capability model
>> ● Per installed Application (Manifest)
>> ● Per URI (Intent permission flags)
>> I believe Android lacks Fine Grained permissions:
>> Felt, Adrienne Porte; Chin, Erika; Hanna, Steve; Song, Dawn; Wagner,
>> David. "Android Permissions Demystified,"
>> Jeon, Jinseong; Micinski, Kristopher K.; Vaughan, Jeffrey A.; Reddy,
>> Nikhilesh; Zhu, Yixin; Foster, Jeffrey S.; Millstein, Todd." Dr.
>> Android and Mr. Hide: Fine-grained security policies on unmodified
>> Android," http://www.cs.umd.edu/~jfoster/papers/acplib.pdf.
>> In fact, the permissions are so coarse grained and borked that Google
>> was giving everone READ_PHONE_STATE whether they wanted it or not (the
>> practice has been changed). And READ_PHONE_STATE includes call
>> status, incoming number, identity iformation such as IMSI, etc. See
>> "Android permissions: Phone Calls: read phone state and identity,"
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
More information about the Dailydave