Normally, an application is certified based on its declared permissions, but declared permissions are often coarse-grained or inconsistent with those actually used in the program code. The authors propose application programming interface (API)-level security certification of Android applications (ASCAA), a cloud-based framework, which employs a systematic method to identify and analyse security threats at API level. To certify an application, ASCAA examines all permission labels in its manifest and API invocations extracted from its decompiled code based on a set of requirement-dependent security rules. In addition, the authors provide ASCAA Security Language to formalise security rules and the certification process, which makes ASCAA general and scalable. Since it is a cloud-based framework, any potential user could easily make ASCAA work for them, and ASCAA has also been proved to gain high performance. Hitherto, they have analysed over 200 applications with an automated tool based on ASCAA, and discovered that about one-eighth failed to pass part of our sample rules. We find evidence that ASCAA can identify risk factors in a fine-grained way, for example, applications being overprivileged or the use of some dangerous APIs that require no permission declaration.

Recently, Android has become one of the largest smart phone platforms in the world. It supports third-party development with an extensive application programming interface (API) that provides applications with access to network connections, user data and phone settings. However, the presence of dangerous configuration and functionality in such applications poses threats to the security of sensitive user data and phone settings. In addition, Google releases the Android code as open-source and users can download applications provided by not only Google Play (formerly known as Android market) but also third-party sites, which brings convenience to the propagation of malicious applications. To mitigate the impact brought by dangerous functionality in applications such as reading contacts automatically, Android provides a permission declaration and certification mechanism to indicate potential security threats of applications at install time, aiming at blocking the installation of suspicious applications. An application running on the Android platform cannot gain access to API calls and user data unless it has declared the corresponding permissions which are automatically allowed/prohibited by the user identification while installing. Moreover, Android M, the relatively new version of Android, allows users to modify (revoke/allow) the permission configuration of an application at run time. However, this can ensure that only approved software can be installed and reduce the impact of dangerous functionality in applications to some extent. It is ineffective and not accurate enough since (i) declared permissions are often coarse-grained, not providing sufficient information to indicate their actual use; (ii) permissions actually used in the application code may be inconsistent with those declared in the application package Manifest (in this paper, 'Manifest' represents the AndroidManifest.xml in an application package, which specifies the global configuration of the application including the declared permissions), and in fact most applications are overprivileged; (iii) some dangerous API invocations may not need explicit pre-declared permissions in the Manifest.
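The comparison of declared permissions against API invocations described above can be sketched as follows. This is an added example, not ASCAA's implementation or its Security Language; the manifest, the invocation list, the API-to-permission map and the rule names are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample input: a decoded manifest and the API calls a decompiler might list.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
INVOCATIONS = [
    "java.net.URL.openConnection",
    "android.telephony.SmsManager.sendTextMessage",
    "java.lang.Runtime.exec",
]

# Assumed, deliberately tiny API -> permission map (not ASCAA's rule base).
API_PERMISSION = {
    "java.net.URL.openConnection": "android.permission.INTERNET",
    "android.telephony.SmsManager.sendTextMessage": "android.permission.SEND_SMS",
    "android.hardware.Camera.open": "android.permission.CAMERA",
}
# Assumed rule set: sensitive calls that need no permission in the Manifest.
PERMISSIONLESS_DANGEROUS = {"java.lang.Runtime.exec",
                            "dalvik.system.DexClassLoader.loadClass"}


def declared_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return names - {None}


def certify(manifest_xml, invocations):
    """Check declared vs. used permissions and flag permission-free risky calls."""
    declared = declared_permissions(manifest_xml)
    used = {API_PERMISSION[a] for a in invocations if a in API_PERMISSION}
    known = set(API_PERMISSION.values())
    findings = {
        # Declared, covered by the map, yet no invoked API needs it.
        "overprivileged": sorted((declared & known) - used),
        # An invoked API needs a permission the Manifest does not declare.
        "undeclared_use": sorted(used - declared),
        "permissionless_dangerous": sorted(set(invocations) & PERMISSIONLESS_DANGEROUS),
    }
    passed = not any(findings.values())
    # Permissions the map cannot judge are reported but do not fail the app.
    findings["unmapped_permissions"] = sorted(declared - known)
    findings["passed"] = passed
    return findings
```

A permission reached through a path the map does not cover (here `READ_CONTACTS`, typically exercised via a content provider query) lands in `unmapped_permissions` rather than being reported as overprivileged, which is why the quality of the API-to-permission map bounds the accuracy of any such check.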