TY - JOUR
T1 - DPC:A Dynamic Permission Control Mechanism for Android Third-Party Libraries
AU - Hsu, Fu Hau
AU - Liu, Nien Chi
AU - Hwang, Yan Ling
AU - Liu, Che Hao
AU - Wang, Chuan Sheng
AU - Chen, Chang Yi
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2021/7/1
Y1 - 2021/7/1
N2 - Today's smartphone app stores are full of apps with diverse features. Many developers use third-party libraries to reduce the development time and cost, but developers often ignore the security problems of third-party libraries. A major security problem introduced by third-party libraries is that a third-party library has the same permissions as the apps, called host-apps hereafter, that use it. According to previous research, having the same permissions as its host apps, a third-party library could have unauthorized access to user data, which poses a serious threat to app users. Therefore, how to prevent third-party libraries from abusing permissions has become an important issue. To solve this problem, this paper proposes a Dynamic Permission Control mechanism, called Dynamic Permission Controller or DPC hereafter, for app developers to prohibit third-party libraries from abusing host apps' dangerous permissions. DPC modifies the permission control mechanism of Android framework to make apps have a more flexible permission management mechanism when they are running. DPC provides new APIs which allows an app to dynamically disable a granted dangerous permission before invoking an API of a third-party library and restore the dangerous permission after completing the API. Hence, DPC protects user's privacy by blocking unauthorized access from third-party libraries. Meanwhile, without the requirement that an app developer needs to know the detail of third-party libraries, the app still can use APIs of third-party libraries safely. Experimental results show that DPC works with many popular apps downloaded from Google Play well and DPC prohibits a third-party library from having the same dangerous permissions that its host apps have. Hence, unlike previous solutions, DPC does not have compatibility problems. The overhead introduced by DPC on an emulator and Nexus 7 are 1.8 and 0.3 percent respectively.
AB - Today's smartphone app stores are full of apps with diverse features. Many developers use third-party libraries to reduce the development time and cost, but developers often ignore the security problems of third-party libraries. A major security problem introduced by third-party libraries is that a third-party library has the same permissions as the apps, called host-apps hereafter, that use it. According to previous research, having the same permissions as its host apps, a third-party library could have unauthorized access to user data, which poses a serious threat to app users. Therefore, how to prevent third-party libraries from abusing permissions has become an important issue. To solve this problem, this paper proposes a Dynamic Permission Control mechanism, called Dynamic Permission Controller or DPC hereafter, for app developers to prohibit third-party libraries from abusing host apps' dangerous permissions. DPC modifies the permission control mechanism of Android framework to make apps have a more flexible permission management mechanism when they are running. DPC provides new APIs which allows an app to dynamically disable a granted dangerous permission before invoking an API of a third-party library and restore the dangerous permission after completing the API. Hence, DPC protects user's privacy by blocking unauthorized access from third-party libraries. Meanwhile, without the requirement that an app developer needs to know the detail of third-party libraries, the app still can use APIs of third-party libraries safely. Experimental results show that DPC works with many popular apps downloaded from Google Play well and DPC prohibits a third-party library from having the same dangerous permissions that its host apps have. Hence, unlike previous solutions, DPC does not have compatibility problems. The overhead introduced by DPC on an emulator and Nexus 7 are 1.8 and 0.3 percent respectively.
KW - Third-party library
KW - in-app advertisement
KW - privacy
KW - security
UR - http://www.scopus.com/inward/record.url?scp=85098012832&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2019.2937925
DO - 10.1109/TDSC.2019.2937925
M3 - 期刊論文
AN - SCOPUS:85098012832
SN - 1545-5971
VL - 18
SP - 1751
EP - 1761
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 4
M1 - 8815864
ER -