1. A Formal Specification of Access Control in Android with URI Permissions
- Author
- Samir Talegaon and Ram Krishnan
- Subjects
Security analysis, Computer Networks and Communications, business.industry, Computer science, 05 social sciences, Access control, 02 engineering and technology, Theoretical Computer Science, Data access, 020204 information systems, Formal specification, 0502 economics and business, 0202 electrical engineering, electronic engineering, information engineering, 050211 marketing, Android (operating system), Software engineering, business, Software, Information Systems
- Abstract
A formal specification of access control yields a deeper understanding of any operating system, and facilitates performing security analysis of the OS. In this paper, we provide a comprehensive formal specification of access control in Android (ACiA). Prior work is limited in scope; furthermore, recent developments in Android concerning dynamic runtime permissions require rethinking of its formalization. Our formal specification includes three parts: the user-initiated operations (UIOs) and app-initiated operations (AIOs), which are distinguished based on the initiating entity, and the URI permissions, which are utilized in sharing temporary access to data. We also studied the evolution of URI permissions from API 10 (Gingerbread) to API 22 (Lollipop), and a brief discussion on this is included in the paper. Formalizing ACiA allowed us to discover many peculiar behaviors pertaining to ACiA. In addition to that, we discovered two significant issues with permissions in Android which were reported to Google.
- Published
- 2020