You are on page 1of 6

A REVIEW ON ANDROID’S APPLICATION SECURITY

Siti Nur Hakima Binti Mohamed
Faculty Of Computer and Mathematical Sciences
Universiti Teknologi MARA
Shah Alam, Malaysia
hakima_mohamed91@yahoo.com
Abstract— Security need to be concerned as to ensure that the
system can function well as that users need. With the
increasing of the varying operating system in smartphones, it
provides easier ways for users use many functions like gaming,
writing or reading and so on and also make connections with
other devices. Android is one of the most popular operating
system. Android has designed the security model for
mechanism in order to protect the users’ data or resources.
Permission-based model is one of the security models that
Android develops. Android and iOS have same goal in order to
protect the security in a smartphone, but iOS provides
different mechanism. In this paper, we make a review of
Android’s security where we define the weaknesses on Android
and also include the comparison of Android and iOS as same
UNIX Kernel based on security aspects.
Keywords- Android, operating system; Permission-based
model, security, iOS, UNIX Kernel

I.

INTRODUCTION

Security becomes a very important area in order to
protect data and information from any kind of threat,
whether from human and technical errors, disasters or
accidents, fraud and so on. As for many businesses
depending on their information system for business
process, software application and information system
become an important part in every field of life. The
organization uses to store important data electronically
[1]. Applications and system need to be secure to establish
trust from the users and organizations [1]. Therefore, the
security is an important concept in the design and analysis
for secured system.
Such like smartphones, there is a variety of software
operating system running on such as Android, iOS,
Window phone and so on. In order to make secure system
for smartphones, the organization builds the operating
system that provides security mechanism. The smartphone
is not just a common mobile phone that has a basic
feature phone. This is a mobile phone has an ability to
provide better and advance of computing ability and
connectivity. Android is one of the most popular mobile
operating system on the market since the beginning of the
first Android in October 2008 [2].
According to a Gartner study, android become the
second-most popular operating system in the world and it
will challenge the number one because of the growing at a

Wan Ya Bin Wan Hussin
Faculty Of Computer and Mathematical Sciences
Universiti Teknologi MARA
Shah Alam, Malaysia
wanya@salam.uitm.edu.my
fast rate [3]. The Android Market has experienced high
development since the improvement of the application has
permitted user to upload applications to the market.
People like to use android device is because Android is an
open source operating system. The open source means
that people can build or get the source code and creating
for applications. However, Android has high market share
and it also the open source architecture which makes it be
the most vulnerable mobile operating system to security
attack [4]. Android’s increasing popularity is one of the
factors that turn it into the one of most targets for many
malicious numbers of applications [5].
Therefore, security becomes the crucial part when
dealing with the important data or information. People
want to use software that can protect user data or
resources. Android goals are to protect user data and also
system resources [6]. Therefore, Android has provided a
security mechanism to help user to protect their
information. However, the security that Android provides
is not enough. Based on research studies, there are
vulnerabilities that allow the threat from attackers.
In this paper, we make a review of Android’s security
since the central issue is based on security. We discussed
on Android vulnerabilities that affect the security on
Android.
The paper is structured as follows: in Section 2, we
make a review on smartphone’s security. In Section 3, we
discuss the Android’s vulnerabilities or the issues on
Android. Lastly, we conclude the paper with a conclusion
about the Android’s security in Section 4.
II. SMARTPHONE’S SECURITY
A. Software security
Software problem is the critical aspect of the security
problem [7].
When the software detects to have
vulnerabilities, then there are possibility of the threat to
spread and malicious to attack in the system. The software
security is about the way to build the secure software. This
is more about to design the software to be more secure,
ensure that the software is secure and help to educate the
software developers or users on how to develop secure
things [7].

It is needed to be more useful and easier. the companies help users in protecting the resources in Smartphones.  A device which is the smartphones itself [10]. internet and also to other mobile phones using wireless network [10]. The attacks make users become afraid to make any transaction or connection using the smartphone. III. There are applications that are freely distributed by user or online application store and the other one is commercially used with digital rights [10]. there should not be a complex security because many different levels of users used the smartphone. There are be a certain different level of complexity of the software depend on how confidential the system is. Android security mechanism Current Android’s security model design with two layers: an application–level permission model (Android Permission) and a kernel-level sandboxing and isolation mechanism. Providing the security application is not enough to make sure that the smartphone is secure. The applications which can be defined in two types of application. The studies have defined that smartphone contains assets that considered to be the target for the vulnerabilities and attack [10]. The system like military system is true to have high security in order to protect from others attack. the focus will be on review of the Android's architecture. and application framework. For smartphone.  Integrity is close to confidentiality where the integrity is about to protect or prevent from unauthorized modification of data [8]. In order to describe more about the issues in Android. then malicious user can cause overcharging [10]. applications and hardware [9]. Instance. regular update and so on [10].  Availability is about protecting from loss of access to data and resources [8]. B. Therefore. The more complex of the system becomes. device hardware. the less guarantee levels of the security mechanism [8]. if the  phone lost. The security applications provided only to prevent attack or threat from outside such as malware.As we understand. Therefore. It is because the smartphone can create a connection that cause the threat. Developers are free to take advantage to be the superiority of access location information. the design of the system should not be too high or hard for users to use. It consists of an operating system. Android run time. ISSUES ON ANDROID BASED SMARTPHONE In any system or software. B. there is certain security mechanism that needs to be adopted such as platform modification. the military system needs to be more complex or more secure to make common users hard to use. It is where users or people have trustworthy to the system. [12]. The Android platform is divided into five parts which are Linux kernel. The assets consist of three which are  Private information which is information that have in smartphones included all data that store or transmitted out to smartphones. There are some applications that need to use the internet to connect with web or other devices and also to various wireless networks. These attributes can be enforced in any variety places within an enterprise [8]. system libraries. Security can be taken as the important part of the system in the organization in order to protect the data and information. Besides making money. As what we know. All the security applications can be found and get on an online market. The more complex the security mechanism becomes. PC. Confidentiality. Smartphone’ security Smartphone contain components of the computing platform which are an operating system. However. An open development platform is provided by Android and it offers the developers’ ability to develop incredibly rich and imaginative applications. security companies have provided some security solution. Android provides security features to achieve these goals. Android is a Linux-based open source software stack for mobile devices. there will be certain weaknesses that will lead to the low of performance. middleware and key applications that have API libraries [1]. the smartphone has the ability to connect to various subject. The Android security mechanism defines to understand the features of the security that has built on Android. This all features give users more desire to use it. any software or system builds will need to have security aspect. run background service and add inform to status bar [15]. this feature looks like to invite the malicious attacker or software to make the threat of smartphones in various paths. All applications are run in a sandbox and . The Android operating system’s goals are to secure the user data and system resources and also give an application isolation [6]. Android architecture The architecture in Android is a hierarchical architecture [14]. the more users unable to conduct the system because of the hardness in understanding the process or flow of the system. However. Therefore.  Confidentiality is about preventing or protect from unauthorized disclosure of data [8]. integrity and availability are the main attributes in security [8]. To make the smartphone more secure. A. [13].

Dangerous Permissions are the permission that only granted to the application that get user ‘confirmation during installation. This because the application can access to private user data or can control over the device that can give negative effect to the user. Android uses . The AndroidManifest. Figure 2 shows an example of how binder works to communicate the applications. All the permission is listed to inform users what needs to receive in order to get the applications.xml file is used to extract information on permissions. An Android application has a set of permissions that need to be granted before installation. Figure 1 shows the basic Android permission access control mechanism. and they are given to applications that are signed by the same developer that defines the permissions [19]. 2) Application permission mechanism Permissions used in Android to protect from malicious application.permissions are declared in order to access the resources in smartphones and it is a. The permissions that declared in this manifest file cannot be changed or modified after installation. In Android. then the application cannot be installed. In time-of-use. user must confirm to this permission first. there are three protection levels that categorized based on 152 permissions that has define by Android 4. Time-of-use and install-time is the two approaches in accepting the permissions [20].xml file as shown on figure 3 is the place where the permissions are declared. The application has access to limited system resources as it runs on application sandbox. If the user denies confirming the permission. starting or connecting to the Services. The permission based model gives a controlled access to many system resources and restrict access to others [bing]. The Binder is a low-level of an Android-specific IPC mechanism.4 [18]. they can stop the installation if they deny accepting the permission of the application. then users cannot make a choice which permission needs to accept or deny. Dangerous Permission and Signature or System Permissions. AndroidManifest. An application is needed to declare it necessary capabilities and get confirmation from users upon installation [17]. Android Permissions on Android services and APIs that have the potential to adversely impact the user experience or data on the device are protected with a mandatory access control framework called Permissions [22]. Therefore. Linux kernel gives the foundational mechanism for sandboxing and application isolation. and also invoking Binder interfaces [21]. accessing ContentProviders. While in install-time. At the time of application installation. This is to make sure that there will no more applications can run in the same process . The three protection level includes Normal Permissions. Android consists of several access controls. The shareUserId is used when the applications need to share the same process. the application cannot interact with each other because they do not share the resources. If users install the application. According to Ahmed Ben Ayed. The same permission can be required by the Starting Activities. Otherwise. the applications also need to be signed with the same signature if request to share the same UID. the ID or UID was assigned [16]. The Binder contains of a kernel-level driver and a user space server. Basic Android Permission Access Control Mechanism [19]    Normal Permissions only will grant all the permissions that request them. The application needs to request a specific UID. when execute the sensitive operation like accessing the device location. Signature or system Permissions are granted if the permissions that application request meet the criterion that need. This mechanism normally operates without visible by the application developers and users. This design is to ensure that the private information of the application will not be accessed by other applications. This permission does not request the user’s explicit approval and not considered give harmful to the user. Users will notified during installations what the permissions that application request for and receive. then they need to grant the permission. but it if an application does not intend to violate the restrictions imposed by the kernel [13]. when user accepted the permission. the permissions are hard to get. This way used to protect applications from access device resources. It is potentially harmful to the API calls [19]. It works by allowing binder objects to communicate with each other. Users may accept all the permission received if users tend to install the application. However. Figure 1. Permission model requires an application to request the permission that needs to access the resources and perform its activities before installing. sending and receiving broadcast Intents. 1) Sandboxing mechanism Every application runs on its own process with its own user and group ID create it a sandbox.

The Android permission model is a defective model [28].Discretionary access control (DAC) to restrict the use of system facilities by applications [13]. etc) [12]. users have to decide whether they want to allow the installation or deny it. Due to permission mechanism vulnerabilities. Android also supports third party applications which users can install and get through the Android Market. Permission-based mechanisms have some weaknesses. The permission model that discuss before is the core mechanism for securing access to many resources in Android [27]. malicious applications can take chances to make use of the SMS. An example of how Application communicates [23] Figure 3. the vulnerabilities still increasing.xml [24] Now. This model gives power to the user to make a decision. OEM/SOC specific vulnerabilities and application vulnerabilities [25]. It depends on user’s awareness. It is as improvement to overcome the shortcomings of DAC [13]. When users want to install the application. they can modify or delete the personal information or location information. users can get to install the application on Android using Android’s Play Store. In this study. it gives a chance for malware to access the confidential information on mobiles [28]. When user decides to install any third-party application either through Android Market on the web or phone. As an example. An example of AndroidManifest. Android uses permission-based model as a mechanism in order to protect user’s information and resources. There are reported that Android 4. address book and mobile phone information using this authority information. Not only that. there are still have confusion with the unclear permission displayed on screen. It is because the permission depends on developer and users do not have right to control any permissions of applications [5]. Security expert investigate that this threat gain access to modified the system APK and without make modification to orginal cryptographic key. MAC provides privileges that are limited for subjects(processes) and objects(device. Android makes an enhancement with replaces the access control by developing the SELinux as a Mandatory Access Control(MAC) mechanism for Linux. . As we know. MAC allows the applications privileges to be controlled during installation and runtime [12]. users do not have any power to control or modify the permission given. SELinux is fit for limiting the privileged Android system daemons to shield them from abuse and to limit the harm that should be possible through them. Android’s vulnerabilities . there are possibility of security threat occurs for those that do not have enough knowledge or interest in the concept of authority [29].4 KitKat have affected by the Master Key vulnerabilities [26]. file. Furthermore. C. When the authority information can only check during installation. then let alware obtain full access to Android OS and the overall installed applications [26]. This is a dangerous aspect where there are possibilities for the data and information get modify. According to Google report [25]. Figure 2. the permission will display to aware users about the permission that the application will access. The developer wrote the application and permission that require and developer might claim that their application needs to complete access to the setting of the phone and so on. Although there have been categorized into each of protection levels. This decision is mean that the user needs to grant or deny the entire permission list. which focus more on permission vulnerabilities of an application. then Android application permission will display [28]. there are four types of vulnerabilities recorded which are SSL vulnerabilities. Although user alert about the permission. Android vulnerabilities. we focus on application vulnerabilities. The interface will display a list of permission that application needs to receive. Android provides the “All or nothing “decision. In order to make a decision. It is also used to isolate applications from one another [13].

IOS do not use “All or nothing” permission to display the permissions like Android. It depends on user. A developer cannot request more than what have been set in order to ensure that there will no unauthorized access from unauthorized users. Apple will make a review first on the application before the application is available on Application store. Therefore. network hardware [32]. gives an opportunity for threat. There are no thirdparties involved in order to protect from the threat. Always trust to the system is not good because we do not know when and how the system will have the vulnerabilities and it can be deceiving. The application sandboxing has defined as a set of fine-grained controls. Fine-grained control means that the application is limited to only access to the file system. this will create a limitation on installing the application. This is when there two different applications that are sharing the same user ID. the need for security is proven. Thus. In iOS. then will be directed through to the malicious website. but iOS use ‘take it or leave it’ permission [33]. it is not enough to prevent from the malicious threat. Developers do not get the signature like the Android. users do not have authority to modify the application permission. Android gives a chance for users to get more application on their market and also from the third-parties. permission requests and sends to user a notification on a pop-up window [33]. However. Although permission help gives warning to users about the malicious application. Users cannot modify or make decision to choose which one of the permission they can denied or accept. Users are given a decision to allow certain basic permissions and users can manage the permission on setting section. There are some applications that freely to be downloaded. IOS do not have explicit permission interface. Android has designed the security model in order to prevent from other malicious attacks. The best thing is. Google’s Android and Apple’s iOS are some of the most ordinary and popular Mobile operating system. the application requests not possess standardized permission lists. users cannot install and run the application [34]. CONCLUSION Based on what have been discussed about the Android security model. However. Recent studies stated that the permission systems suffer the problem of the where developers requesting more unwanted permissions than what needed [30]. . whether or not to allow the application to install. Developer play the role to create and modify the code for permissions manifest file in order to grant or receive the activities needed by the application. the application needs to pass Apple’s check before can be stored in their market. Apple will make the vetting process in order to scan for the applications that detect to have threat. users click to the advertisement link. Figure 4 shown the permission delegation process. Permission delegation flow[31] IV. The sharing user ID causes each of the applications can easily to access to the both resources. Based on the comparison. Without the approval or signed from private encryption key. in iOS the applications cannot communicate directly with other applications. Although Android and iOS are on the same UNIX Kernel. Therefore. it more depend on users. While in Android. there are pro and cons in these two platforms. Users need to make a decision to grant or deny the all the permissions listed. There are some of the vulnerabilities arise from the concept of sharing the UID that discussed before. There are certain permission that need to get an approval from the users like current location. we can see that iOS more restrict in security. Android and iOS have different way in controlling the permissions. With this restriction. we are going to discuss about these two operating systems and make a comparison based on security aspects. In iOS. Permission redelegation happened when an application that has permissions is performing a privilege task on behalf of an application without that permission [30]. One of security mechanisms that Android designed is permission-based model.Using the third party technique. IOS look more secured when users allow accessing the system file in the root and also the setting phone not in each application [32]. but Apple itself will digitally sign the code for each application. the traditional drivedownload gives another space for vulnerabilities. Figure 4. however. As an example. there are differences in security permission that apply on this two operating system. Security models are needed in order to make the system have more protection and make user satisfied and have trust in the system. . Security becomes the main attribute in order to make system become stronger. Apple has been defined the application sandboxing for the iOS. The permission that is shown to users are limited. However. This freedom way. This website asking for accessing the location permission of the user’s phone and then will direct through to fake Android Market to download the applications. This threat is mainly important for web browsers. it looks like the iOs more better and secure. Research studies define that about 90% of submission of applications to Apple App Store are being denied or rejected because the applications do not fulfill the requirements of what needed to do [35]. The attack actually attracts the users to download “feature-rich” or “interesting” app that will lead users to the attack of malicious [27]. applications are like to have limited access to what they can do. IOS only gives users to install the applications only from their market. However. These two operating system gets high popularity. this gives effect to the applications. However.

ACM.. A. C. (2011).. October). Jung. org.. P. ACM [18] Ayed. Burange. Android Apps permissions model (in) security . 9(3). Studying Security Weaknesses of Android System..2010. Y. P. [10] Jeon. Based on review in this paper. N. pp. 1-25. NativeGuard: Protecting android applications from third-party native libraries. Sadeh. [30] Au. China. Lee. P. An Insight into the Security Issues and Their Solutions for Android Phones. (2009. Android Security –Big Challenge [12] Aron. S. D. R. P. Smartphone Apps. & Hanáček. ISSN 0963-9314 [2] Franklin Tchakounté. T. August). [22] Mis. [21] Burns. [16] Barrera. J. [33] Sheppard.. Huang.. [15] Bing. system. R.. Evaluating Smartphone Application Security: A Case Study on Android. T. X. & Tanaka. In Open Journal of Information Security and Applications. [31] Davide Danelon (2008). Wang. Jean Michel Nlong and Njei Check: Understanding of the Behaviour of Android Smartphone Users in Cameroon. F. 22-24 [6] Sanjeev Srivatsa. Black Hat. Oct. D. Android Security –Big Challenge [23] Alin Tomescu. W.. Misbah and Naveed. 217-228). [35] Tom Eston. Zhang.. & Othman. S.. [5] June-seung Na. X. IEEE. M.9-20. In Information Technology in Asia (CITA). In Intelligent Computation Technology and Automation (ICICTA). 6. 165-176). & Craig. J. A. J. Number 2.Prajakta S. & Choi. October). In Security and Privacy (SP). B| ushra (2013) Security quality model: an extension of Dromey’s model. Pscout: analyzing the android permission specification. Fukushima. & Wang. February). IEEE. 2013 8th International Conference on (pp. In Proceedings of the 2014 ACM conference on Security and privacy in wireless & mobile networks (pp.. S. W. B.Prajakta S. [28] Kelley. K. Android malware detection with contrasting permission patterns. S. Analysis and research of system security based on android. and Woo-guil Pak. 2014 IEEE Symposium on (pp. (2012.. Mayur S. "Mandatory Access Control for Android Application". 581-584). Understanding and improving app installation security mechanisms through empirical analysis of android.. (2014. Android 4. Comparison between android and iOS Operating System in terms of security. Nadarajah. “CISSP Certification All-in-One Exam Guide”. The OWASP Foundation [32] Ahmad.. 2014. In Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices (pp.. (2013. & Xing. 1-4).n. Hassan. Volume 1. Communications. 1-14. Nusaputra. 2014 [3] SANS Institute InfoSec Reading Room. IEEE. Naveed. (2014). G. Musa. Android vs Apple iOS Security Showdown . 87-92). Permissions and Privacy. (2014).. M. In Wireless and Mobile Communications. J.. January). A. 5. 2014. A practical analysis of smartphone security.. (2009).. 20-38). (2012). Asma and Malik. Z. 11(8).. 2013. Liu. 9. [13] Smalley. D. July). Paul Dayang. 409-423).. R.. CEUR-WS. H. 2009.. M. Android Security 2014 Year in Review [26] Pierluigi Paganini. IEEE. The peril of fragmentation: Security hazards in android device driver customizations. In Proceedings of the 2012 ACM conference on Computer and communications security (pp. D. Springer Berlin Heidelberg [29] Park. ISSN 0975-4172. J. M. G. (2015). Saad and Mehboob. [25] Google report (2014). May).. S. & van Oorschot. unpublished [24] Shin. [19] Xiong. [17] Sun. Mobile application security on Android. M. A literature Review on Android Permission System. W.. Cranor. STRATEGIES IN IMPROVING ANDROID SECURITY. Mayur S. In Financial Cryptography and Data Security (pp. 81-92). Introduction to Android 5 Security. 311-320).. Android security model. Burange. Kiyomoto. but there are certain limitations or weaknesses which block the users to do what they need in order to protect their resources. Clark. J. we think that the permission model has certain design flaw that need to be emphasized. Young-June Choi. Wang. ACM. 2011. pp. Android Security Issues [7] Gary McGraw (2006). Y. International Journal of Security & Its Applications. Y. In Proceedings of Student Research Forum Papers and Posters at (pp. [34] Khandelwal. P. Zhu. P. 310. & Wetherall. & Tan. Deshbhratar & Prof. E. (2013. Malicious Android Applications: Risks and Exploitation [4] Tse. N. Global Journals Inc. S. Y. Interacting with Information (pp. R. Springer Berlin Heidelberg. X.. Presenting Risks Introduced by Android Application Permissions in a User-friendly Way.. Y. & Gupta. N. N.. REFERENCES [1] Zafar. A conundrum of permissions: installing applications on an android smartphone. K.4 KitKat also affected by Master Key vulnerability [27] Ingale. pp. D.The security mechanism that provide by Android is good. D. M. W. & Won. ICWMC'09. L. Fifth International Conference on (pp. Lee. Security Enhanced (SE) Android: Bringing Flexible MAC to Android.. 68-79). K. Zhou. L. [20] Varga. E. Hu. Software Security: Building Security In. (2012. July). & Li. Younghoon Kim. (2014. 2012 Fifth International Conference on (pp. 103-112). (2015). McCarney. Addison-Wesley Professional [8] Shon Harris. ICTC 2014.. W. S.. In Human Interface and the Management of Information. Android needs to concern more on the permission model to help users and developers get to access the system based on their roles and prevent the unauthorized access.. C..d [9] Muneer Ahmad Dar & Javed Parvez (2013). K. (USA).. & Lie.. Consolvo.. In NDSS (Vol. Niu. 3rd edition. Deshbhratar & Prof. Kim. [14] Zhou. & Mohapatra. Towards formal analysis of the permission-based security model for android. X. [11] Mis. & Muska... SECURITY IN ANDROID BASED SMARTPHONE.. F. (2012. B.. Software Quality Journal. Y. 2014. G.