
Technical Report

Abstract or Description

This paper has three goals: to improve our understanding of enforcing security policies via Android-style permissions; to identify properties of, and flaws in, the permission system implemented in Android; and to suggest alternative designs that could lead to more usable and effective permission systems. The vehicle for reaching these goals is a formal model that generalizes Android-style permissions. Because the model is more general than Android's own permission system, it facilitates a discussion of the design space of Android-style permission systems and makes it possible to formally state properties that one may desire of such systems. Instantiating the model with the design choices made in Android shows that Android's permission system exhibits some of these properties but lacks others. We then describe an alternative instantiation of the permission model that allows more of the desired properties to be satisfied. This instantiation better supports dynamic delegation of permissions and the effects of events such as application install and uninstall, and offers coarse-grained protection against privilege-escalation attacks and undesired information flows. We implemented a subset of these features on Android 2.3.4 and tested them on a Nexus S phone.