
Risks behind Device Information Permissions in Android OS

DOI: 10.4236/cn.2017.94016, PP. 219-234

Keywords: Android, Security, Privacy, Device Identifiers, Permissions


Abstract:

In the age of smartphones, people do most of their daily work on their smartphones, owing to significant improvements in smartphone technology. Among platforms such as Windows, iOS, Android, and Blackberry, Android has captured the highest percentage of total market share [1]. This tremendous growth encourages cybercriminals to penetrate various mobile marketplaces with malicious applications. Most of these applications require device information permissions, aiming to collect sensitive data without the user’s consent. This paper investigates each element of system information permissions and illustrates how cybercriminals can harm users’ privacy. It presents some attack scenarios using the READ_PHONE_STATE permission and the risks behind it. In addition, this paper refers to possible attacks that can be performed when additional permissions are combined with the READ_PHONE_STATE permission. It also discusses a proposed solution to defeat these types of attacks.

References

[1]  Gartner (2017) Worldwide Smartphone Sales to End Users by Operating System.
http://www.gartner.com/newsroom/id/3725117
[2]  Oberheide, J. and Miller, C. (2012) Dissecting the Android Bouncer.
[3]  MegaNet Corporation (2016) VME Undetectable Cell Phone Interceptors.
http://www.meganet.com/meganet-products-cellphoneinterceptors.html
[4]  AllAreaCodes.com (2016) About All Area Codes.
http://www.allareacodes.com/
[5]  Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P. and Sheth, A.N. (2014) TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. ACM Transactions on Computer Systems (TOCS), 32, 5.
https://doi.org/10.1145/2619091
[6]  Google Play Help (2016) Review App Permissions Thru Android 5.9.
https://support.google.com/googleplay/answer/6014972?hl=en
[7]  Dot, N. (2015) The Importance of Data (Part I).
http://www.hackmageddon.com/2015/06/18/the-importance-of-data-part-i
[8]  University of Virginia (2014) UNIX/Linux UID and File Ownership over NFS.
http://its.virginia.edu/unixsys/sec/nfs-uids.html
[9]  Android Developers (2016) System Permissions.
https://developer.android.com/guide/topics/permissions/index.html
[10]  Facebook (2016) Confirm Your Identity with an ID.
https://m.facebook.com/help/contact/183000765122339
[11]  Rashidi, B. and Fung, C. (2015) A Survey of Android Security Threats and Defenses. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 6.
[12]  Batyuk, L., Herpich, M., Camtepe, S.A., Raddatz, K., Schmidt, A.D. and Albayrak, S. (2011) Using Static Analysis for Automatic Assessment and Mitigation of Unwanted and Malicious Activities within Android Applications. 2011 6th International Conference on Malicious and Unwanted Software (MALWARE), Fajardo, Puerto Rico, 18-19 October 2011, 66-72.
https://doi.org/10.1109/MALWARE.2011.6112328
[13]  Sufatrio, Tan, D.J.J., Chua, T.-W. and Thing, V.L.L. (2015) Securing Android: A Survey, Taxonomy, and Challenges. ACM Computing Surveys, 47, Article No. 58.
[14]  Android Developers (2016) TelephonyManager.
https://developer.android.com/reference/android/telephony/TelephonyManager.html
[15]  Deep End Research (2016) Malware Dataset.
https://www.dropbox.com/sh/fwmhcw37o0u7f6p/AADADt2XkojibPzLBBxaQbbqa?dl=0
[16]  Android Developers (2016) SmsManager.
https://developer.android.com/reference/android/telephony/SmsManager.html
[17]  Heartbleed (2016) The Heartbleed Bug.
http://heartbleed.com
[18]  Gibler, C., Crussell, J., Erickson, J. and Chen, H. (2012) Android Leaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. In: International Conference on Trust and Trustworthy Computing, Springer, Berlin, 291-307.
https://doi.org/10.1007/978-3-642-30921-2_17
[19]  Paolo, P. (2015) April 2015 Cyber Attacks Statistics.
http://www.hackmageddon.com/2016/01/11/2015-cyber-attacks-statistics
[20]  Paolo, P. (2016) April 2016 Cyber Attacks Statistics.
http://www.hackmageddon.com/2016/06/01/april-2016-cyber-attacks-statistics/
[21]  Grzonkowski, S., Mosquera, A., Aouad, L. and Morss, D. (2014) Smartphone Security: An Overview of Emerging Threats. Electronics Magazine, 3, 40-44.
https://doi.org/10.1109/MCE.2014.2340211
[22]  Steve, K. (2016) The Data Brokers: Selling Your Personal Information.
https://www.cbsnews.com/news/data-brokers-selling-personal-information-60-minutes/
[23]  Enck, W., Octeau, D., McDaniel, P. and Chaudhuri, S. (2011) A Study of Android Application Security. 20th USENIX Security Symposium, 10-12 August 2011, San Francisco, CA.
[24]  Boksasp, T. and Utnes, E. (2012) Android Apps and Permissions: Security and Privacy Risks. Norwegian University of Science and Technology, Trondheim.
[25]  Shay, R., Ion, I., Reeder, R.W. and Consolvo, S. (2014) “My Religious Aunt Asked Why I Was Trying to Sell Her Viagra”: Experiences with Account Hijacking. In: Proceedings of the 32nd Annual ACM Conference on Human Factors in Computing Systems, ACM, New York, 2657-2666.
[26]  Faruki, P., Bharmal, A., Laxmi, V., Ganmoor, V., Gaur, M.S., Conti, M. and Rajarajan, M. (2015) Android Security: A Survey of Issues, Malware Penetration, and Defenses. IEEE Communications Surveys & Tutorials, 17, 998-1022.
[27]  Faruki, P., Bharmal, A., Laxmi, V., Ganmoor, V., Gaur, M.S., Conti, M. and Rajarajan, M. (2015) Android Security: A Survey of Issues, Malware Penetration, and Defenses. IEEE Communications Surveys & Tutorials, 17, 998-1022.
https://doi.org/10.1109/COMST.2014.2386139
[28]  Joseph, O. (2015) IMSI Catchers and Mobile Security.
[29]  Boodman, E. (2016) Health Apps Aren’t Just Collecting Your Info. They May Be Selling It, Too.
https://www.statnews.com/2016/03/08/health-apps-sell-medical-data/
[30]  Augustine, F. (2016) Mobile Phishing Social Media Phishing and Other Attacks.
http://www.slideshare.net/augustinefou/mobile-phishing-social-media-phishing/-and-other-attacks
[31]  EPSILON (2016) EPSILON.
http://www.epsilon.com/
[32]  Shebaro, B., Oluwatimi, O., Midi, D. and Bertino, E. (2014) Identidroid: Android Can Finally Wear Its Anonymous Suit.
[33]  Elenkov, N. (2014) Android Security Internals: An In-Depth Guide to Android’s Security Architecture. William Pollock, San Francisco, CA.
[34]  Ryan, G. (2012) Criminals May Be using Covert Mobile Phone Surveillance Tech for Extortion.
http://www.slate.com/blogs/future_tense/2012/08/22/imsi_catchers_criminals_law_enforcement_using_high_tech_portable_devices_to_intercept_communications_.html
