App users need protecting from aggregation of permissions

To help speed up code writing, many app developers use common libraries, but this can result in such libraries getting access to significant privileges on a device. DPhil student Vincent Taylor describes the problem and his research in the area.

Smartphones have rapidly become a leading part of our daily lives. Smartphone usage is fuelled predominantly by apps, small pieces of software ready to be downloaded from app stores at the touch of a button. Android is the most popular smartphone operating system, with an official app store (Google Play) containing over two million apps.

Each Android app is delivered as a single archive, which contains all app code and resources needed for the app to function. Just as on traditional computers, third-party libraries are available for app developers to use to rapidly deploy advanced functionality to their apps. Common libraries include those for advertising, analytics, and social networking.

The libraries used in Android apps are tightly integrated into the binary code of the app itself, and the Android operating system treats an app and its embedded libraries as a single entity. An undesirable consequence of this is that embedded libraries obtain the same permissions that have been granted to their host app. This means that granting permissions to apps often grants permissions to other third parties as well.

While this permission leakage from apps to libraries is well understood by Android security and privacy researchers, a far more insidious problem has been left unaddressed. Popular libraries are likely to be used in more than one app on a device. The problem stems from the fact that apps typically have different sets of permissions granted to them. This means that an instance of a library in one app may have several permissions, and another instance of the same library in another app on the same device may have several different permissions. Thus, if the library were to aggregate its permissions, it would achieve significantly more privileges on a device than it would seem at first glance. This is the problem of ‘intra-library collusion’.
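The aggregation described above can be checked mechanically from an inventory of what is installed on a device. The following is an added example, not code from the article or from the authors' study: it assumes a simple per-device inventory (for each app, its granted permissions and the third-party libraries it embeds; app, library and permission names here are constructed), maps each library to the permission sets of its host apps, and reports every library that would gain permissions by pooling them across hosts, compared with the single best-provisioned host.

```python
"""Intra-library collusion check over a constructed per-device inventory.

Added example (not from the article or the study it describes). Assumes a
simple inventory format: for each installed app, the set of permissions
granted to it and the third-party libraries embedded in it. All app,
library and permission names below are hypothetical.
"""
from collections import defaultdict

# Constructed sample inventory for one device (hypothetical apps, libraries
# and permissions; not data from the study).
DEVICE_INVENTORY = {
    "com.example.weather": {
        "permissions": {"ACCESS_FINE_LOCATION", "INTERNET"},
        "libraries": {"adlib", "analytics"},
    },
    "com.example.messenger": {
        "permissions": {"READ_CONTACTS", "READ_SMS", "INTERNET"},
        "libraries": {"adlib"},
    },
    "com.example.game": {
        "permissions": {"INTERNET"},
        "libraries": {"adlib", "socialkit"},
    },
    "com.example.notes": {
        "permissions": {"CAMERA"},
        "libraries": {"analytics"},
    },
}


def library_permission_views(inventory):
    """Map each library to {host_app: permissions} for every app embedding it.

    Android treats an app and its embedded libraries as one entity, so each
    library instance inherits exactly its host app's granted permissions.
    """
    views = defaultdict(dict)
    for app, info in inventory.items():
        for lib in info["libraries"]:
            views[lib][app] = frozenset(info["permissions"])
    return dict(views)


def collusion_report(inventory):
    """For each library embedded in two or more apps, compute the permission
    set reachable by aggregating across its hosts and the gain over the
    single best-provisioned host.

    Returns {library: {"hosts", "aggregate", "max_single", "gain"}} for
    libraries whose aggregate strictly exceeds what any one host grants.
    """
    report = {}
    for lib, hosts in library_permission_views(inventory).items():
        if len(hosts) < 2:
            continue  # a lone instance has nothing to aggregate with
        aggregate = set().union(*hosts.values())
        max_single = set(max(hosts.values(), key=len))
        gain = aggregate - max_single
        if gain:
            report[lib] = {
                "hosts": len(hosts),
                "aggregate": aggregate,
                "max_single": max_single,
                "gain": gain,
            }
    return report


def device_susceptible(inventory):
    """Susceptibility criterion used here (an assumption): at least one
    library on the device gains permissions through aggregation."""
    return bool(collusion_report(inventory))


if __name__ == "__main__":
    for lib, entry in sorted(collusion_report(DEVICE_INVENTORY).items()):
        print(f"{lib}: {entry['hosts']} hosts, "
              f"aggregate={sorted(entry['aggregate'])}, "
              f"gain over best single host={sorted(entry['gain'])}")
    print("device susceptible:", device_susceptible(DEVICE_INVENTORY))
```

On the constructed inventory, `adlib` is embedded in three apps and reaches location, contacts and SMS together even though no single host grants all three, and `analytics` picks up camera access from one host and location from another. Running `device_susceptible` over a fleet of such inventories gives the fraction of devices exposed, which is the kind of population-level figure the study reports.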

Professor Ivan Martinovic and I from Oxford (with data and insights from Alastair Beresford of Cambridge University) studied the potential for intra-library collusion in the real world using data from 30,000 actual smartphones. Over 57% of devices were susceptible to intra-library collusion. By performing a historical study, we showed that the risks from intra-library collusion have increased significantly over the past two-and-a-half years.

Having investigated the problem, we are now working on mitigations for it as part of my DPhil research. The next steps are to extract URLs and network traffic from libraries to see what private data is being sent, and to where. This work fits within the security research theme of the department, which has the aim of enabling users to use technology with confidence that their privacy will not be breached.

This article first appeared in the Winter 2017 issue of Inspired Research.