A Review of Android Security System
Keywords- Android, Permissions, Shared User ID, Security, Data Theft, Spyware, IOS, Windows.
© 2019 IJSRET
615
International Journal of Scientific Research & Engineering Trends
Volume 5, Issue 2, Mar-Apr-2019, ISSN (Online): 2395-566X
... requiring limited security mechanisms from IT companies and technology infrastructures, while applying new levels of security in order to safeguard the user's data. Meanwhile, existing security technologies could be embedded within the mobile platform architecture, such as "firewalls, authentication servers, biometrics, cryptography, and Virtual Private Networks" [8].

In Android, other than the Google Play Store, it is possible to install applications from unknown sources, whereas in iOS apps can only be installed from the App Store. This is one of the major security weaknesses of Android. Owing to the various security weaknesses in Android, attackers already regard the smartphone as a target for stealing personal information using various kinds of malware. In 2013, Mohd Shahdi Ahmad et al. [3] presented an analysis of Android and iOS with respect to security and declared iOS more secure than Android. In 2014, A. Kaur et al. [4] showed that it is possible to revoke granted permissions from an Android application.

The rest of the paper is organized as follows. Section II describes various security attacks on Android, such as the permission escalation attack, the confused deputy attack, the direct collision attack, the indirect collision attack and the TOCTOU (Time of Check and Time of Use) attack. Section III describes the different types of Android app permissions, over-claiming of app permissions, misuse of app permissions using the shared user ID, and the failure of two-factor authentication on Android-based smartphones due to spyware. Section IV presents a comparison of security between Android and iOS. Section V presents the proposed method to avoid misuse of app permissions and concludes the paper. Table 1 provides an overview of global smartphone platform sales to end-users in March 2018.

Table 1 Market Share Analysis [18]

... taking the second place since 2015, while the other OSs are simply following. It is worth mentioning that OSs like Windows Phone and Blackberry lost market share considerably from 2015 to 2018.

II. SECURITY ATTACKS IN ANDROID

1. Permission Escalation Attack - It allows a malicious application to collaborate with other applications so as to access critical resources without explicitly requesting the corresponding permissions [5][6].

2. Collision Attack - Android supports the shared user ID [5][7]. It is a technique wherein two or more applications share the same user ID so that they can access the permissions granted to each other. For example, if application A has the permissions read_contacts and read_phone_status, application B has the permissions read_messages and location_access, and both applications use the same sharedUserId, then application A can use the permissions granted to itself as well as those granted to B; similarly, application B can use the permissions granted to itself as well as those granted to A.

Every Android application has a unique ID, which is its package name. Android supports the shared user ID, which is an attribute in the AndroidManifest.xml file. If this attribute is assigned the same value in two or more applications, and the same certificate signs these applications, they can access the permissions granted to each other. Collision attacks are classified into direct and indirect collision attacks. In a direct collision attack the applications communicate directly; in an indirect collision attack they communicate via a third-party application or component.

3. Time of Check and Time of Use Attack - The main reason for the TOCTOU attack is naming collision. No naming rule or constraint is applied to a new permission declaration. Moreover, permissions in Android are represented as strings, and any two permissions with the same name string are treated as equivalent even if they belong to separate applications.
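Both of the mechanisms just described, the shared user ID that merges the permissions of separately installed apps and the name-string comparison behind the TOCTOU attack, can be checked statically from manifests. The script below is an added example written for this review; it is not code from the paper, nor from Android. The three manifests and the signer fingerprints are constructed samples that mirror the paper's apps A and B (read_contacts/read_phone_status and read_messages/location_access map to the real permission names READ_CONTACTS, READ_PHONE_STATE, READ_SMS and ACCESS_FINE_LOCATION), plus a third app C that reuses the same sharedUserId under a different signing certificate and therefore, per the paper's condition, does not join the group. Because the manifest does not carry the signing certificate, the `signer` field is assumed to come from a separate APK signature check.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Namespaced key ElementTree uses for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifests (not from any real app).  A and B share a
# user ID and a signing key; C reuses the same sharedUserId value but is
# signed by a different key, so Android will not put it in the same UID.
MANIFEST_A = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.a" android:sharedUserId="com.example.shared">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <permission android:name="com.example.perm.EXPORT" android:protectionLevel="signature"/>
</manifest>"""

MANIFEST_B = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.b" android:sharedUserId="com.example.shared">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

MANIFEST_C = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.c" android:sharedUserId="com.example.shared">
  <uses-permission android:name="android.permission.CAMERA"/>
  <permission android:name="com.example.perm.EXPORT" android:protectionLevel="normal"/>
</manifest>"""


def parse_manifest(xml_text):
    """Pull out the package name, sharedUserId, requested permissions and
    custom permission declarations from an AndroidManifest.xml document."""
    root = ET.fromstring(xml_text)
    declared = {}
    for perm in root.findall("permission"):
        declared[perm.get(android_attr("name"))] = perm.get(
            android_attr("protectionLevel"), "normal")  # Android's default level
    return {
        "package": root.get("package"),
        "shared_user_id": root.get(android_attr("sharedUserId")),
        "uses": {p.get(android_attr("name")) for p in root.findall("uses-permission")},
        "declares": declared,
    }


# The signing certificate is not in the manifest; the fingerprints below are
# constructed stand-ins for what an APK signature check would report.
APPS = [
    {"manifest": parse_manifest(MANIFEST_A), "signer": "sha256:AAAA (constructed)"},
    {"manifest": parse_manifest(MANIFEST_B), "signer": "sha256:AAAA (constructed)"},
    {"manifest": parse_manifest(MANIFEST_C), "signer": "sha256:CCCC (constructed)"},
]


def effective_permissions(apps):
    """Permissions each package can exercise.  Apps with the same
    sharedUserId and the same signer run under one UID, so each of them can
    use the union of everything granted to the group."""
    groups = defaultdict(list)
    for app in apps:
        m = app["manifest"]
        if m["shared_user_id"]:
            key = ("shared", m["shared_user_id"], app["signer"])
        else:
            key = ("private", m["package"])
        groups[key].append(m)
    effective = {}
    for members in groups.values():
        union = set().union(*(m["uses"] for m in members))
        for m in members:
            effective[m["package"]] = union
    return effective


def shared_uid_report(apps):
    """Packages that gain permissions they never requested themselves."""
    effective = effective_permissions(apps)
    report = {}
    for app in apps:
        pkg = app["manifest"]["package"]
        gained = effective[pkg] - app["manifest"]["uses"]
        if gained:
            report[pkg] = sorted(gained)
    return report


def permission_name_collisions(apps):
    """Custom permission names declared by more than one package.  Android
    identifies a permission by its name string alone, so these declarations
    refer to one and the same permission even though the protection levels
    differ (the naming collision behind the TOCTOU attack)."""
    owners = defaultdict(list)
    for app in apps:
        m = app["manifest"]
        for name, level in m["declares"].items():
            owners[name].append((m["package"], level))
    return {name: o for name, o in owners.items() if len(o) > 1}


if __name__ == "__main__":
    for pkg, gained in shared_uid_report(APPS).items():
        print("%s gains via shared UID: %s" % (pkg, ", ".join(gained)))
    for name, o in permission_name_collisions(APPS).items():
        print("permission name %s declared by %s" % (name, o))
```

Run as a script, the report shows A gaining READ_SMS and ACCESS_FINE_LOCATION from B, B gaining READ_CONTACTS and READ_PHONE_STATE from A, C gaining nothing despite the identical sharedUserId, and the custom permission com.example.perm.EXPORT declared twice with different protection levels. Grouping on the signer as well as the sharedUserId is what keeps the check faithful to the paper's condition that the same certificate must sign both apps.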
2. Dangerous Permissions - Dangerous permissions can access critical resources of the mobile device and can give the app access to the user's confidential data. If an app lists a normal permission in its manifest, the system grants the permission automatically. If an app lists a dangerous permission, the user has to explicitly give approval for the app before installation can succeed. Examples:
Contacts: Read_Contacts, Write_Contacts, Get_Accounts
Location: Access_Fine_Location, Access_Coarse_Location
Sms: Send_Sms, Receive_Sms, Read_Sms

5. Misuse of App Permissions and Failure of Two-Factor Authentication - Misuse of various app permissions makes various security threats possible. Among these, Android applications can read and send messages. SMS is a common and basic functionality of traditional mobile phones and smartphones, and all confidential information used in two-factor authentication is sent as a text message. For example, various banks, online websites, etc., use two-factor authentication. The main objective of two-factor authentication is to increase security and integrity for the users and to avoid various security attacks on the traditional username-and-password approach. But even this method fails if malware is installed on the smartphone or because of apps that over-claim permissions. If the hacker obtains the username and
password of the user using various hacking techniques, the first level of authentication is compromised, and the OTP (One Time Password) is then sent to the user. If such an application or malware is installed on the smartphone, it can read the messages and send the information to the hacker without the user's knowledge. So, even two-factor authentication fails.

IV. COMPARISON OF ANDROID AND IOS

1. Application Downloads - Android applications can be downloaded from the Google Play Store and from unknown sources. Android uses crowdsourcing [12], based on user comments and app ratings: if enough users complain about an app, it is removed and deactivated remotely. iOS applications can be downloaded only from the App Store; it is not possible to download and install iOS applications from anywhere else. All applications available for iOS have been checked for various security issues in their source code, and only after verification do they become available in the App Store.

2. Signing Technology - Self-signing [13] is used in Android. The Android release system requires that all applications installed on user devices are digitally signed with certificates whose private keys are held by the developer of the application. The certificates allow the Android system to identify the author of an application and to establish trust relationships between developers and their applications. The certificates are not used to control which applications the user can and cannot install. Code signing [14][15] is used in iOS. It assures users that the app comes from a known source and has not been modified since it was last signed. Before publishing an app, the developer has to submit it to Apple Inc. for approval; Apple signs the app after checking the code for malicious content. Once an app is signed, any changes to it can be easily tracked.

3. Inter-process Communication - Android supports inter-process communication among its applications [15][16]. Apple iOS does not support inter-process communication among its applications.

4. Open Source and Closed Source - Android is open source. Under this principle, open-source software means that the source code is made universally available. The idea is to open the product to the general public, creating mass collaboration that results in the software being continually updated, fixed, improved and extended. Apple's iOS is closed source. With closed-source software, the source code is closely guarded, usually because it is regarded as a trade secret that creates scarcity and keeps the organization competitive. Such programs carry restrictions against changing the software or using it in ways not intended by the original makers.

5. Memory Randomization - It is a technique wherein the information about the application is stored on the disk at a randomly generated address. This reduces security threats, since malicious code and an attacker need to find the exact location where the information is stored. This technique is used by both iOS and Android.

6. Storage - Application data is stored either in internal storage or in external storage. In Android, information can be stored in both built-in and external storage. iOS does not support external storage; it has only internal storage, which reduces various security threats and gives faster processing.

V. CONCLUSION

Android is the most widely used mobile operating system. Improving the security of the Android OS is very important to safeguard the user's privacy and confidential information. In this study, it was shown how to avoid misusing app permissions.

REFERENCES

[1] "Number of Google Play Store apps 2016 | statistic," Statista, 2014. [Online]. Available: http://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store.
[2] "Smartphone users worldwide 2014-2020 | statistic," Statista, 2016. [Online]. Available: https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide.
[3] M. S. Ahmad, N. E. Musa, R. Nadarajah, R. Hassan, and N. E. Othman, "Comparison between Android and iOS operating system in terms of security," 2013 8th International Conference on Information Technology in Asia (CITA), Jul. 2013.
[4] A. Kaur and D. Upadhyay, "PeMo: Modifying application's permissions and preventing information stealing on smartphones," 2014 5th International Conference - Confluence The Next Generation Information Technology Summit (Confluence), Sep. 2014.
[5] Z. Fang, W. Han, and Y. Li, "Permission based Android security: Issues and countermeasures," Computers & Security, vol. 43, pp. 205–218, Jun. 2014.
[6] Y. Zhou and X. Jiang, "Dissecting Android malware: Characterization and evolution," Proc. IEEE Symp. Secur. Priv., no. 4, pp. 95–109, 2012.
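As a second added example for the Section III material (again not code from the paper), the script below models the install-time grant rule the paper describes, normal permissions granted automatically and dangerous ones only after explicit user approval, using the three dangerous groups the paper lists, and then applies it to the two-factor scenario of Section III.5: every installed app that holds a permission to read or receive SMS can see the OTP text messages, whether it is a legitimate messaging app or one that over-claims. The apps, their "needed" permission sets and the user's approval decisions are constructed for the illustration; INTERNET is used as a representative normal permission.

```python
# Dangerous permission groups as listed in Section III of the paper; the
# user must approve a group before an app requesting it can be installed.
DANGEROUS_GROUPS = {
    "Contacts": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "Location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "SMS": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS"},
}
# Holding either of these lets an app see incoming OTP text messages.
OTP_READERS = {"RECEIVE_SMS", "READ_SMS"}

# Constructed sample apps: what each requests in its manifest and what its
# functionality actually needs.  The flashlight over-claims SMS access.
APPS = {
    "messenger": {"requested": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "READ_CONTACTS"},
                  "needed": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "READ_CONTACTS"}},
    "flashlight": {"requested": {"INTERNET", "RECEIVE_SMS", "READ_SMS"},
                   "needed": {"INTERNET"}},
    "maps": {"requested": {"INTERNET", "ACCESS_FINE_LOCATION"},
             "needed": {"INTERNET", "ACCESS_FINE_LOCATION"}},
}


def group_of(permission):
    """Dangerous group of a permission, or None for a normal permission."""
    for group, members in DANGEROUS_GROUPS.items():
        if permission in members:
            return group
    return None


def groups_requested(requested):
    """Dangerous groups an app's manifest touches (what the user is asked about)."""
    return {group_of(p) for p in requested} - {None}


def install(requested, approved_groups):
    """Install-time rule from Section III: normal permissions are granted
    automatically; a dangerous one is granted only if the user approved its
    group, and without approval the installation does not succeed (None)."""
    granted = set()
    for permission in requested:
        group = group_of(permission)
        if group is not None and group not in approved_groups:
            return None
        granted.add(permission)
    return granted


def over_claimed(app):
    """Permissions requested beyond what the app's functionality needs."""
    return sorted(app["requested"] - app["needed"])


def otp_exposure(installed):
    """Installed apps that can read OTP text messages, i.e. every app the
    user has to trust for SMS-based two-factor authentication to hold."""
    return sorted(name for name, granted in installed.items()
                  if granted and granted & OTP_READERS)


def triage(apps, approvals):
    """Apply the install rule per app with the user's approval decisions
    ('approvals' maps an app name to the dangerous groups approved for it)
    and summarize over-claiming and OTP exposure."""
    installed = {name: install(app["requested"], approvals.get(name, set()))
                 for name, app in apps.items()}
    return {
        "installed": installed,
        "over_claimed": {name: over_claimed(app) for name, app in apps.items()
                         if over_claimed(app)},
        "otp_readers": otp_exposure(installed),
    }


if __name__ == "__main__":
    # The common case: the user approves everything each app asks for.
    approve_all = {name: groups_requested(app["requested"]) for name, app in APPS.items()}
    report = triage(APPS, approve_all)
    print("over-claimed permissions:", report["over_claimed"])
    print("apps able to read OTP messages:", report["otp_readers"])
    # Declining the SMS group for the flashlight blocks its installation
    # and takes it out of the set of apps that can read OTP messages.
    careful = dict(approve_all, flashlight=set())
    print("after declining SMS for the flashlight:", triage(APPS, careful)["otp_readers"])
```

With every request approved, the flashlight app is reported as over-claiming READ_SMS and RECEIVE_SMS and joins the messenger in the list of apps able to read OTP messages; declining its SMS group at install time leaves only the messenger there. The `needed` sets are the part a reviewer has to supply by hand, since a manifest says what an app asks for, not what it requires.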