vironmental features such as type safety [38]. At the ap-
plication level, each software package is sandboxed by
the kernel, making Android a widely deployed system
that employs privilege separation as a matter of course.
This sandboxing is intended to prevent many types of in-
formation disclosure such as one application accessing
sensitive information stored on the system or in the pri-
vate space of another application, performing unautho-
rized network communication, or accessing other hard-
ware features such as the camera or GPS. Applications
instead request access to system resources via special ap-
plication level permissions, such as READ
SMS, which
must be granted by the user.
Android’s permission model requires each applica-
tion to explicitly request the right to access protected
resources. The permission model is intended to prevent
the unwarranted intrusion by an application on the user’s
data and the data of other applications, as well as limit
access to features that directly or indirectly cause finan-
cial harm (e.g. a mobile phone plan that charges for each
SMS message). Before installing an application, the user
is presented with a list of all
1
the permissions requested
by that application which they must accept before instal-
lation begins. Not only is the permission set so confus-
ing that it is difficult for users to read and understand, but
it is also a binary decision where the user must accept all
requested permissions or not install the application [38].
The semantics of these application level permissions
may be difficult for most users to understand [21, 40],
but this understanding is further complicated with im-
plementation details and design choices. For exam-
ple, a method of inter-process communication employed
by Android known as Intents can be broadcast to sev-
eral software handlers existing in multiple applications.
Each application has the option of registering a handler
for an Intent, and for some Intents, an associated prior-
ity. When pondering permissions at install time, a user
has no way of knowing what priorities are assigned to
a given handler or what effects installation will have in
conjunction with already installed applications when a
particular event occurs.
Applications are made available to users through an
unmoderated venue, the Android Market. Any entity
can create an Android Market account for a modest fee,
and immediately make software available to the pub-
lic. While mobile applications on Android must be
signed, they are typically self-signed without employ-
ing any kind of central authority or any means for a user
to validate the authenticity of a certificate. This open
policy can actually make the market a means for propa-
gating malware [34]. Attackers can easily publish mali-
cious applications to a venue with over 4 billion down-
1
We show later that this list is not necessarily comprehensive
loads [4], needing only an appealing facade to convince
users to install the malicious code.
The open nature of the Android market requires
a management model that facilitates reactive malware
management after applications have been installed.
The malware issue is currently addressed with remote
[un]install capabilities maintained by Google via the
Google Talk and Google Services software present on
every Android device. Following the identification of
malicious applications, possibly through Android users
rating an application negatively, Google may remove ap-
plications from the market and remotely kill and unin-
stall the applications from devices known to have down-
loaded the application [34]. Interestingly, while Android
is largely considered to be open-source, the sources for
software such as Google Talk, Google Services, the An-
droid market app (Vendor.apk), and carrier-specific up-
date software are not readily available. In this model the
user only maintains control of applications found in the
restricted user space, and even this can be over-ridden
via remote uninstall.
3 Android Security Model Analysis
Even with the inclusion of security as part of the original
design, the new security features create new opportuni-
ties for attack, and the growth of the platform provides
incentive. In this section we discuss several features of
the Android model that may make it vulnerable to attack.
Application model. Unprivileged application attacks
can take advantage of the complexity of the Android per-
mission model and the Android market to persuade users
to install malicious software and grant applications the
permissions required to deliver a harmful payload. Ap-
plications advertised in the Market must be signed by the
author, but the user has no means of verifying that a sig-
nature is associated with any particular entity [27]. Even
users that carefully monitor permission requests may not
fully understand the semantics of a particular permis-
sion or the framework behavior surrounding a permis-
sion. Many common users may simply not understand
the security trade-offs that surround permissions like
ACCESS
SURFACE FLINGER or BIND APPWIDGET.
Other permissions, such as SEND SMS are more likely
to be recognized by users, and yet the framework imple-
mentations may cause undesired behavior. For example,
the receipt of an SMS on a device causes an Android
ordered-broadcast to be sent system wide. Applications
can register the ability to take action when the broad-
cast is observed by the application and can assign them-
selves a priority over the broadcast. Thus, an applica-
tion that registers a higher priority will receive and have
the ability to act upon this broadcast before any other