1. Android Permission System
Presenter: Yishu Gu, Jackie Wu and Zhengyang Qu

2. Outlines Review and introduction of .apk file AndroidManifest.xml file
Permissions
Methods to minimize requested permission
Related research topic

3. Android .apk file APK file of facebook android application
com.facebook.katana_085912
Androidmainifest.xml
Classes.dex
META-INF 3

4. Android application Androidmanifest.xml
describes the functionality and permission declaration of an app
Classes.dex
Java source complied into .dex byte-code file
META-INF
Signature information
Resources.arsc
Containing precompiled resources such as binary XML
Application can start each other based on Components and Intent

5. Review：App Component Activity Service Content provider
Single screen
Work together to for a cohesive user experience
Service
Run in background
Provides a “service” interface between applications
Content provider
Manage shared app data
Other apps can query/modify data if allowed
Broadcast receiver
Respond to system-wide broadcast announcements
Apps can initiate broadcast announcements
Review the different component types and see the permission use in their tags
App components are the essential building blocks of an Android app. Each component is a different point through which the system can enter your app. Not all components are actual entry points for the user and some depend on each other, but each one exists as its own entity and plays a specific role—each one is a unique building block that helps define your app's overall behavior.
There are four different types of app components. Each type serves a distinct purpose and has a distinct lifecycle that defines how the component is created and destroyed.
Here are the four types of app components:
For example, an app might have one activity that shows a list of new s, another activity to compose an , and another activity for reading s. Although the activities work together to form a cohesive user experience in the app, each one is independent of the others. As such, a different app can start any one of these activities (if the app allows it). For example, a camera app can start the activity in the app that composes new mail, in order for the user to share a picture.
Service
A service is a component that runs in the background to perform long-running operations or to perform work for remote processes.(Downloading a file, playing music, tracking location, etc.) A service does not provide a user interface. For example, a service might play music in the background while the user is in a different app, or it might fetch data over the network without blocking user interaction with an activity. Another component, such as an activity, can start the service and let it run or bind to it in order to interact with it.
Core functionality often implemented as Service components
eg. Location API, Alarm service
Content provider
A content provider manages a shared set of app data. You can store the data in the file system, an SQLite database, on the web, or any other persistent storage location your app can access. Through the content provider, other apps can query or even modify the data (if the content provider allows it). For example, the Android system provides a content provider that manages the user's contact information. As such, any app with the proper permissions can query part of the content provider to read and write information about a particular person.
Content providers are also useful for reading and writing data that is private to your app and not shared. For example, the 
Note Pad sample app uses a content provider to save notes.
Broadcast provider
A broadcast receiver is a component that responds to system-wide broadcast announcements. Many broadcasts originate from the system—for example, a broadcast announcing that the screen has turned off, the battery is low, or a picture was captured. Apps can also initiate broadcasts—for example, to let other apps know that some data has been downloaded to the device and is available for them to use. Although broadcast receivers don't display a user interface, they may create a status bar notification to alert the user when a broadcast event occurs. More commonly, though, a broadcast receiver is just a "gateway" to other components and is intended to do a very minimal amount of work. For instance, it might initiate a service to perform some work based on the event.

6. Quiz: App Components Match the component to what it does: 1 Activity
A) Respond to system-wide announcements
B) Manage shared app data – other apps can view/modify is allowed
C) One single “screen” with user interface
D) Runs in background, interfaces between applications
1 Activity
2 Service
3 Content provider
4 Broadcast receiver
Review the different component types and see the permission use in their tags
App components are the essential building blocks of an Android app. Each component is a different point through which the system can enter your app. Not all components are actual entry points for the user and some depend on each other, but each one exists as its own entity and plays a specific role—each one is a unique building block that helps define your app's overall behavior.
There are four different types of app components. Each type serves a distinct purpose and has a distinct lifecycle that defines how the component is created and destroyed.
Here are the four types of app components:
For example, an app might have one activity that shows a list of new s, another activity to compose an , and another activity for reading s. Although the activities work together to form a cohesive user experience in the app, each one is independent of the others. As such, a different app can start any one of these activities (if the app allows it). For example, a camera app can start the activity in the app that composes new mail, in order for the user to share a picture.
Service
A service is a component that runs in the background to perform long-running operations or to perform work for remote processes.(Downloading a file, playing music, tracking location, etc.) A service does not provide a user interface. For example, a service might play music in the background while the user is in a different app, or it might fetch data over the network without blocking user interaction with an activity. Another component, such as an activity, can start the service and let it run or bind to it in order to interact with it.
Core functionality often implemented as Service components
eg. Location API, Alarm service
Content provider
A content provider manages a shared set of app data. You can store the data in the file system, an SQLite database, on the web, or any other persistent storage location your app can access. Through the content provider, other apps can query or even modify the data (if the content provider allows it). For example, the Android system provides a content provider that manages the user's contact information. As such, any app with the proper permissions can query part of the content provider to read and write information about a particular person.
Content providers are also useful for reading and writing data that is private to your app and not shared. For example, the 
Note Pad sample app uses a content provider to save notes.
Broadcast provider
A broadcast receiver is a component that responds to system-wide broadcast announcements. Many broadcasts originate from the system—for example, a broadcast announcing that the screen has turned off, the battery is low, or a picture was captured. Apps can also initiate broadcasts—for example, to let other apps know that some data has been downloaded to the device and is available for them to use. Although broadcast receivers don't display a user interface, they may create a status bar notification to alert the user when a broadcast event occurs. More commonly, though, a broadcast receiver is just a "gateway" to other components and is intended to do a very minimal amount of work. For instance, it might initiate a service to perform some work based on the event. 6

7. Components public or private
Private only components from same app or another app that runs with same UID
Exported attribute decides whether the component is public or private
True: exported to other apps (public)
False: not exported to other apps (private)
Default value depends on if the service contains <intent- filter>
The default value for Content Provider is true
UID
android: export
true other applications can interact with it
False only components of the same application or with same user ID can start the service or bind to it
Default value depends on if the service contains <intent-filter>
The default exported value for Content Providers is true. Because the primary purpose of a Content Provider is to share information between apps, it is assumed that these should be public and accessible by other apps.

8. Intent Communication between applications Activated components:
startActivity – launches a new screen
BroadcastIntent – send to BroadcastReceivers
bindService – connect to background service
Specified in the Manifest by IntentFilters
Filter actions, categories, data, (and priority)
e.g. action= make a phone call, data = phone number
The core components of an application (its activities, services, and broadcast receivers) are activated by intents. An intent is a bundle of information (anIntent object) describing a desired action — including the data to be acted upon, the category of component that should perform the action, and other pertinent instructions. Android locates an appropriate component to respond to the intent, launches a new instance of the component if one is needed, and passes it the Intent object.
Components advertise their capabilities — the kinds of intents they can respond to — through intent filters. Since the Android system must learn which intents a component can handle before it launches the component, intent filters are specified in the manifest as <intent-filter> elements. A component may have any number of filters, each one describing a different capability.
An intent that explicitly names a target component will activate that component; the filter doesn't play a role. But an intent that doesn't specify a target by name can activate a component only if it can pass through one of the component's filters.

9. AndroidManifest.xml XML configuration file
Every application must have it
Contains:
application’s name, icon, labels
Linked libraries
Application Components:
Activities – <activity>
Services – <service>
Broadcast receivers – <receiver>
Content providers – <provider>
Components specify what kind of Intent they accept with an <intent-filter>
Component has a <intent-filter> in AndroidMainfest.xml file, it’s exposed by defalut
Content provider do not use intents
Permissions
Don’t export app components unless you want other apps on system to interact with your app
It describes the components of the application the activities, services, broadcast receivers, and content providers that the application is composed of. It names the classes that implement each of the components and publishes their capabilities(for example, which intent messages they can handle). These declarations let the Android system know what the components are and under what conditions they can be launched.
Permission that others are required to have in order to interact with the application’s components.

10. Example AndroidManifest.xml

11. Android permission model
Two big goals:
Inform the user : list all “sensitive” operations before installing the app
Mitigate Exploits : limit access to sensitive APIs for attackers

12. Quiz: Permissions Goals
What are two goals of the permission system of Android?
Hint 1: User experience
Hint 2: Permission systems are used because...

13. Permissions Manifest File
Permissions are granted at install time
All or nothing.
API-defined permissions in AndroidManifest.Permissions class
At install time each application requests a list of permissions
The permission here refers to <user-permission>

14. Permissions Manifest File
Custom-defined permissions by developers
Name conflicts may appear
Current research on Android permissions doesn’t take them into consideration
At install time each application requests a list of permissions
The permission here refers to <user-permission>

15. Specifying required permissions
e.g. If your application needs access to the Internet, specify the INTERNET permission

16. Custom permissions
Can be used by developers to restrict to various services/components
A permission must be declared/created in an application’s manifest.
Any application need to possess the required permission for the call to succeed

17. Another example for custom permissions
 In this example an application signed with the same key can access the service
Component Permissions : Individual components can set their own permissions, restricting which other component can access them
Limit access to an exported component by permission
The name of a permission that that an entity must have in order to launch the service or bind to it. If a caller of startService(), bindService(), or stopService(), has not been granted this permission, the method will not work and the Intent object will not be delivered to the service.
In the service tag, we defined android:permission = com.example.awesome.EXAMPLE_PERM, with these been done, no external component can launch this service or bind to it unless they have this permission. Without this permission if your component is service it cannot be bind to. And intent-receivers will ignore all the messages sents from sendbroadcast method unless the sender has the permission

18. Permission Protection Levels
normal
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
Dangerous
android.permission.INTERNET
android.permission.ACCESS_FINE_LOCATION
Signature
android.permission.HARDWARE_TEST
android.permission.READ_INPUT_STATE
SignatureOrSystem
android.permission.BACKUP
android.permission.BIND_WALLPAPER
There is only name attribute within the permission tag while there are more than that
We can define icon label, permission group and also protection level within the tag
<!-- Allows applications to open network sockets. -->
android.permission.INTERNET
<!-- Must be required by a android.service.wallpaper.WallpaperService},
to ensure that only the system can bind to it. -->
android.permission.BIND_WALLPAPER
Allows an application to control the backup and restore process.
<p>Not for use by third-party applications.
@hide pending API council -->
android.permission.BACKUP
<!-- Allows access to hardware peripherals. Intended only for hardware testing.
<p>Not for use by third-party applications. -->
android.permission.HARDWARE_TEST
<!-- Allows an application to retrieve the current state of keys and
switches.
@deprecated The API that used this permission has been removed. -->

19. Permission Protection Levels
There are different permission protection levels available for apps:
protectionLevel="normal" – default
protectionLevel="dangerous" – private user data or control over the device that can negatively impact the user.
protectionLevel="signature" – limit access to only apps signed with the same certificate.
protectionLevel="signature or system” – device manufacturers only
protectionLevel="normal" – A lower-risk permission that gives requesting applications access to isolated application-level features, with minimal risk to other applications, the system, or the user. This is the default protection level.
The default value. A lower-risk permission that gives requesting applications access to isolated application-level features, with minimal risk to other applications, the system, or the user. The system automatically grants this type of permission to a requesting application at installation, without asking for the user's explicit approval (though the user always has the option to review these permissions before installing).
protectionLevel="dangerous" – A higher-risk permission that would give a requesting application access to private user data or control over the device that can negatively impact the user.
A higher-risk permission that would give a requesting application access to private user data or control over the device that can negatively impact the user. Because this type of permission introduces potential risk, the system may not automatically grant it to the requesting application. For example, any dangerous permissions requested by an application may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities.
protectionLevel="signature" – a permission that the system is to grant only if the requesting application is signed with the same certificate that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval.
Can be used to limit access to components to only apps signed with the same certificate.
protectionLevel="signature or system” – matching certificate with system image
But please avoid to use last level as the signature protection level should be sufficient for most needs and works regardless of exactly where applications are installed

20. Discretionary Access Control (DAC)
Linux access control
Based on group/user ID for apps
Restrict system facilities
e.g. Wi-Fi access, storage, location

21. MAC & DAC Mandatory access control (MAC, Android permission system)
Creator of an object does not necessarily have the ability to determine who has authorized access to it
Policy typically governed by a central authority, Android reference monitor in middleware
Discretionary access control (DAC, Linux low-level enforcement)
Individual user (an application) may, at his own discretion, determine who is authorized to access the objects he creates

22. Guess permission protection level
CALL_PHONE
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.
CHANGE_NETWORK_STATE
Allows applications to change network connectivity state
BATTERY_STATS
Allows an application to collect battery statistics
BROADCAST_SMS
Allows an application to broadcast an SMS receipt notification
levels.html
ndroidManifest.xml
dangerous
dangerous
normal
Exercise1
signature

23. Android Permission List
All included in Manifest.permission class
latest API version:22
t.permission.html
We can find the android permission list in the android documentation online

24. Component Permissions
Individual components can set their own permissions
Component permissions take precedence over application-level permissions
Any component can access a public component without specifying a access permission

25. Permissions in AndroidManifest for components
activity
Restricts access to the activity
Checked when staring activity
startActivity() and startActivityForResult()
Throw SecurityException if caller does not have required permission
Activity permissions restricts which components can start the associated activity. These permissions are checked within the execution of method such as startActivity() and startActivityForResult() which as you know is a called a activity tries to start another one and if the required permission is missing and then the android will throw a securityexception

26. Permissions in AndroidManifest for components
service
Restricts who can interact with service
Checked within execution of Context.startService(), Context.stopService() or Context.bindService()
Throw a SecurityException when failed

27. Permissions in AndroidManifest for components
provider (Content Provider)
Restrict who can access the data
Separate read and write permissions
Checked when performing operations(e.g. query, insert)
Problem: need grant permissions to certain portions of a Content Provider's database in short time
Solution: URI permission

28. URI permission Scenario: email client app
If an image or sound file attachment attached to a message, we need to grant corresponding permission to present it
Solution: User interface app could temporarily grant permission to the URI that contains an attachment to the image viewer
URI turned off by default
android:grantUriPermissions="true”
android:grantUriPermissions=”false”
path
pathPrefix
PathPattern
Specifies which data subsets of the parent content provider permission can be granted for. Data subsets are indicated by the path part of a content: URI. (The authority part of the URI identifies the content provider.) Granting permission is a way of enabling clients of the provider that don't normally have permission to access its data to overcome that restriction on a one-time basis.
If a content provider's grantUriPermissions attribute is "true", permission can be granted for any the data under the provider's purview. However, if that attribute is "false", permission can be granted only to data subsets that are specified by this element. A provider can contain any number of <grant-uri-permission> elements. Each one can specify only one path (only one of the three possible attributes).

29. URI permission
Content provider allow URI permissions to be granted on the/attachments/ path
App needs to actually grants these permission
Set flags in the Intent that allows access
e.g. Intent.FLAG_GRANT_READ_URI_PERMISSION

30. Permissions in AndroidManifest for components
receiver (Broadcast receiver)
Restricts who can send broadcasts to the BroadcastReceiver
Check at delivery, after broadcast was sent
Does not throw exception in case of permission failure
One common misconception about these permissions is that having the write permission automatically implies the read permission. The logic is that updating data (writing) is a more powerful permission than simply reading it and anyone that can write into a database should also be able to read from it. This is a fallacy, and the Android design, separating read and write permissions, acknowledges that. For example, consider an client app (I really do seem to like this example when discussing component security, don’t I?). In our app, we may implement a Content Provider to store we download from a mail server. A Service may periodically connect to that mail server, download new messages, and put them into our database by writing to that Content Provider. The Service clearly needs the permission to write to the Content Provider, but does it need the permission to read from it? No. In fact, it should not have that permission, as it is not needed for it to do the job it performs. Remember the Principle of Least Privilege: grant the permissions needed to get the job done and no more.
With Content Providers, permissions are first verified when you connect to the provider. When you do so, you can connect to it if you have either the read permission or the write permission. If you have neither, the connection request will fail with a thrown SecurityException.
Permissions are then checked when you attempt to interact with the Content Provider. Using itsquery() method requires the read permission, while using its insert(), update(), ordelete() methods requires the write permission, as specified in the manifest declaration (DB_READand DB_WRITE in this case). Again, note that having the write permission does not automatically give you the read permission; the two are separate and enforced independently. If you were to call one of these methods without the corresponding permission, the call would not succeed and aSecurityException would be thrown instead.

31. Enforcing permissions in code
Context.registerReceiver() can be used to register a BroadcastReceiver dynamically
Allow senders with MSG_NOTIFY_SEND permission to send to the registering Broadcast Receiver

32. Enforcing permissions in code
Applications can check to see if calling apps have permissions in code
Context.checkCallingPermission() and Context.enforceCallingPermission() can be used in source code to make sure the calling app holds the appropriate permission

33. Question: What’s the difference between <permission> and <uses-permission>?

34. <permission> and <uses-permission>
Developer are requiring permissions / enforce your own permission
Avoid other application to invoke your app
Protect users’ privacy of your app
Normally used when making a custom permission
<uses-permission>
Developer are requesting this permission for app/ seeking the user’s permission to use some feature of yours
Users must accept these permissions
Used when your app actually needs a permission it doesn’t have normally

35. Summary
App1’s activity wants to bind app2’service so app2 is checking if app 1 have the required permissions app2 declared

36. Questions
Content Providers/<provider> have two separate permissions. What are they?
read and write
Which component will not throw a exception in the case of permission failure?
receiver (Broadcast receiver)

37. Principle of using permissions
Requesting Permissions
Minimize the number of permissions that app requests
Design your app that does not require permissions
E.g. Rather than using external storage, store data on the internal storage
Creating Permissions
Creating a new permission is uncommon
If you must create new permissions, consider signature protection level permission first
Where appropriate, perform access checks using existing permissions.
If you must create a new permission, consider whether you can accomplish your task with a "signature" protection level. Signature permissions are transparent to the user and only allow access by applications signed by the same developer as application performing the permission check.
If you create a permission with the "dangerous" protection level, there are a number of complexities that you need to consider:
The permission must have a string that concisely expresses to a user the security decision they will be required to make.
The permission string must be localized to many different languages.
Users may choose not to install an application because a permission is confusing or perceived as risky.
Applications may request the permission when the creator of the permission has not been installed.
Each of these poses a significant non-technical challenge for you as the developer while also confusing your users, which is why we discourage the use of the "dangerous" permission level.

38. Minimize requested permissions
Users don’t like when your app requests too many permissions…
CAMERA
MESSAGES/CONTACT
ACCESS_FINE_LOCATION

39. Only request permissions your app requires
Why minimize the amount of permissions?
1/3 of apps request more permission than they need
Security vulnerabilities can expose protected data
User preferences
Sometimes permissions aren’t required
Getting a picture from the camera
Sending an SMS through the SMS app
Permissions can be temporarily granted to apps by content providers
Letting the user pick a contact to share with your app

40. Get a camera pic without CAMERA permission

41. Start the SMS app with a filled-in destination and message
Does not require the SEND_SMS

42. Let the user choose a contact with ACTION_GET_CONTENT

43. Related Research
Topic: Android Application Static Malware Detection Module
Main process
Extract permissions as features for each .apk file
Use machine learning algorithm to classify samples
Modify algorithm and features for improving accuracy

44. Background Android Malware are growing rapidly
- Over 97% mobile threats coming from Android Mobile Apps
- penetrate while repacking, updating, downloading
Over 97% is android malware

45. Feature extraction Sample definition @relation testset
@attribute ACCESS_CHECKIN_PROPERTIES {0,1} //didn’t defined 0
@attribute ACCESS_COARSE_LOCATION {0,1} //shown 1
@attribute ACCESS_FINE_LOCATION {0,1} ….
@attribute malware{B, M} // benign, malicious
@data
0,1,1,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,…,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,B
Total 145 permissions in API 19

46. Sample: 250 malware and 250 benign software

47. Set weight to permission and permission combinations (part of original table)
Sensitive permission or permission combinations
weight
INTERNET 1
READ_PHONE_STATE 2
RECEIVE_BOOT_COMPLETED
READ_SMS 12
RECEIVE_SMS ∧ SEND_SMS 30
READ_PHONE_STATE ∧ INTERNET 20
GET_ACCOUNTS ∧ INTERNET
READ_LOGS ∧ INTERNET
0,1,1,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,…,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,26,B
Note: The number 26 is sum of permission weight in this apk file

48. Top 10 Bad Permissions (on Google Play I/0 2012)
SEND_SMS, RECEIVE_SMS
SYSTEM_ALERT_WINDOW
READ_HISTROY_BOOKMARKS WRITE_HISTROY_BOOKMARKS
READ_CONTACTS, WRITE_CONTACTS, READ_CALENDAR, WRITE_CALENDAR
CALL_PHONE
READ_LOGS
ACCESS_FINE_LOCATION
GET_TASKS
RECEIVE_BOOT_COMPLETED
CHANGE_WIFI_STATE
Here’s the list of top 10 bad permissions hope next time if you are trying to install app you can see the list first and see if there is sensitive permissions.

49. Thank you for your time!