Solving the Problem of unauthorized access in Android

Access control in Android is implemented through a combination of UID checks and permission checks. However, this model can be bypassed to gain unauthorized access in two ways. 

Android’s permission mechanism is not enough to prevent unauthorized access. If a caller component is granted permission by the system at install time or by the user at run-time then it gains access to the callee component. The Android system does not check the identity of the caller component. It assumes that because permission has been granted to it, the access request is legitimate. However, this assumption is not always true. A malicious app can use those permissions in its own manifest to gain access to a protected component even though the component was not intended to be accessed by the malicious app. 

The second problem is more of an implementation issue in the Android system. All permissions except dangerous permissions are granted when an application is successfully installed in the system. Dangerous permissions are granted only when the user approves at run time. Up until Android 5.0 these protection levels could be upgraded or downgraded. For instance, a permission declared as signature used to protect a sensitive component could be re-declared as normal by a malicious app. A colluding app could then use this permission in its manifest. If the malicious app is then uninstalled and the benign app with the sensitive component is installed, then the colluding app will still be able to use that permission to gain access. In Android 5.1 this was resolved by revoking the permission whose definition does not exist. This means that the colluding app’s permission will be revoked when the malicious app is uninstalled. While this does solve the problem of unauthorized access, it introduces a new problem where legitimate apps could crash due to the sudden revocation of a permission which was granted to it by the system before. A more elegant solution would be to maintain a white list of apps and their signatures that are allowed to interact with a component. If a call is made to this component from outside its sandbox, then we check if the permission granted to the caller matches with the permission name and protection level of the permission protecting the callee. If they match, we check if the protection level is “signature”. If it is then access is granted. If not then we check the white list. If the caller is present in the white list we grant access. If not we reject it. However, if the white list is empty we should still grant access to accommodate for cases where a component might want to be accessed by everyone. This approach does not solve the problem of dangling permissions but does prevent unauthorized access caused due to it without affecting the availability of the app. It also provides a white list mechanism through which components will be able to explicitly specify who is authorized to access it. The Android source could be modified to perform this check every time a component is called by another.