ABSTRACT

Android operating system uses the permission-based model which allows Android applications
to access user information, system information, device information and external resources of
Smartphone. The developer needs to declare the permissions for the Android application. The
user needs to accept these permissions for successful installation of an Android application. These
permissions are declarations. At the time of installation, if the permissions are allowed by the
user, the app can access resources and information anytime. It need not re-request for permissions
again. Android OS is susceptible to various security attacks due to its weakness in security. This
paper tells about the misuse of app permissions using Shared User ID, how two factor
authentications fail due to inappropriate and improper usage of app permissions using spyware,
data theft in Android applications, security breaches or attacks in Android and analysis of
Android, IOS and Windows operating system regarding its security.

Keywords— Android, Permissions, Shared User ID, Security, Data Theft, Spyware, IOS,
Windows.

1
 CHAPTER 1
INTRODUCTION

As smart phones and tablets become more popular, the operating systems for those devices
become more important. Android is such an operating system for low powered devices that run
on battery and are full of hardware like Global Positioning System (GPS) receivers, cameras, light
and orientation sensors, Wi-Fi and UMTS (3G telephony) connectivity and a touch screen. Like
all operating systems, Android enable applications to make use of the hardware features through
abstraction and provide a defined environment for applications. Unlike on other mobile operating
systems like Apple’s IOS, Palm’s web OS or Symbian, Android applications are written in Java
and run in virtual machines. For this purpose Android features the Dalvik virtual machine which
executes its own byte code. Dalvik is a core component, as all Android user applications and the
application framework are written in Java and executed by Dalvik. Like on other platforms,
applications for Android can be obtained from a central place called Android Market.
The platform was created by Android Inc. which was bought by Google and released as the
Android Open Source Project (AOSP) in 2007. A group of 78 different companies formed the
Open Handset Alliance (OHA) that is dedicated to develop and distribute Android. The software
can be freely obtained from a central repository and modified in terms of the license which is
mostly BSD and Apache. The development of Android takes place quickly, as a new major release
happens every few months. This leads to a situation where information about the platform
becomes obsolete very quickly and sources like books and articles can hardly keep up with the
development.

1.1 History of Android:

The name Andrew and the noun Android share the Greek root Andros, which means man. Andy
Rubin picked android.com as his personal website, and his colleagues used Android as his
nickname at work. That eventually became the name of the company he founded, and the name
of the operating system they developed.
Android Inc. was founded in Palo Alto, California, in October 2003 by Andy Rubin, Rich Miner,
Nick Sears, and Chris White. Rubin described the Android project as "tremendous potential in
developing smarter mobile devices that are more aware of its owner's location and preferences".
The early intentions of the company were to develop an advanced operating system for digital
cameras, and this was the basis of its pitch to investors in April 2004.The company then decided
that the market for cameras was not large enough for its goals, and by five months later it had
diverted its efforts and was pitching Android as a handset operating system that would rival
Symbian and Microsoft Windows Mobile.
Rubin had difficulty attracting investors early on, and Android was facing eviction from its office
space. Steve Perlman, a close friend of Rubin, brought him $10,000 in cash in an envelope, and
shortly thereafter wired an undisclosed amount as seed funding. Perlman refused a stake in the
company, and has stated "I did it because I believed in the thing, and I wanted to help Andy."

2
In July 2005, Google acquired Android Inc. for at least $50 million. Its key employees, including
Rubin, Miner and White, joined Google as part of the acquisition. Not much was known about
the secretive Android at the time, with the company having provided few details other than that
it was making software for mobile phones. At Google, the team led by Rubin developed a mobile
device platform powered by the Linux kernel. Google marketed the platform to handset makers
and carriers on the promise of providing a flexible, upgradeable system. Google had "lined up a
series of hardware components and software partners and signaled to carriers that it was open to
various degrees of cooperation".
Speculation about Google's intention to enter the mobile communications market continued to
build through December 2006. An early prototype had a close resemblance to a BlackBerry
phone, with no touchscreen and a physical QWERTY keyboard, but the arrival of 2007's Apple
iPhone meant that Android "had to go back to the drawing board". Google later changed its
Android specification documents to state that "Touchscreens will be supported", although "the
Product was designed with the presence of discrete physical buttons as an assumption, therefore
a touchscreen cannot completely replace physical buttons". By 2008, both Nokia and BlackBerry
announced touch-based smartphones to rival the iPhone 3G, and Android's focus eventually
switched to just touchscreens. The first commercially available smartphone running Android was
the HTC Dream, also known as T-Mobile G1, announced on September 23, 2008.
On November 5, 2007, the Open Handset Alliance, a consortium of technology companies
including Google, device manufacturers such as HTC, Motorola and Samsung, wireless carriers
such as Sprint and TMobile, and chipset makers such as Qualcomm and Texas Instruments,
unveiled itself, with a goal to develop "the first truly open and comprehensive platform for mobile
devices". Within a year, the Open Handset Alliance faced two other open source competitors, the
Symbian Foundation and the LiMo
Foundation, the latter also developing a Linux-based mobile operating system like Google. In
September 2007, InformationWeek covered an Evalueserve study reporting that Google had filed
several patent applications in the area of mobile telephony.
Since 2008, Android has seen numerous updates which have incrementally improved the
operating system, adding new features and fixing bugsin previous releases. Each major release is
named in alphabetical order after a dessert or sugary treat, with the first few Android versions
being called "Cupcake", "Donut", "Eclair", and "Froyo", in that order. During its announcement
of Android KitKat in 2013, Google explained that "Since these devices make our lives so sweet,
each Android version is named after a dessert", although a Google spokesperson told CNN in an
interview that "It's kind of like an internal team thing, and we prefer to be a little bit — how
should I say — a bit inscrutable in the matter, I'll say".
In 2010, Google launched its Nexus series of devices, a lineup in which Google partnered with
different device manufacturers to produce new devices and introduce new Android versions. The
series was described as having "played a pivotal role in Android's history by introducing new
software iterations and hardware standards across the board", and became known for its "bloat-
free" software with "timely ... updates".At its developer conference in May 2013, Google
announced a special version of the Samsung Galaxy S4, where, instead of using Samsung's own
Android customization, the phone ran "stock Android" and was promised to receive new system
updates fast. The device would become the start of the Google Play edition program, and was
followed by other devices, including the HTC One Google Play edition, and Moto G Google Play
edition. In 2015, Ars Technica wrote that "Earlier this week, the last of the Google Play edition

3
Android phones in Google's online storefront were listed as "no longer available for sale" and that
"Now they're all gone, and it looks a whole lot like the program has wrapped up".
From 2008 to 2013, Hugo Barra served as product spokesperson, representing Android at press
conferences and Google I/O, Google's annual developer-focused conference. He left Google in
August 2013 to join Chinese phone maker Xiaomi. Less than six months earlier, Google's then-
CEO Larry Page announced in a blog post that Andy Rubin had moved from the Android division
to take on new projects at Google, and that Sundar Pichai would become the new Android lead.
Pichai himself would eventually switch positions, becoming the new CEO of Google in August
2015 following the company's restructure into the Alphabet conglomerate, making Hiroshi
Lockheimer the new head of Android.
In June 2014, Google announced Android One, a set of "hardware reference models" that would
"allow [device makers] to easily create high-quality phones at low costs", designed for consumers
in developing countries. In September, Google announced the first set of Android One phones for
release in India. However, Recode reported in June 2015 that the project was "a disappointment",
citing "reluctant consumers and manufacturing partners" and "misfires from the search company
that has never quite cracked hardware". Plans to re-launch Android One surfaced in August 2015,
with Africa announced as the next location for the program a week later. A report from The
Information in January 2017 stated that Google is expanding its low-cost Android One program
into the United States, although The Verge notes that the company will presumably not produce
the actual devices itself.
Google introduced the Pixel and Pixel XL smartphones in October 2016, marketed as being the
first phones made by Google, and exclusively featured certain software features, such as the
Google Assistant, before wider rollout. The Pixel phones replaced the Nexus series, with a new
generation of Pixel phones launched in October 2017.

4
 Fig 1.:Android Architecture

1.2 Features:

Interface
Android's default user interface is mainly based on direct manipulation, using touch inputs that
loosely correspond to real-world actions, like swiping, tapping, pinching, and reverse pinching to
manipulate onscreen objects, along with a virtual keyboard. Game controllers and full-size
physical keyboards are supported via Bluetooth or USB. The response to user input is designed
to be immediate and provides a fluid touch interface, often using the vibration capabilities of the
device to provide haptic feedback to the user. Internal hardware, such as accelerometers,
gyroscopes and proximity sensors are used by some applications to respond to additional user
actions, for example adjusting the screen from portrait to landscape depending on how the device
is oriented, or allowing the user to steer a vehicle in a racing game by rotating the device,
simulating control of a steering wheel.
Android devices boot to the home screen, the primary navigation and information "hub" on
Android devices, analogous to the desktop found on personal computers. Android home screens
are typically made up of app icons and widgets; app icons launch the associated app,

5
whereas widgets display live, auto-updating content, such as a weather forecast, the user's email
inbox, or a news ticker directly on the home screen. A home screen may be made up of several
pages, between which the user can swipe back and forth. Third-party apps available on Google
Play and other app stores can extensively re-theme the home screen, and even mimic the look of
other operating systems, such as Windows Phone. Most manufacturers customize the look and
features of their Android devices to differentiate themselves from their competitors.
Along the top of the screen is a status bar, showing information about the device and its
connectivity. This status bar can be "pulled" down to reveal a notification screen where apps
display important information or updates. Notifications are "short, timely, and relevant
information about your app when it's not in use", and when tapped, users are directed to a screen
inside the app relating to the notification. Beginning with Android 4.1 "Jelly Bean", "expandable
notifications" allow the user to tap an icon on the notification in order for it to expand and display
more information and possible app actions right from the notification.
An All Apps screen lists all installed applications, with the ability for users to drag an app from
the list onto the home screen. A Recent screen lets users switch between recently used apps.
Applications
Applications ("apps"), which extend the functionality of devices, are written using the Android
software development kit (SDK) and, often, the Java programming language. Java may be
combined with C/C++,[80] together with a choice of non-default runtimes that allow better C++
support.[81] The Go programming language is also supported, although with a limited set of
application programming interfaces (API). In May 2017, Google announced support for Android
app development in the Kotlin programming language.
The SDK includes a comprehensive set of development tools, including a debugger, software
libraries, a handset emulator based on QEMU, documentation, sample code, and tutorials.
Initially, Google's supported integrated development environment (IDE) was Eclipse using the
Android Development Tools (ADT) plugin; in December 2014, Google released Android Studio,
based on IntelliJ IDEA, as its primary IDE for Android application development. Other
development tools are available, including a native development kit (NDK) for applications or
extensions in C or C++, Google App Inventor, a visual environment for novice programmers, and
various cross platform mobile web applications frameworks. In January 2014, Google unveiled
an framework based on Apache Cordova for porting Chrome HTML 5 web applications to
Android, wrapped in a native application shell.
Android has a growing selection of third-party applications, which can be acquired by users by
downloading and installing the application's APK (Android application package) file, or by
downloading them using an application store program that allows users to install, update, and
remove applications from their devices. Google Play Store is the primary application store
installed on Android devices that comply with Google's compatibility requirements and license
the Google Mobile Services software. Google Play Store allows users to browse, download and
update applications published by Google and third-party developers; as of July 2013, there are
more than one million applications available for Android in Play Store. As of July 2013, 50 billion
applications have been installed. Some carriers offer direct carrier billing for Google
Play application purchases, where the cost of the application is added to the user's monthly bill.
As of May 2017, there are over one billion active users a month for Gmail, Android, Chrome,
Google Play and Maps.

6
Due to the open nature of Android, a number of third-party application marketplaces also exist
for Android, either to provide a substitute for devices that are not allowed to ship with Google
Play Store, provide applications that cannot be offered on Google Play Store due to policy
violations, or for other reasons. Examples of these third-party stores have included the Amazon
Appstore, Get Jar, and Slide Me. F-Droid, another alternative marketplace, seeks to only provide
applications that are distributed under free and open source licenses.
Memory management
Since Android devices are usually battery-powered, Android is designed to manage processes to
keep power consumption at a minimum. When an application is not in use the system suspends
its operation so that, while available for immediate use rather than closed, it does not use battery
power or CPU resources. Android manages the applications stored in memory automatically:
when memory is low, the system will begin invisibly and automatically closing inactive
processes, starting with those that have been inactive for the longest amount of time. Life hacker
reported in 2011 that third-party task killer applications were doing more harm than good.

Fig 2. : Android History

7
 CHAPTER 2
Security Issues in Android

Android has robust security measures, but even then it is not 100% secure. There are a lot of
security issues faced by Android, few of them are:

(i). Quad Rooter Vulnerability: Quad Rooter is a set of four vulnerabilities affecting Android
devices built using Qualcomm chipsets. An attacker can exploit these vulnerabilities using a
malicious app. Such an app would require no special permissions to take advantage of these
vulnerabilities, alleviating any suspicion users may have when installing.

(ii). The ‘Certify-gate’ mRST flaw: This is a flaw in two mobile Remote Support Tool plug-ins
used by many handset makers, including Samsung, LG, HTC, Huawei and ZTE running
Android versions up to 5.1. Attackers could exploit it by sneaking a bogus app onto a phone
which exploits the flaw in a way that elevates the attacker’s permissions. From that point on,
the attacker would have complete remote control over the smartphone.

(iii). ‘Stage fright’ MMS flaw: It is arguably the most serious security flaw ever to hit Android,
this one affecting a media playback component of the OS nobody usually thinks much about
called Stage fright. The attackers could exploit the issue by sending a malicious video
message to almost any Android handset on the plant, which would execute automatically.
Incredibly, no user interaction is needed and the message could even render itself invisible
by deleting itself.

(iv). Android Installer hijacking: Affecting older smartphones only – that was still around half
of all Android smartphones at the time of its discovery – this offered a novel way of
attackers to replace one installer (or APK file) with another one when using third-party app
stores, in effect letting a malicious app replace a legitimate one without the user realising
it.

(v). Android FakeID flaw: This flaw offers a way for a malicious app to hijack the trusted status
of a legitimate app through (by forging its digital certificate), effectively escaping any
sandboxing security on the device.

(vi). Towel Root: It was an unusual kernel-level flaw affecting something called the futex
subsystem. However, not long after it was incorporated into a tool designed to root Android
4.4 called Towel Root, which effectively functioned as a benign proof-of-concept exploit.

8
 CHAPTER 3
Literature Survey

W. Enck, D. Octeau, P. McDaniel and S. Chaudhry presented ‘A study of Android application

security’ and introduced the ded decompiler, which generated the android application source
code directly from the installation image. They designed and executed a horizontal study of
smartphone applications based on static analysis of 21 million lines of recovered code and
concluded that low or no restriction of entry for application developers increased the security
risk for end users5. S. Powar, Dr. B. B. Meshram on their research ‘Android security framework’,
described android security framework and concluded that the increased exposure of open
source smartphone is increasing the security risk. The permission module to secure the phone
is very basic. The user has only two options at the time of app installation: first allow all
requested permissions and second deny the requested permissions which leads to stop
installation6. S. Kaur and M. Kaur in their paper ‘implementing security on Android application’
described how the security in android based systems can be increased7. S. Smalley and R. Craig
in their research ‘Security Enhanced (SE) Android: Bringing Flexible MAC to Android’, showed
how the android software stack defines and enforces its own security model for apps through
its application layer permissions model. They also described how MAC- mandatory access
control can be brought to Android by enabling the effective use of Security Enhanced Linux
(SELinux) for kernel-level MAC and by developing a set of middleware MAC extensions to the
Android permissions model8. M.Ongtang, S. McLaughlin, W. Enck, and P. McDaniel, in their
study ‘Semantically Rich Application-Centric Security in Android’ proposed a secure application
interaction (Saint), which is an improved infrastructure that governs install-time permission
assignment and their run-time use as dictated by application provider policy9. T. Luo, H. Hao,
W. Du, Y. Wang and H. Yin in the paper ‘Attacks on Web View in Android System’ discussed a
number of attacks on Web View, either by malicious apps or against non-malicious apps. They
identified two fundamental causes of the attacks: weakening of the TCB and Sandbox10. A.D.
Schmidt and S. Albayrak presented a paper on ‘Malicious Software for Smartphones’ and
presented a list of most common behavior patterns and investigated the possibilities to exploit
the standard Symbain OS API and additional malware functionalities11. G. Dini, F. Martinelli, A.
Saracino and D. Sgandurra presented a paper ‘MADAM: a multilevel anomaly detector for
android malware’ in which they showed that MADAM is able to notice several real malware
found in the world. The device is not affected by MADAM due to the low range of false positives
generated after the training phase12.

9
 CHAPTER 4
CONCLUSION

4.1 CONCLUSION:
As smart phones and tablets become more popular, the operating systems for those devices
become more important. Android is such an screen. Like all operating systems, Android enables
applications to make use of the hardware features through abstraction and provide a defined
environment for applications. Unlike on other mobile operating systems like Apple’s IOS, Palm’s
web OS or Symbian, Android applications are written in Java and run in virtual machines. For
this purpose Android features the Dalvik virtual machine which executes its own byte code.
Dalvik is a core component, as all Android user applications and the application framework are
written in Java and executed by Dalvik. Like on other platforms, applications for Android can be
obtained from a central place called Android Market. The platform was created by Android Inc.
which was bought by Google and released as the Android Open Source Project (AOSP) in 2007.
A group of 78 different companies formed the Open Handset Alliance (OHA) that is dedicated to
develop and distribute Android. The software can be freely obtained from a central repository and
modified in terms of the license which is mostly BSD and Apache. The development of Android
takes place quickly, as a new major release happens every few months. This leads to a situation
where information about the platform becomes obsolete very quickly and sources like books and
articles can hardly keep up with the development. Along with the increasing numbers of Android
smartphones, the number of various Android applications including malware is increasing day by
day at a faster rate. In spite of the present Android security mechanisms, the malware takes
advantage of the Android security holes to misuse the resources which are being granted. Manual
analysis has become infeasible due to the exponential increasing number of unknown malware
samples. The proposed works are primarily behavior-based and their main contribution is tracing
the applications' system calls and activities are being analysed to restrict them from malware
activities which are at high risks. Therefore, the paper tries to analyse the proposed works based
on the nature of the solutions suggested for the Android security issues.

10
REFERENCES

[1] S. Powar, Dr. B. B. Meshram on their research ‘Android security framework’, described
android security framework and concluded that the increased exposure of open source
smartphone is increasing the security risk,(2015).

[2] S. Kaur and M. Kaur in their paper ‘implementing security on Android application’ described
how the security in android based systems can be increased, (2013).

[3] W. Enck, D. Octeau, P. McDaniel and S. Chaudhry research paper,(2014).

11
 Android Security Issues and Solutions
Aman Agrawal
Computer Engineering,
Poornima College of Engineering
([email protected])

Abstract -Android operating system uses

the permission-based model which allows
Android applications to access user
information, system information, device
information and external resources of
Smartphone. The developer needs to declare
the permissions for the Android application.
The user needs to accept these permissions for
successful installation of an Android
application. These permissions are
declarations. At the time of installation, if the
permissions are allowed by the user, the app
can access resources and information
anytime. It need not re-request for
permissions again. Android OS is susceptible
to various security attacks due to its weakness
in security. This paper tells about the misuse
of app permissions using Shared User ID, how
two factor authentications fail due to
inappropriate and improper usage of app
permissions using spyware, data theft in
Android applications, security breaches or
attacks in Android and analysis of Android,
IOS and
Windows operating system regarding its
security
Keywords— Android; Permissions; Shared
User ID;Security; Data Theft; Spyware;
iOS; Windows.
I. INTRODUCTION
As smart phones and tablets become more
popular, the operating systems for those
devices become more important. Android is
such an
Jaipur,Rajasthan
12
Screen .Like all operating systems, Android
enables applications to make use of the
hardware features through abstraction and
provide a defined environment for
applications. Unlike on other mobile
operating systems like Apple’s IOS, Palm’s
web OS or Symbian, Android applications are
written in Java and run in virtual machines.
For this purpose Android features the Dalvik
virtual machine which executes its own byte
code. Dalvik is a core component, as all
Android user applications and the application
framework are written in Java and executed
by Dalvik. Like on other platforms,
applications for Android can be obtained from
a central place called Android Market.
The platform was created by Android Inc.
which was bought by Google and released as
the Android Open Source Project (AOSP) in
2007. A group of 78 different companies
formed the Open Handset Alliance (OHA)
that is dedicated to develop and distribute
Android. The software can be freely obtained
from a central repository and modified in
terms of the license which is mostly BSD and
Apache. The development of Android takes
place quickly, as a new major release happens
every few months. This leads to a situation
where information about the platform
becomes obsolete very quickly and sources
like books and articles can hardly keep up
with the development.
II. BACKGROUND & HISTORY
Android is described as a mobile operating
system, initially developed by Android Inc.
Android was sold to Google in 2005. Android
is based on a modified Linux 2.6 kernel.
Google, as well as other members of the Open
Handset Alliance (OHA) collaborated on
Android (design, development, distribution).
Currently, the Android Open Source Project
(AOSP) is governing the Android
maintenance and development cycle. To
reiterate, the Android operating system is
based on a modified Linux 2.6 kernel.
Compared to a Linux 2.6 environment though,
several drivers and libraries have been either
modified or newly developed to allow
Android to run as efficiently and as effectively
as possible on mobile devices (such as smart
phones or internet tablets). Some of these
libraries have their roots in open source
projects. Due to some licensing issues, the
Android community decided to implement
their own c library (Bionic), and to develop an
Android specific Java runtime engine (Dalvik
Virtual Machine – DVM). With Android, the
focus has always been on optimizing the
infrastructure based on the limited resources
available on mobile devices [05]. To
complement the operating environment, an
Android specific application framework was
designed and implemented. Therefore,
Android can best be described as a complete
solution stack, incorporating the OS,
middleware components, and applications. In
Android, the modified Linux 2.6 kernel acts as
the hardware abstraction layer (HAL).
III. SECURITY ATTACKS IN
ANDROID
Android has robust security measures, but
even then it is not 100% secure. There are a lot
of security issues faced by Android, few of
them are: i. QuadRooter Vulnerability:
QuadRooter is a set of four vulnerabilities
affecting Android devices built using
Qualcomm chipsets. An attacker can exploit
these vulnerabilities using a malicious app.
Such an app would require no special
permissions to take advantage of these
13
vulnerabilities, alleviating any suspicion users
may have when installing. ii. The ‘Certifi-
gate’ mRST flaw: This is a flaw in two mobile
Remote Support Tool plugins used by many
handset makers, including Samsung, LG,
HTC, Huawei and ZTE running Android
versions up to 5.1. Attackers could exploit it
by sneaking a bogus app onto a phone which
exploits the flaw in a way that elevates the
attacker’s permissions. From that point on, the
attacker would have complete remote control
over the smartphone. iii. ‘Stagefright’ MMS
flaw: It is arguably the most serious security
flaw ever to hit Android, this one affecting a
media playback component of the OS nobody
usually thinks much about called Stagefright.
The attackers could exploit the issue by
sending a malicious video message to almost
any Android handset on the plant, which
would execute automatically. Incredibly, no
user interaction is needed and the message
could even render itself invisible by deleting
itself. iv. Android Installer hijacking:
Affecting older smartphones only – that was
still around half of all Android smartphones at
the time of its discovery – this offered a novel
way of attackers to replace one installer (or
APK file) with another one when using third-
party app stores, in effect letting a malicious
app replace a legitimate one without the user
realising it.
v. Android FakeID flaw: This flaw offers
a way for a malicious app to hijack the trusted
status of a legitimate app through (by forging
its digital certificate), effectively escaping any
sandboxing security on the device.
vi. TowelRoot: It was an unusual kernel-
level flaw affecting something called the futex
subsystem. However, not long after it was
incorporated into a tool designed to root
Android 4.4 called TowelRoot, which
effectively functioned as a benign proof-of-
concept exploit.
IV. LITERATURE SURVEY
W. Enck, D. Octeau, P. McDaniel and S.
Chaudhry presented ‘A study of Android
application security’ and introduced the ded
decompiler, which generated the android
application source code directly from the
installation image. They designed and
executed a horizontal study of smartphone
applications based on static analysis of 21
million lines of recovered code and concluded
that low or no restriction of entry for
application developers increased the security
risk for end users5. S. Powar,
Dr. B. B. Meshram on their research ‘Android
security framework’, described android
security framework and concluded that the
increased exposure of open source
smartphone is increasing the security risk. The
permission module to secure the phone is very
basic. The user has only two options at the
time of app installation: first allow all
requested permissions and second deny the
requested permissions which leads to stop
installation6. S.
Kaur and M. Kaur in their paper
‘implementing security on Android
application’ described how the security in
android based systems can be increased7. S.
Smalley and R. Craig in their research
‘Security Enhanced (SE) Android: Bringing
Flexible MAC to Android’, showed how the
android software stack defines and enforces its
own security model for apps through its
application layer permissions model. They
also described how MAC- mandatory access
control can be brought to Android by enabling
the effective use of Security Enhanced Linux
(SELinux) for kernel-level MAC and by
developing a set of middleware MAC
extensions to the Android permissions
model8. M.Ongtang, S. McLaughlin, W.
Enck, and P. McDaniel, in their study
‘Semantically Rich
ApplicationCentric Security in Android’
proposed a secure application interaction
(Saint), which is an improved infrastructure
14
that governs install-time permission
assignment and their runtime use as dictated
by application provider policy9. T. Luo, H.
Hao, W. Du, Y. Wang and H. Yin in the paper
‘Attacks on WebView in Android System’
discussed a number of attacks on WebView,
either by malicious apps or against non-
malicious apps. They identified two
fundamental causes of the attacks: weakening
of the TCB and Sandbox10. A.D. Schmidt and
S. Albayrak presented a paper on
‘Malicious Software for Smartphones’ and
presented a list of most common behavior
patterns and investigated the possibilities to
exploit the standard Symbain OS API and
additional malware functionalities11. G. Dini,
F. Martinelli, A. Saracino and D. Sgandurra
presented a paper ‘MADAM: a multi-level
anomaly detector for android malware’ in
which they showed that MADAM is able to
notice several real malware found in the
world. The device is not affected by
13
MADAM due to the low range of false
positives generated after the training phase12.
V. CONCLUSION
Along with the increasing numbers of Android
smartphones, the number of various Android
applications including malware is increasing
day by day at a faster rate. In spite of the
present Android security mechanisms, the
malware takes advantage of the Android
security holes to misuse the resources which
are being granted. Manual analysis has
become infeasible due to the exponential
increasing number of unknown malware
samples. The proposed works are primarily
behavior-based and their main contribution is
tracing the applications' system calls and
activities are being analysed to restrict them
from malware activities which are at high
risks. Therefore, the paper tries to analyse the
solutions issues.
VI. REFERENCES
[1] S. Powar, Dr. B. B. Meshram on their
research‘Android_security
framework ’,described android
security framework and concluded
that the increased exposure of open
source smartphone is increasing the
security risk.
[2] S. Kaur and M. Kaur in their paper
‘implementing security on Android
application’ described how the
security in android based systems
can_be_increased.
https://developer.android.com/g
uide/to security/normalpermissions.
[3] W. Enck, D. Octeau, P. McDaniel
and
S. Chaudhry research paper