Sciweavers

NDSS
2015
IEEE

What's in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources

8 years 8 months ago
What's in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources
Abstract—The pervasiveness of security-critical external resources (e.g accessories, online services) poses new challenges to Android security. In prior research we revealed that given the BLUETOOTH and BLUETOOTH_ADMIN permissions, a malicious app on an authorized phone gains unfettered access to any Bluetooth device (e.g., Blood Glucose meter, etc.). Here we further show that sensitive text messages from online banking services and social networks (account balance, password reset links, etc.) are completely exposed to any app with either the RECEIVE_SMS or the READ_SMS permission. Similar security risks are present in other channels (Internet, Audio and NFC) extensively used to connect the phone to assorted external devices or services. Fundamentally, the current permission-based Discretionary Access Control (DAC) and SEAndroid-based Mandatory Access Control (MAC) are too coarse-grained to protect those resources: whoever gets the permission to use a channel is automatically allowed...
Soteris Demetriou, Xiao-yong Zhou, Muhammad Naveed
Added 15 Apr 2016
Updated 15 Apr 2016
Type Journal
Year 2015
Where NDSS
Authors Soteris Demetriou, Xiao-yong Zhou, Muhammad Naveed 0001, Yeonjoon Lee, Kan Yuan, XiaoFeng Wang, Carl A. Gunter
Comments (0)