Android Custom Permissions Demystified
Overview
This website accompanies the IEEE S&P 2021 paper: Android Custom Permissions Demystified: From Privilege Escalation to Design Shortcomings
Rui Li, Wenrui Diao, Zhou Li, Jianqi Du, and Shanqing Guo. Android Custom Permissions Demystified: From Privilege Escalation to Design Shortcomings. The 42nd IEEE Symposium on Security and Privacy (IEEE S&P 2021), Virtual. May 23-27, 2021.
-----------------------------------
Remarks: The extended version of this paper adds the newly discovered DS#5 and DS#6.
Rui Li, Wenrui Diao, Zhou Li, Shishuai Yang, Shuang Li, and Shanqing Guo. Android Custom Permissions Demystified: A Comprehensive Security Evaluation. IEEE Transactions on Software Engineering, 2021.
DS#1: Dangling Custom Permission
In this demo, the PoC app obtains the CALL_PHONE permission (dangerous system permission) without user consent.
The adversary re-defines a dangling custom permission and changes the original permission attributes.
Responsible Disclosure: Confirmed by Google. Fixed.
AndroidID-165615162: High severity
AndroidID-155648771: High severity (after re-assessment)
CVE ID: CVE-2021-0307
DS#2: Inconsistent Permission-group Mapping
In this demo, the PoC app obtains 30 dangerous system permissions without user consent.
The adversary exploits the inconsistent permission-group mapping information in AndroidManifest.xml and PLATFORM_PERMISSIONS.
Responsible Disclosure: Confirmed by Google. Fixed.
AndroidID-153879813: High severity
CVE ID: CVE-2020-0418
DS#3: Custom Permission Elevating
In this demo, the PoC app obtains the ACTIVITY_RECOGNITION permission (dangerous system permission in Android 10) without user consent.
The adversary elevates a custom permission to a system permission through an OS update.
Responsible Disclosure: Confirmed by Google.
AndroidID-154505240: High severity
CVE ID: CVE-2021-0306
DS#4: Inconsistent Permission Definition
In this demo, the PoC app obtains the CALL_PHONE permission (dangerous system permission) without user consent.
The adversary exploits the inconsistent permission definitions in the system and the owner app.
Responsible Disclosure: Confirmed by Google. Fixed.
AndroidID-168319670: High severity
CVE ID: CVE-2021-0317
DS#5: Dormant Permission Group
In this demo, the PoC app obtains the ACTIVITY_RECOGNITION permission (dangerous system permission) without user consent.
The adversary exploits the new system permission group introduced in Android 10, that is, a dormant permission group.
Responsible Disclosure: Confirmed by Google.
AndroidID-176828496: Moderate severity
CVE ID: To be assigned...
DS#6: Inconsistent Permission Type
In this demo, the PoC app gets unauthorized access to another app's resource that is protected by a signature permission, even though the two apps are signed with different certificates.
The adversary exploits the inconsistent permission type in the permission's definition and its granting status.
Responsible Disclosure: Confirmed by Google.
AndroidID-155649020: Low severity