Android Custom Permissions Demystified

Overview

This website accompanies the IEEE S&P 2021 paper "Android Custom Permissions Demystified: From Privilege Escalation to Design Shortcomings".

Rui Li, Wenrui Diao, Zhou Li, Jianqi Du, and Shanqing Guo. Android Custom Permissions Demystified: From Privilege Escalation to Design Shortcomings. The 42nd IEEE Symposium on Security and Privacy (IEEE S&P 2021), Virtual. May 23-27, 2021. 

-----------------------------------

Remarks: The extended version of this paper adds the newly discovered DS#5 and DS#6.

Rui Li, Wenrui Diao, Zhou Li, Shishuai Yang, Shuang Li, and Shanqing Guo. Android Custom Permissions Demystified: A Comprehensive Security Evaluation. IEEE Transactions on Software Engineering, 2021.

[Demo video: bug2-reinstall.mp4]

DS#1: Dangling Custom Permission

In this demo, the PoC app obtains the CALL_PHONE permission (a dangerous system permission) without user consent.

The adversary re-defines a dangling custom permission and changes the original permission attributes.

Responsible Disclosure: Confirmed by Google. Fixed.

AndroidID-165615162: High severity

AndroidID-155648771: High severity (after re-assessment)

CVE ID: CVE-2021-0307

[Demo video: bug1-app-update.mp4]

DS#2: Inconsistent Permission-group Mapping

In this demo, the PoC app obtains 30 dangerous system permissions without user consent.

The adversary exploits the inconsistent permission-group mapping information in AndroidManifest.xml and PLATFORM_PERMISSIONS.

Responsible Disclosure: Confirmed by Google. Fixed.

AndroidID-153879813: High severity

CVE ID: CVE-2020-0418 

[Demo video: bug3-osupdate.mp4]

DS#3: Custom Permission Elevating

In this demo, the PoC app obtains the ACTIVITY_RECOGNITION permission (a dangerous system permission in Android 10) without user consent.

The adversary elevates a custom permission to a system permission through an OS update.

Responsible Disclosure: Confirmed by Google.

AndroidID-154505240: High severity

CVE ID: CVE-2021-0306

[Demo video: DS#4-reboot.mp4]

DS#4: Inconsistent Permission Definition

In this demo, the PoC app obtains the CALL_PHONE permission (a dangerous system permission) without user consent.

The adversary exploits the inconsistent permission definitions in the system and the owner app.

Responsible Disclosure: Confirmed by Google. Fixed.

AndroidID-168319670: High severity

CVE ID: CVE-2021-0317

[Demo video: demo-bug-osUpdate.mp4]

DS#5: Dormant Permission Group

In this demo, the PoC app obtains the ACTIVITY_RECOGNITION permission (a dangerous system permission) without user consent.

The adversary exploits the new system permission group introduced in Android 10, that is, a dormant permission group.

Responsible Disclosure: Confirmed by Google. 

AndroidID-176828496: Moderate severity

CVE ID: To be assigned...

[Demo video: demo-new.mp4]

DS#6: Inconsistent Permission Type

In this demo, the PoC app gains unauthorized access to another app's resource that is protected by a signature permission, even though the two apps are signed with different certificates.

The adversary exploits the inconsistent permission type in the permission's definition and its granting status.

Responsible Disclosure: Confirmed by Google. 

AndroidID-155649020: Low severity