
Flaws in the Android Permission Protocol with Limited Verification
Author(s) - Viktor Erokhin
Publication year - 2021
Publication title - Voprosy kiberbezopasnosti
Language(s) - English
Resource type - Journals
ISSN - 2311-3456
DOI - 10.21681/2311-3456-2021-1-2-17
Subject(s) - permission, android (operating system), computer science, computer security, java, operating system, law, political science
Purpose of the article: to analyze the permission protocol implemented in the Android operating system, the most popular operating system for smartphones and other electronic gadgets; to consider a formal model of the Android permission protocol and describe the automatic security analysis of this model; and to identify potential flaws in the permission protocol.
Research method: a formal model of the Android permission protocol, written in C++ using the Java NDK and based on first-order relational logic, is considered together with an analysis engine that performs limited model validation.
Result: a formal model of the Android permission protocol was created in C++ using the Java NDK. The model identified flaws in the Android permission protocol and thus exposed Android security vulnerabilities. The developed model of the Android permission protocol consists of three parts: an Android device architecture query, an Android permission scheme request, and system operations. Flaws in Android OS related to the custom permissions vulnerability were fixed. An experiment is presented to demonstrate the feasibility and prevalence of the custom permissions vulnerability in existing Android applications. Examination of real Android applications supports our finding that flaws in the Android permission protocol can have serious security implications for electronic gadget applications, and in some cases allow an attacker to completely bypass permission checks. A study of one of the vulnerabilities showed that it is widespread among many existing Android applications. Most developers do not perform any additional validation to ensure that inbound APIs come from trusted applications or vendors, which suggests they may not be aware of the custom permissions vulnerability despite its potential for security breaches. The result will be useful to software developers working on operating systems with permissions (Android, iOS and Fire OS).