A REVIEW ON ANDROIDS APPLICATION SECURITY

Siti Nur Hakima Binti Mohamed

Faculty Of Computer and Mathematical Sciences
Universiti Teknologi MARA
Shah Alam, Malaysia
hakima_mohamed91@yahoo.com
Abstract Security need to be concerned as to ensure that the
system can function well as that users need. With the
increasing of the varying operating system in smartphones, it
provides easier ways for users use many functions like gaming,
writing or reading and so on and also make connections with
other devices. Android is one of the most popular operating
system. Android has designed the security model for
mechanism in order to protect the users data or resources.
Permission-based model is one of the security models that
Android develops. Android and iOS have same goal in order to
protect the security in a smartphone, but iOS provides
different mechanism. In this paper, we make a review of
Androids security where we define the weaknesses on Android
and also include the comparison of Android and iOS as same
UNIX Kernel based on security aspects.
Keywords- Android, operating system; Permission-based
model, security, iOS, UNIX Kernel

I.

INTRODUCTION

Security becomes a very important area in order to

protect data and information from any kind of threat,
whether from human and technical errors, disasters or
accidents, fraud and so on. As for many businesses
depending on their information system for business
process, software application and information system
become an important part in every field of life. The
organization uses to store important data electronically
[1]. Applications and system need to be secure to establish
trust from the users and organizations [1]. Therefore, the
security is an important concept in the design and analysis
for secured system.
Such like smartphones, there is a variety of software
operating system running on such as Android, iOS,
Window phone and so on. In order to make secure system
for smartphones, the organization builds the operating
system that provides security mechanism. The smartphone
is not just a common mobile phone that has a basic
feature phone. This is a mobile phone has an ability to
provide better and advance of computing ability and
connectivity. Android is one of the most popular mobile
operating system on the market since the beginning of the
first Android in October 2008 [2].
According to a Gartner study, android become the
second-most popular operating system in the world and it
will challenge the number one because of the growing at a

Wan Ya Bin Wan Hussin

Faculty Of Computer and Mathematical Sciences
Universiti Teknologi MARA
Shah Alam, Malaysia
wanya@salam.uitm.edu.my
fast rate [3]. The Android Market has experienced high
development since the improvement of the application has
permitted user to upload applications to the market.
People like to use android device is because Android is an
open source operating system. The open source means
that people can build or get the source code and creating
for applications. However, Android has high market share
and it also the open source architecture which makes it be
the most vulnerable mobile operating system to security
attack [4]. Androids increasing popularity is one of the
factors that turn it into the one of most targets for many
malicious numbers of applications [5].
Therefore, security becomes the crucial part when
dealing with the important data or information. People
want to use software that can protect user data or
resources. Android goals are to protect user data and also
system resources [6]. Therefore, Android has provided a
security mechanism to help user to protect their
information. However, the security that Android provides
is not enough. Based on research studies, there are
vulnerabilities that allow the threat from attackers.
In this paper, we make a review of Androids security
since the central issue is based on security. We discussed
on Android vulnerabilities that affect the security on
Android.
The paper is structured as follows: in Section 2, we
make a review on smartphones security. In Section 3, we
discuss the Androids vulnerabilities or the issues on
Android. Lastly, we conclude the paper with a conclusion
about the Androids security in Section 4.
II. SMARTPHONES SECURITY
A. Software security
Software problem is the critical aspect of the security
problem [7].
When the software detects to have
vulnerabilities, then there are possibility of the threat to
spread and malicious to attack in the system. The software
security is about the way to build the secure software. This
is more about to design the software to be more secure,
ensure that the software is secure and help to educate the
software developers or users on how to develop secure
things [7].

As we understand, any software or system builds will

need to have security aspect. Security can be taken as the
important part of the system in the organization in order to
protect the data and information. It is where users or people
have trustworthy to the system. Confidentiality, integrity
and availability are the main attributes in security [8]. These
attributes can be enforced in any variety places within an
enterprise [8].
Confidentiality is about preventing or protect
from unauthorized disclosure of data [8].
Integrity is close to confidentiality where the
integrity is about to protect or prevent from
unauthorized modification of data [8].
Availability is about protecting from loss of
access to data and resources [8].
However, the design of the system should not be too high
or hard for users to use. The more complex the security
mechanism becomes, the less guarantee levels of the
security mechanism [8]. The system like military system is
true to have high security in order to protect from others
attack. Therefore, the military system needs to be more
complex or more secure to make common users hard to use.
The more complex of the system becomes, the more users
unable to conduct the system because of the hardness in
understanding the process or flow of the system. For
smartphone, there should not be a complex security because
many different levels of users used the smartphone. There
are be a certain different level of complexity of the software
depend on how confidential the system is. It is needed to be
more useful and easier.
B. Smartphone security
Smartphone contain components of the computing
platform which are an operating system, applications and
hardware [9]. As what we know, the smartphone has the
ability to connect to various subject, PC, internet and also to
other mobile phones using wireless network [10]. This all
features give users more desire to use it. However, this
feature looks like to invite the malicious attacker or software
to make the threat of smartphones in various paths. There
are some applications that need to use the internet to
connect with web or other devices and also to various
wireless networks.
The studies have defined that smartphone contains assets
that considered to be the target for the vulnerabilities and
attack [10]. The assets consist of three which are
Private information which is information that
have in smartphones included all data that store
or transmitted out to smartphones.
A device which is the smartphones itself [10]. It
is because the smartphone can create a
connection that cause the threat. Instance, if the

phone lost, then malicious user can cause

overcharging [10].
The applications which can be defined in two
types of application. There are applications that
are freely distributed by user or online
application store and the other one is
commercially used with digital rights [10].

The attacks make users become afraid to make any

transaction or connection using the smartphone. Therefore,
security companies have provided some security solution.
All the security applications can be found and get on an
online market. Besides making money, the companies help
users in protecting the resources in Smartphones.
Providing the security application is not enough to make
sure that the smartphone is secure. The security applications
provided only to prevent attack or threat from outside such
as malware. To make the smartphone more secure, there is
certain security mechanism that needs to be adopted such as
platform modification, regular update and so on [10].
III. ISSUES ON ANDROID BASED SMARTPHONE
In any system or software, there will be certain
weaknesses that will lead to the low of performance. In
order to describe more about the issues in Android, the
focus will be on review of the Android's architecture. The
Android security mechanism defines to understand the
features of the security that has built on Android. Android is
a Linux-based open source software stack for mobile
devices. It consists of an operating system, middleware and
key applications that have API libraries [1], [12], [13].
A. Android architecture
The architecture in Android is a hierarchical architecture
[14]. The Android operating systems goals are to secure the
user data and system resources and also give an application
isolation [6]. Therefore, Android provides security features
to achieve these goals.
An open development platform is provided by Android
and it offers the developers ability to develop incredibly
rich and imaginative applications. Developers are free to
take advantage to be the superiority of access location
information, device hardware, run background service and
add inform to status bar [15]. The Android platform is
divided into five parts which are Linux kernel, system
libraries, Android run time, and application framework.
B. Android security mechanism
Current Androids security model design with two
layers: an applicationlevel permission model (Android
Permission) and a kernel-level sandboxing and isolation
mechanism. All applications are run in a sandbox and

permissions are declared in order to access the resources in

smartphones and it is a.
1) Sandboxing mechanism
Every application runs on its own process with its own
user and group ID create it a sandbox. Therefore, the
application cannot interact with each other because they do
not share the resources. The application has access to
limited system resources as it runs on application sandbox.
At the time of application installation, the ID or UID was
assigned [16]. This is to make sure that there will no more
applications can run in the same process . The shareUserId
is used when the applications need to share the same
process. The application needs to request a specific UID.
However, the applications also need to be signed with the
same signature if request to share the same UID. This design
is to ensure that the private information of the application
will not be accessed by other applications.
2) Application
permission
mechanism
Permissions used in Android to protect from malicious
application. Permission model requires an application to
request the permission that needs to access the resources
and perform its activities before installing. An application is
needed to declare it necessary capabilities and get
confirmation from users upon installation [17]. Users will
notified during installations what the permissions that
application request for and receive. If users install the
application, then they need to grant the permission.
Otherwise, they can stop the installation if they deny
accepting the permission of the application.
The permission based model gives a controlled access to
many system resources and restrict access to others [bing].
According to Ahmed Ben Ayed, there are three protection
levels that categorized based on 152 permissions that has
define by Android 4.4 [18]. The three protection level
includes Normal Permissions, Dangerous Permission and
Signature or System Permissions. Figure 1 shows the basic
Android permission access control mechanism.

Figure 1. Basic Android Permission Access Control Mechanism [19]

Normal Permissions only will grant all the

permissions that request them. This permission
does not request the users explicit approval and
not considered give harmful to the user.
Dangerous Permissions are the permission that
only granted to the application that get user
confirmation during installation. If the user denies
confirming the permission, then the application
cannot be installed. This because the application
can access to private user data or can control over
the device that can give negative effect to the user.
It is potentially harmful to the API calls [19].
Signature or system Permissions are granted if the
permissions that application request meet the
criterion that need, the permissions are hard to get,
and they are given to applications that are signed
by the same developer that defines the permissions
[19].

Time-of-use and install-time is the two approaches in

accepting the permissions [20]. In time-of-use, when
execute the sensitive operation like accessing the device
location, user must confirm to this permission first. This
way used to protect applications from access device
resources. While in install-time, when user accepted the
permission, then users cannot make a choice which
permission needs to accept or deny. Users may accept all the
permission received if users tend to install the application.
An Android application has a set of permissions that need
to be granted before installation. All the permission is listed
to inform users what needs to receive in order to get the
applications. AndroidManifest.xml file as shown on figure 3
is the place where the permissions are declared. The
AndroidManifest.xml file is used to extract information on
permissions. The permissions that declared in this manifest
file cannot be changed or modified after installation. In
Android, Linux kernel gives the foundational mechanism
for sandboxing and application isolation. This mechanism
normally operates without visible by the application
developers and users, but it if an application does not intend
to violate the restrictions imposed by the kernel [13].
The same permission can be required by the Starting
Activities, starting or connecting to the Services, accessing
ContentProviders, sending and receiving broadcast Intents,
and also invoking Binder interfaces [21]. The Binder is a
low-level of an Android-specific IPC mechanism. The
Binder contains of a kernel-level driver and a user space
server. It works by allowing binder objects to communicate
with each other. Figure 2 shows an example of how binder
works to communicate the applications.
Android Permissions on Android services and APIs that
have the potential to adversely impact the user experience or
data on the device are protected with a mandatory access
control framework called Permissions [22]. Android
consists of several access controls. Android uses

Discretionary access control (DAC) to restrict the use of

system facilities by applications [13]. It is also used to
isolate applications from one another [13].

Figure 2. An example of how Application communicates [23]

Figure 3. An example of AndroidManifest.xml [24]

Now, Android makes an enhancement with replaces the

access control by developing the SELinux as a Mandatory
Access Control(MAC) mechanism for Linux. It is as
improvement to overcome the shortcomings of DAC [13].
MAC provides privileges that are limited for
subjects(processes) and objects(device, file, etc) [12]. MAC
allows the applications privileges to be controlled during
installation and runtime [12]. SELinux is fit for limiting the
privileged Android system daemons to shield them from
abuse and to limit the harm that should be possible through
them.
C. Androids vulnerabilities
. According to Google report [25], there are four types of
vulnerabilities recorded which are SSL vulnerabilities,
Android vulnerabilities, OEM/SOC specific vulnerabilities

and application vulnerabilities [25]. There are reported that

Android 4.4 KitKat have affected by the Master Key
vulnerabilities [26]. Security expert investigate that this
threat gain access to modified the system APK and without
make modification to orginal cryptographic key, then let
alware obtain full access to Android OS and the overall
installed applications [26]. The permission model that
discuss before is the core mechanism for securing access to
many resources in Android [27]. In this study, we focus on
application vulnerabilities, which focus more on permission
vulnerabilities of an application.
As we know, users can get to install the application on
Android using Androids Play Store. Android also supports
third party applications which users can install and get
through the Android Market. When user decides to install
any third-party application either through Android Market
on the web or phone, then Android application permission
will display [28].
Android uses permission-based model as a mechanism in
order to protect users information and resources. Although
there have been categorized into each of protection levels,
the vulnerabilities still increasing. Permission-based
mechanisms have some weaknesses. Due to permission
mechanism vulnerabilities, it gives a chance for malware to
access the confidential information on mobiles [28]. The
Android permission model is a defective model [28].
In order to make a decision, users have to decide whether
they want to allow the installation or deny it. When users
want to install the application, the permission will display to
aware users about the permission that the application will
access. The interface will display a list of permission that
application needs to receive. Android provides the All or
nothing decision. This decision is mean that the user needs
to grant or deny the entire permission list. This model gives
power to the user to make a decision. It depends on users
awareness.
When the authority information can only check during
installation, there are possibility of security threat occurs for
those that do not have enough knowledge or interest in the
concept of authority [29]. As an example, malicious
applications can take chances to make use of the SMS,
address book and mobile phone information using this
authority information. Not only that, they can modify or
delete the personal information or location information. This
is a dangerous aspect where there are possibilities for the
data and information get modify.
Although user alert about the permission, there are still
have confusion with the unclear permission displayed on
screen. Furthermore, users do not have any power to control
or modify the permission given. It is because the permission
depends on developer and users do not have right to control
any permissions of applications [5]. The developer wrote the
application and permission that require and developer might
claim that their application needs to complete access to the
setting of the phone and so on.

Using the third party technique, the traditional drivedownload gives another space for vulnerabilities. The attack
actually attracts the users to download feature-rich or
interesting app that will lead users to the attack of
malicious [27]. As an example, users click to the
advertisement link, then will be directed through to the
malicious website. This website asking for accessing the
location permission of the users phone and then will direct
through to fake Android Market to download the
applications.
There are some of the vulnerabilities arise from the
concept of sharing the UID that discussed before. Recent
studies stated that the permission systems suffer the problem
of the where developers requesting more unwanted
permissions than what needed [30]. Permission redelegation happened when an application that has
permissions is performing a privilege task on behalf of an
application without that permission [30]. This is when there
two different applications that are sharing the same user ID.
The sharing user ID causes each of the applications can
easily to access to the both resources. This threat is mainly
important for web browsers. Figure 4 shown the permission
delegation process.

Figure 4. Permission delegation flow[31]

IV.

CONCLUSION

Based on what have been discussed about the Android

security model, the need for security is proven. Security
becomes the main attribute in order to make system become
stronger. Security models are needed in order to make the
system have more protection and make user satisfied and
have trust in the system.
Android has designed the security model in order to
prevent from other malicious attacks. One of security
mechanisms that Android designed is permission-based
model. Although permission help gives warning to users
about the malicious application, it is not enough to prevent
from the malicious threat. It depends on user, whether or not
to allow the application to install. However, users do not
have authority to modify the application permission.
Googles Android and Apples iOS are some of the most
ordinary and popular Mobile operating system. These two
operating system gets high popularity. Thus, we are going to
discuss about these two operating systems and make a
comparison based on security aspects. . Although Android
and iOS are on the same UNIX Kernel, there are differences

in security permission that apply on this two operating

system.
There are some applications that freely to be
downloaded. However, in iOS the applications cannot
communicate directly with other applications. Apple has
been defined the application sandboxing for the iOS. The
application sandboxing has defined as a set of fine-grained
controls. Fine-grained control means that the application is
limited to only access to the file system, network hardware
[32]. A developer cannot request more than what have been
set in order to ensure that there will no unauthorized access
from unauthorized users.
In iOS, permission requests and sends to user a
notification on a pop-up window [33]. IOS do not have
explicit permission interface. However, the application
requests not possess standardized permission lists. IOS do
not use All or nothing permission to display the
permissions like Android, but iOS use take it or leave it
permission [33]. Users are given a decision to allow certain
basic permissions and users can manage the permission on
setting section.
IOS look more secured when users allow accessing the
system file in the root and also the setting phone not in each
application [32]. The best thing is, Apple will make a review
first on the application before the application is available on
Application store. Without the approval or signed from
private encryption key, users cannot install and run the
application [34].
Based on the comparison, we can see that iOS more
restrict in security. IOS only gives users to install the
applications only from their market. There are no thirdparties involved in order to protect from the threat. However,
this will create a limitation on installing the application.
Android gives a chance for users to get more application on
their market and also from the third-parties. This freedom
way, however, gives an opportunity for threat. Therefore,
there are pro and cons in these two platforms.
Android and iOS have different way in controlling the
permissions. In iOS, the application needs to pass Apples
check before can be stored in their market. Apple will make
the vetting process in order to scan for the applications that
detect to have threat. Developers do not get the signature like
the Android, but Apple itself will digitally sign the code for
each application. With this restriction, it looks like the iOs
more better and secure. However, this gives effect to the
applications. Research studies define that about 90% of
submission of applications to Apple App Store are being
denied or rejected because the applications do not fulfill the
requirements of what needed to do [35]. The permission that
is shown to users are limited. There are certain permission
that need to get an approval from the users like current
location. Therefore, applications are like to have limited
access to what they can do.
While in Android, it more depend on users. Users need to
make a decision to grant or deny the all the permissions
listed. Always trust to the system is not good because we do
not know when and how the system will have the
vulnerabilities and it can be deceiving. Users cannot modify
or make decision to choose which one of the permission they
can denied or accept. Developer play the role to create and
modify the code for permissions manifest file in order to
grant or receive the activities needed by the application.

The security mechanism that provide by Android is

good, but there are certain limitations or weaknesses which
block the users to do what they need in order to protect their
resources. Based on review in this paper, we think that the
permission model has certain design flaw that need to be
emphasized. Android needs to concern more on the
permission model to help users and developers get to access
the system based on their roles and prevent the unauthorized
access.
REFERENCES
[1] Zafar, Saad and Mehboob, Misbah and Naveed, Asma and Malik, B|
ushra (2013) Security quality model: an extension of Dromeys
model. Software Quality Journal. pp. 1-25. ISSN 0963-9314
[2] Franklin Tchakount, Paul Dayang, Jean Michel Nlong and Njei Check:
Understanding of the Behaviour of Android Smartphone Users in
Cameroon. In Open Journal of Information Security and Applications,
Volume 1, Number 2, pp.9-20, 2014
[3] SANS Institute InfoSec Reading Room,2010, Malicious Android
Applications: Risks and Exploitation
[4] Tse, D., Liu, X., Nusaputra, C., Hu, B., Wang, Y., & Xing, M. W.
(2014). STRATEGIES IN IMPROVING ANDROID SECURITY.
[5] June-seung Na, Younghoon Kim, Young-June Choi, and Woo-guil Pak,
"Mandatory Access Control for Android Application", ICTC 2014,
Oct. 22-24
[6] Sanjeev Srivatsa, 2014, Android Security Issues
[7] Gary McGraw (2006), Software Security: Building Security In,
Addison-Wesley Professional
[8] Shon Harris, CISSP Certification All-in-One Exam Guide, 3rd
edition,n.d
[9] Muneer Ahmad Dar & Javed Parvez (2013), Evaluating Smartphone
Application Security: A Case Study on Android, Global Journals Inc.
(USA), ISSN 0975-4172.
[10] Jeon, W., Kim, J., Lee, Y., & Won, D. (2011). A practical analysis of
smartphone security. In Human Interface and the Management of
Information. Interacting with Information (pp. 311-320). Springer
Berlin Heidelberg.
[11] Mis.Prajakta S. Deshbhratar & Prof. Mayur S. Burange, 2014, Android
Security Big Challenge
[12] Aron, L., & Hanek, P. Introduction to Android 5 Security. In
Proceedings of Student Research Forum Papers and Posters at (pp.
103-112). CEUR-WS. org.
[13] Smalley, S., & Craig, R. (2013, February). Security Enhanced (SE)
Android: Bringing Flexible MAC to Android. In NDSS (Vol. 310, pp.
20-38).
[14] Zhou, X., Lee, Y., Zhang, N., Naveed, M., & Wang, X. (2014, May).
The peril of fragmentation: Security hazards in android device driver
customizations. In Security and Privacy (SP), 2014 IEEE Symposium
on (pp. 409-423). IEEE.
[15] Bing, H. (2012, January). Analysis and research of system security
based on android. In Intelligent Computation Technology and

Automation (ICICTA), 2012 Fifth International Conference on (pp.

581-584). IEEE.
[16] Barrera, D., Clark, J., McCarney, D., & van Oorschot, P. C. (2012,
October). Understanding and improving app installation security
mechanisms through empirical analysis of android. In Proceedings of
the second ACM workshop on Security and privacy in smartphones
and mobile devices (pp. 81-92). ACM.
[17] Sun, M., & Tan, G. (2014, July). NativeGuard: Protecting android
applications from third-party native libraries. In Proceedings of the
2014 ACM conference on Security and privacy in wireless & mobile
networks (pp. 165-176). ACM
[18] Ayed, A. B. A literature Review on Android Permission System.
[19] Xiong, P., Wang, X., Niu, W., Zhu, T., & Li, G. (2014). Android
malware detection with contrasting permission patterns.
Communications, China, 11(8), 1-14.
[20] Varga, J., & Muska, P. Presenting Risks Introduced by Android
Application Permissions in a User-friendly Way. system, 5, 6.
[21] Burns, J. (2009). Mobile application security on Android. Black Hat,
9.
[22] Mis.Prajakta S. Deshbhratar & Prof. Mayur S. Burange, 2014, Android
Security Big Challenge
[23] Alin Tomescu, 2011, Android security model, unpublished
[24] Shin, W., Kiyomoto, S., Fukushima, K., & Tanaka, T. (2009, August).
Towards formal analysis of the permission-based security model for
android. In Wireless and Mobile Communications, 2009. ICWMC'09.
Fifth International Conference on (pp. 87-92). IEEE.
[25] Google report (2014), Android Security 2014 Year in Review
[26] Pierluigi Paganini, 2013, Android 4.4 KitKat also affected by Master
Key vulnerability
[27] Ingale, M. S. P., & Gupta, S. R. SECURITY IN ANDROID BASED
SMARTPHONE.
[28] Kelley, P. G., Consolvo, S., Cranor, L. F., Jung, J., Sadeh, N., &
Wetherall, D. (2012). A conundrum of permissions: installing
applications on an android smartphone. In Financial Cryptography
and Data Security (pp. 68-79). Springer Berlin Heidelberg
[29] Park, J. K., & Choi, S. Y. (2015). Studying Security Weaknesses of
Android System. International Journal of Security & Its Applications,
9(3).
[30] Au, K. W. Y., Zhou, Y. F., Huang, Z., & Lie, D. (2012, October).
Pscout: analyzing the android permission specification. In
Proceedings of the 2012 ACM conference on Computer and
communications security (pp. 217-228). ACM.
[31] Davide Danelon (2008), Android Apps permissions model (in) security
, The OWASP Foundation
[32] Ahmad, M. S., Musa, N. E., Nadarajah, R., Hassan, R., & Othman, N.
E. (2013, July). Comparison between android and iOS Operating
System in terms of security. In Information Technology in Asia
(CITA), 2013 8th International Conference on (pp. 1-4). IEEE.
[33] Sheppard, M. Smartphone Apps, Permissions and Privacy.
[34] Khandelwal, A., & Mohapatra, A. K. (2015). An Insight into the
Security Issues and Their Solutions for Android Phones.
[35] Tom Eston, Android vs Apple iOS Security Showdown