Automatically Securing Permission-Based Software by Reducing the Attack Surface: An Application to Android
A common security architecture, called the permission-based security model (used e.g. in Android and Blackberry), entails intrinsic risks. For instance, applications can be granted more permissions than they actually need what the people call a "Permission gap". Malware can leverage the unused permissions for achieving their malicious goals, for instance using code injection. In this paper, the authors present an approach to detecting permission gaps using static analysis. Their prototype implementation in the context of Android shows that the static analysis must take into account a significant amount of platform-specific knowledge.