Security Investigate

Permission Re-Delegation: Attacks and Defenses

Download now Free registration required

Executive Summary

Modern browsers and smartphone operating systems treat applications as mutually untrusting, potentially malicious principals. Applications are isolated except for explicit IPC or inter-application communication channels and unprivileged by default, requiring user permission for additional privileges. Although inter-application communication supports useful collaboration, it also introduces the risk of permission re-delegation. Permission re-delegation occurs when an application with permissions performs a privileged task for an application without permissions. This undermines the requirement that the user approve each application's access to privileged devices and data. The authors discuss permission re-delegation and demonstrate its risk by launching real-world attacks on Android system applications; several of the vulnerabilities have been confirmed as bugs.

  • Format: PDF
  • Size: 328.8 KB