%0 Conference Paper %1 DDSW2010b %A Davi, Lucas %A Dmitrienko, Alexandra %A Sadeghi, Ahmad-Reza %A Winandy, Marcel %B Information Security Conference (ISC) %D 2010 %K myown %T Privilege Escalation Attacks on Android %X Android is a modern and popular software platform for smart-phones. Among its predominant features is an advanced security model which is based on application-oriented mandatory access control and sandboxing. This allows developers and users to restrict the execution of an application to the privileges it has (mandatorily) assigned at installation time. The exploitation of vulnerabilities in program code is hence believed to be confined within the privilege boundaries of an application’s sandbox. However, in this paper we show that a privilege escalation at-tack is possible. We show that a genuine application exploited at runtime or a malicious application can escalate granted permissions. Our results immediately imply that Android’s security model cannot deal with a transitive permission usage attack and Android’s sandbox model fails as a last resort against malware and sophisticated runtime attacks.

@inproceedings{DDSW2010b, abstract = {Android is a modern and popular software platform for smart-phones. Among its predominant features is an advanced security model which is based on application-oriented mandatory access control and sandboxing. This allows developers and users to restrict the execution of an application to the privileges it has (mandatorily) assigned at installation time. The exploitation of vulnerabilities in program code is hence believed to be confined within the privilege boundaries of an application’s sandbox. However, in this paper we show that a privilege escalation at-tack is possible. We show that a genuine application exploited at runtime or a malicious application can escalate granted permissions. Our results immediately imply that Android’s security model cannot deal with a transitive permission usage attack and Android’s sandbox model fails as a last resort against malware and sophisticated runtime attacks.}, added-at = {2020-05-03T20:09:10.000+0200}, author = {Davi, Lucas and Dmitrienko, Alexandra and Sadeghi, Ahmad-Reza and Winandy, Marcel}, biburl = {https://www.bibsonomy.org/bibtex/2e1eca0d85e42d19cb43808e4695c7025/sssgroup}, booktitle = {Information Security Conference (ISC)}, interhash = {6dd2108867949e5e295a0eb4d85cbb81}, intrahash = {e1eca0d85e42d19cb43808e4695c7025}, keywords = {myown}, location = {Boca Raton, Florida}, month = {October}, pdf = {https://se2.informatik.uni-wuerzburg.de/publications/download/paper/1528.pdf}, timestamp = {2022-12-20T00:42:22.000+0100}, title = {Privilege Escalation Attacks on Android}, venue = {ISC}, year = 2010 }