[Dailydave] Android Attacks Slides
noloader at gmail.com
Fri Mar 30 17:50:23 EDT 2012
Android Attacks (Bas Alberts/Massimiliano Oldani),
Perhaps I'm reading Slide 15 wrong:
Fine grained Permission/Capability model
● Per installed Application (Manifest)
● Per URI (Intent permission flags)
I believe Android lacks Fine Grained permissions:
Felt, Adrienne Porter; Chin, Erika; Hanna, Steve; Song, Dawn; Wagner,
David. "Android Permissions Demystified,"
Jeon, Jinseong; Micinski, Kristopher K.; Vaughan, Jeffrey A.; Reddy,
Nikhilesh; Zhu, Yixin; Foster, Jeffrey S.; Millstein, Todd. "Dr.
Android and Mr. Hide: Fine-grained security policies on unmodified
In fact, the permissions are so coarse grained and borked that Google
was giving everyone READ_PHONE_STATE whether they wanted it or not (the
practice has been changed). And READ_PHONE_STATE includes call
status, incoming number, identity information such as IMSI, etc. See
"Android permissions: Phone Calls: read phone state and identity,"