On demystifying the android application framework: Re-visiting android permission specification analysis

Michael Backes, Sven Bugiel, Erik Derr, Patrick McDaniel, Damien Octeau, Sebastian Weisgerber

Research output: Chapter in Book/Report/Conference proceedingConference contribution

90 Scopus citations


In contrast to the Android application layer, Android’s application framework’s internals and their influence on the platform security and user privacy are still largely a black box for us. In this paper, we establish a static runtime model of the application framework in order to study its internals and provide the first high-level classification of the framework’s protected resources. We thereby uncover design patterns that differ highly from the runtime model at the application layer. We demonstrate the benefits of our insights for security-focused analysis of the framework by re-visiting the important use-case of mapping Android permissions to framework/SDK API methods. We, in particular, present a novel mapping based on our findings that significantly improves on prior results in this area that were established based on insufficient knowledge about the framework’s internals. Moreover, we introduce the concept of permission locality to show that although framework services follow the principle of separation of duty, the accompanying permission checks to guard sensitive operations violate it.

Original languageEnglish (US)
Title of host publicationProceedings of the 25th USENIX Security Symposium
PublisherUSENIX Association
Number of pages16
ISBN (Electronic)9781931971324
StatePublished - Jan 1 2016
Event25th USENIX Security Symposium - Austin, United States
Duration: Aug 10 2016Aug 12 2016

Publication series

NameProceedings of the 25th USENIX Security Symposium


Conference25th USENIX Security Symposium
Country/TerritoryUnited States

All Science Journal Classification (ASJC) codes

  • Information Systems
  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications


Dive into the research topics of 'On demystifying the android application framework: Re-visiting android permission specification analysis'. Together they form a unique fingerprint.

Cite this