Role-Based Access Control Models for Android

Android uses runtime permissions to alert users of application resource usage. Only a limited portion of Android permissions are allowed to be managed by the users. This is made essential, because Android assigns permissions directly to applications, and the number of applications and permissions is high. However, due to this tradeoff, users are restricted from managing all the aspects of their own devices. Android itself groups permissions based on their functionality; however, these groups are immutable and non-overlapping, which confers a rigidity to the permission system. Prior work in adapting RBAC to Android exists but deviates from the standardized NIST RBAC and does not include sessions, a key component of RBAC, used to mitigate the exposure of system resources. So, to fully understand the benefits RBAC offers for Android, and to mitigate its permissions management problem, we propose three new models for RBAC in Android. Our models are aimed to address the issue of user permission management in conjunction with flexibility of being able to assign permissions to either users, applications, or app-components.