DPC:A Dynamic Permission Control Mechanism for Android Third-Party Libraries

Today's smartphone app stores are full of apps with diverse features. Many developers use third-party libraries to reduce the development time and cost, but developers often ignore the security problems of third-party libraries. A major security problem introduced by third-party libraries is that a third-party library has the same permissions as the apps, called host-apps hereafter, that use it. According to previous research, having the same permissions as its host apps, a third-party library could have unauthorized access to user data, which poses a serious threat to app users. Therefore, how to prevent third-party libraries from abusing permissions has become an important issue. To solve this problem, this paper proposes a Dynamic Permission Control mechanism, called Dynamic Permission Controller or DPC hereafter, for app developers to prohibit third-party libraries from abusing host apps' dangerous permissions. DPC modifies the permission control mechanism of Android framework to make apps have a more flexible permission management mechanism when they are running. DPC provides new APIs which allows an app to dynamically disable a granted dangerous permission before invoking an API of a third-party library and restore the dangerous permission after completing the API. Hence, DPC protects user's privacy by blocking unauthorized access from third-party libraries. Meanwhile, without the requirement that an app developer needs to know the detail of third-party libraries, the app still can use APIs of third-party libraries safely. Experimental results show that DPC works with many popular apps downloaded from Google Play well and DPC prohibits a third-party library from having the same dangerous permissions that its host apps have. Hence, unlike previous solutions, DPC does not have compatibility problems. The overhead introduced by DPC on an emulator and Nexus 7 are 1.8 and 0.3 percent respectively.