A Comprehensive Analysis of Android Security and Proposed Solutions

Full Text (PDF, 589KB), PP.9-20



Asim S. Yuksel 1,*, Abdul H. Zaim 2, Muhammed A. Aydin 3

1. Suleyman Demirel University/Computer Engineering Department, Isparta, 32260, Turkey

2. Istanbul Commerce University/Computer Engineering Department, Istanbul, 34378, Turkey

3. Istanbul University/Computer Engineering Department, Istanbul, 34320, Turkey

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2014.12.02

Received: 6 Apr. 2014 / Revised: 4 Aug. 2014 / Accepted: 15 Sep. 2014 / Published: 8 Nov. 2014

Index Terms

Mobile Security, Mobile Privacy, Mobile Application Security, Android Operating System, Android Security Architecture


The increasing popularity of smart devices has led users to complete all of their daily work with these devices. Users are now able to shop online and share information with the applications that they install on their smart devices. Installed applications gain access to various sensitive information, such as the user's contact list, phone number and location. However, there is no control mechanism in place that can check whether these applications are safe to install. Therefore, applications are installed according to the users' decisions, without any limitations or warnings. As a result, users become the target of malicious applications, and their personal security and privacy are compromised. In this study, we investigate the security solutions that aim to protect the privacy and security of Android users. We reveal the shortcomings of mobile security solutions and shed light on them for the research community. Additionally, we present a taxonomy of Android-based mobile security solutions.

Cite This Paper

Asim S. Yuksel, Abdul H. Zaim, Muhammed A. Aydin, "A Comprehensive Analysis of Android Security and Proposed Solutions", International Journal of Computer Network and Information Security (IJCNIS), vol. 6, no. 12, pp. 9-20, 2014. DOI: 10.5815/ijcnis.2014.12.02

