Permissions are the cornerstone of the Android security model, as they mediate access to the sensitive resources of the phone. Consequently, improper use of the Android permission model can lead to permission-induced issues that disrupt the functional and non-functional behavior of apps. However, due to the lack of automated tools for detecting such issues, many of these defects are shipped with the final product, which not only dissatisfies end users but also exposes their phones to security risks. This dissertation proposes and describes a set of automated tools, namely Covert, Separ, Terminator, and PATDroid, to detect and prevent permission-induced issues in Android apps, specifically (I) permission-induced security attacks and (II) permission-induced compatibility defects.
By combining static analysis with formal methods, Covert and Separ provide compositional analysis and enforcement techniques, respectively, for the detection and prevention of permission-induced security attacks, particularly those that arise from the interaction of multiple apps. However, by ignoring the temporal aspects of an attack, Covert and Separ, as well as the other techniques aimed at protecting users against permission-induced attacks, are prone to low coverage in detection and high disruption in prevention of such attacks. Terminator addresses this shortcoming by incorporating the notion of time in both the detection and the prevention of attacks. Terminator leverages temporal logic model checking to detect permission-induced threats, and then relies on Android's dynamic permission mechanism to thwart the identified threats by revoking unsafe permissions. However, such a countermeasure, i.e., permission revocation, could itself introduce other defects, such as a crash, if the target app suffers from a dynamic-permission-compatibility issue (for instance, it calls a permission-protected API assuming the permission granted earlier is still held). To identify such permission-induced compatibility defects, developers need to exhaustively re-execute their tests for all possible permission combinations (2^n combinations for n permissions), thereby increasing the time and resources required to test apps. PATDroid, the last approach proposed in this dissertation, is intended to help app developers with this challenge. PATDroid can significantly reduce the testing effort by performing a hybrid program analysis that determines which tests should be executed on which permission combinations. The conducted experiments corroborate the effectiveness and efficiency of Covert, Separ, Terminator, and PATDroid and their ability to identify and eliminate defects rooted in permission misuse in Android apps.
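As an added illustration (not code from the dissertation, nor from Terminator or PATDroid), the following Python model shows the two points made above. First, a feature that assumes an earlier permission grant still holds crashes with a SecurityException analog once the permission is revoked, while a variant that re-checks the grant degrades gracefully. Second, a per-test permission-combination plan, driven by an assumed per-test "permissions touched" table that stands in for what a hybrid program analysis would report, runs each test on 2^k combinations of the k permissions it actually reaches instead of all 2^n, and still flags the same crashing test. The Context class, the permission names, the feature functions and the test table are all constructed here.

```python
"""Constructed model of permission-induced compatibility defects and of
per-test permission-combination planning. Not PATDroid's or Terminator's
code: the per-test 'relevant permissions' sets below are assumed inputs
standing in for the output of a hybrid static/dynamic analysis."""
from itertools import combinations
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple


class SecurityException(Exception):
    """Analog of the exception a protected Android API raises when the
    calling app does not hold the required permission."""


class Context:
    """Minimal stand-in for an Android Context holding the granted set."""

    def __init__(self, granted: Iterable[str]):
        self.granted = frozenset(granted)

    def check_self_permission(self, perm: str) -> bool:
        return perm in self.granted

    # Protected framework calls: each one is gated by a single permission.
    def get_last_known_location(self) -> str:
        if "ACCESS_FINE_LOCATION" not in self.granted:
            raise SecurityException("ACCESS_FINE_LOCATION not granted")
        return "37.42,-122.08"  # constructed sample value

    def query_contacts(self) -> List[str]:
        if "READ_CONTACTS" not in self.granted:
            raise SecurityException("READ_CONTACTS not granted")
        return ["alice", "bob"]  # constructed sample value


# Two versions of one feature. The unsafe one assumes the permission it was
# granted earlier is still held, so a later revocation crashes it; the safe
# one re-checks before every protected call, which is what an app must do
# to be compatible with dynamic (revocable) permissions.
def share_location_unsafe(ctx: Context) -> str:
    return ctx.get_last_known_location()


def share_location_safe(ctx: Context) -> str:
    if not ctx.check_self_permission("ACCESS_FINE_LOCATION"):
        return "location unavailable"  # degrade instead of crashing
    return ctx.get_last_known_location()


def invite_contacts_safe(ctx: Context) -> int:
    if not ctx.check_self_permission("READ_CONTACTS"):
        return 0
    return len(ctx.query_contacts())


ALL_PERMISSIONS = ("ACCESS_FINE_LOCATION", "READ_CONTACTS", "CAMERA", "RECORD_AUDIO")

# test name -> (test body, permissions the body's code path touches).
# Constructed here; a hybrid program analysis would derive these sets.
TESTS: Dict[str, Tuple[Callable[[Context], object], Set[str]]] = {
    "test_share_location_unsafe": (share_location_unsafe, {"ACCESS_FINE_LOCATION"}),
    "test_share_location_safe": (share_location_safe, {"ACCESS_FINE_LOCATION"}),
    "test_invite_contacts_safe": (invite_contacts_safe, {"READ_CONTACTS"}),
}


def subsets(perms: Iterable[str]) -> List[FrozenSet[str]]:
    """All 2^len(perms) granted/revoked combinations of the given permissions."""
    ordered = sorted(perms)
    return [frozenset(c) for k in range(len(ordered) + 1)
            for c in combinations(ordered, k)]


def exhaustive_plan(tests, all_perms) -> List[Tuple[str, FrozenSet[str]]]:
    """Every test on every one of the 2^n combinations of all permissions."""
    return [(name, combo) for name in tests for combo in subsets(all_perms)]


def reduced_plan(tests, all_perms) -> List[Tuple[str, FrozenSet[str]]]:
    """Each test only on the 2^k combinations of the k permissions it touches.
    Permissions a test never reaches cannot change its outcome, so they are
    fixed to 'granted' rather than enumerated."""
    plan = []
    everything = frozenset(all_perms)
    for name, (_, relevant) in tests.items():
        untouched = everything - frozenset(relevant)
        for combo in subsets(relevant):
            plan.append((name, combo | untouched))
    return plan


def run_plan(plan, tests) -> Dict[Tuple[str, FrozenSet[str]], str]:
    """Execute a plan; record 'crash' wherever a SecurityException escapes."""
    results = {}
    for name, granted in plan:
        body = tests[name][0]
        try:
            body(Context(granted))
            results[(name, granted)] = "pass"
        except SecurityException:
            results[(name, granted)] = "crash"
    return results


def crashes(results) -> Set[Tuple[str, FrozenSet[str]]]:
    return {key for key, outcome in results.items() if outcome == "crash"}


if __name__ == "__main__":
    for label, plan in (("exhaustive", exhaustive_plan(TESTS, ALL_PERMISSIONS)),
                        ("reduced", reduced_plan(TESTS, ALL_PERMISSIONS))):
        bad = crashes(run_plan(plan, TESTS))
        print(f"{label}: {len(plan)} runs, crashing tests: {sorted({n for n, _ in bad})}")
```

With four permissions and three tests, the exhaustive plan schedules 48 runs and the reduced plan 6, and both plans report the same single crashing test, the one that skips the re-check. The reduction is sound only because each test's permission set really does cover every protected call on its path; that is exactly the information the hybrid analysis has to get right.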