Application-centric security policies on unmodified Android

Google’s Android platform uses a fairly standard resource-centric permission model to protect resources such as the camera, GPS, and Internet connection. We claim that a much better permission model for developers and users would be application-centric, with a vocabulary that directly relates to application-level functionality, e.g., one permission could allow camera use, but only for barcode scanning; another could allow Internet access, but only to certain domains. Despite the large apparent gap between resourceand application-centric permissions, we argue that Android already provides the necessary mechanisms to support an expressive and practical form of application-centric policies. Specifically, each application-centric permission can be represented by a new Android permission and can be enforced by coupling the permission with a trusted service running in its own process. We present a survey of the top 24 free Android apps and show that a small vocabulary of application-centric permissions covers much of the functionality of those apps. We also describe a prototype implementation of our approach.