The Android Open Source Project provides a software stack for mobile devices. The provided API enforces restrictions on specific operations a process is allowed to perform through a permissions mechanism. Due to the fine-grained nature of the model (and lack of a map), it is non-obvious which calls require which permission(s) for an API of over 2400 classes. Also, due to the on-going development of the AOSP and API, these required permissions have changed. Both of these provide headaches for application security testers and application developers. We first discuss our methodology for building a Android API permission map, including active and passive discovery tools. We then present the evolution of the map as the Android API has transformed through releases. This work is significant because of the need for an understanding of the API permission requirements in application security testing and the current lack of clarity in this ever-growing environment.
Andrew Reiter has been in someway involved with the security industry since the late 1990s. He has worked as a security researcher for Foundstone, BindView, and WebSense. Currently, he is working on the research team at Veracode. Andrew holds a BS and MS in Mathematics from UMASS-Amherst.
Zach Lanier is a Security Researcher with Veracode, specializing in network, mobile, and web application security. Prior to joining Veracode, Zach served as Principal Consultant with Intrepidus Group, Senior Network Security Analyst at Harvard Business School, and Security Assessment Practice Manager at Rapid7. He has spoken at a variety of security conferences, including INFILTRATE, ShmooCon, and SecTor, and is a co-leader of the OWASP Mobile Security Project. Zach likes Android, vegan food, and cats (but not as food).