{"title":"Automated Identification of Over-Privileged SmartThings Apps","authors":"Atheer Abu Zaid, Manar H. Alalfi, A. Miri","doi":"10.1109/ICSME.2019.00037","DOIUrl":null,"url":null,"abstract":"The permission system in the SmartThings platform governs how apps access devices. The system was designed to protect devices from third-party apps, by forcing apps to access devices through their capabilities. Design flaws in the system result in apps being over-privileged with unauthorized capabilities. This vulnerability represents serious security challenges to this platform and its users. In this paper, we present an automated tool that can identify over-privilege vulnerability in SmartThings apps. We have identified common patterns, and we have used this knowledge to design our automated over-privilege detection tool. We have evaluated the effectiveness of our tool on 222 official and third-party apps, and we have found that approximately 5.5% of defined devices were misused with 76 identified instances of over-privilege.","PeriodicalId":106748,"journal":{"name":"2019 IEEE International Conference on Software Maintenance and Evolution (ICSME)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2019-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE International Conference on Software Maintenance and Evolution (ICSME)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSME.2019.00037","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2
Abstract
The permission system in the SmartThings platform governs how apps access devices. The system was designed to protect devices from third-party apps, by forcing apps to access devices through their capabilities. Design flaws in the system result in apps being over-privileged with unauthorized capabilities. This vulnerability represents serious security challenges to this platform and its users. In this paper, we present an automated tool that can identify over-privilege vulnerability in SmartThings apps. We have identified common patterns, and we have used this knowledge to design our automated over-privilege detection tool. We have evaluated the effectiveness of our tool on 222 official and third-party apps, and we have found that approximately 5.5% of defined devices were misused with 76 identified instances of over-privilege.