Android Custom Permissions Demystified: From Privilege Escalation to Design Shortcomings

Permission is the fundamental security mechanism for protecting user data and privacy on Android. Given its importance, security researchers have studied the design and usage of permissions from various aspects. However, most of the previous research focused on the security issues of system permissions. Overlooked by many researchers, an app can use custom permissions to share its resources and capabilities with other apps. However, the security implications of using custom permissions have not been fully understood.In this paper, we systematically evaluate the design and implementation of Android custom permissions. Notably, we built an automatic fuzzing tool, called CuPerFuzzer, to detect custom permissions related vulnerabilities existing in the Android OS. CuPerFuzzer treats the operations of the permission mechanism as a black-box and executes massive targeted test cases to trigger privilege escalation. In the experiments, CuPerFuzzer discovered 2,384 effective cases with 30 critical paths successfully. Through investigating these vulnerable cases and analyzing the source code of Android OS, we further identified a series of severe design shortcomings lying in the Android permission framework, including dangling custom permission, inconsistent permission-group mapping, custom permission elevating, and inconsistent permission definition. Exploiting any of these shortcomings, a malicious app can obtain dangeroussystem permissions without user consent and further access unauthorized platform resources. On top of these observations, we propose some general design guidelines to secure custom permissions. Our findings have been acknowledged by the Android security team and rated as High severity.