What are the benefits of the permission policy update on Android 8.0 and above?
Android slightly changed their permission policy in Android 8.0:
Prior to Android 8.0 (API level 26), if an app requested a permission at runtime and the permission was granted, the system also incorrectly granted the app the rest of the permissions that belonged to the same permission group, and that were registered in the manifest.

For apps targeting Android 8.0, this behavior has been corrected. The app is granted only the permissions it has explicitly requested. However, once the user grants a permission to the app, all subsequent requests for permissions in that permission group are automatically granted.

For example, suppose an app lists both READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE in its manifest. The app requests READ_EXTERNAL_STORAGE and the user grants it. If the app targets API level 25 or lower, the system also grants WRITE_EXTERNAL_STORAGE at the same time, because it belongs to the same STORAGE permission group and is also registered in the manifest. If the app targets Android 8.0 (API level 26), the system grants only READ_EXTERNAL_STORAGE at that time; however, if the app later requests WRITE_EXTERNAL_STORAGE, the system immediately grants that privilege without prompting the user.
What is the benefit of such a change? It looks like they achieve the same end result. What could go wrong with the previous approach that the new one fixes?
Well, you see, there was this bug...

Quoting the research paper, with emphasis:
First, the adversary creates an app that includes in its manifest file a custom permission declaration with the protection level *normal* or *signature* and sets this custom permission to be a part of a system permission group (e.g., storage, camera etc.). Then, they update the definition of this custom permission so that the protection level is changed to *dangerous* and proceed to push an update to their app on the respective app market... The expectation is that since the custom permission is of level *dangerous*, the user will be prompted at runtime to make a decision on whether to grant or deny this permission in the runtime permission model. However, the malicious app automatically gets granted the permission. In addition, since the runtime permission model grants *dangerous* permissions on a group basis, the app also automatically obtains all the other requested dangerous permissions of the system permission group that the original permission belongs to. Same procedure can be followed to attack *any* system permissions group; hence, the adversary can silently obtain *all* system permissions simultaneously. Requesting dangerous permissions in the Android manifest constitutes no problems for the adversary, as permission requirements of an app are not directly presented to users at installation since Android 6.0. Hence, the user will be completely unaware that all these system permissions are granted to the app.
AFAICT, this Android 8.0 change is part of the mitigation strategy for this bug. It only helps a little on its own, so I assume other changes were made as well. Still, given the nature of the bug in the paper and the nature of this Android 8.0 change, I have to assume the two are at least somewhat related.
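As an added illustration (not code from the question, the answer, the paper or Android itself), the Python below is a toy model that encodes only the three rules quoted above: normal/signature permissions are granted silently at install, pre-API-26 a granted dangerous permission drags the rest of the requested group with it, and on API 26+ only the requested permission is granted but later requests in an already-granted group get no prompt. It replays the honest READ/WRITE case and the paper's custom-permission upgrade; the custom permission name, the App class and the grant logic are constructed for the example and simplify real PackageManager behaviour (in particular, the model has the app ask for the group's other permissions rather than receiving them unasked, which changes nothing about whether the user is prompted).

```python
# Toy model of the quoted runtime-permission rules. Added example, not
# Android's PackageManager code; names marked below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

NORMAL, SIGNATURE, DANGEROUS = "normal", "signature", "dangerous"
STORAGE = "android.permission-group.STORAGE"
READ = "android.permission.READ_EXTERNAL_STORAGE"
WRITE = "android.permission.WRITE_EXTERNAL_STORAGE"


@dataclass
class Permission:
    name: str
    level: str                   # normal / signature / dangerous
    group: Optional[str] = None  # permission group, None if ungrouped


# Subset of system permissions (real names, constructed sample table).
SYSTEM: Dict[str, Permission] = {
    READ: Permission(READ, DANGEROUS, STORAGE),
    WRITE: Permission(WRITE, DANGEROUS, STORAGE),
}


@dataclass
class App:
    target_sdk: int
    requested: List[str]                                          # <uses-permission>
    declared: Dict[str, Permission] = field(default_factory=dict)  # <permission> it defines
    granted: Set[str] = field(default_factory=set)
    prompts: List[str] = field(default_factory=list)               # what the user was asked

    def perm(self, name: str) -> Permission:
        return self.declared.get(name) or SYSTEM[name]

    def install_or_update(self) -> None:
        # Rule 1: non-dangerous permissions are granted silently at install.
        # Grants already held are kept across an update in this model.
        for n in self.requested:
            if self.perm(n).level != DANGEROUS:
                self.granted.add(n)

    def request(self, name: str, user_says_yes: bool) -> bool:
        p = self.perm(name)
        if name in self.granted or p.level != DANGEROUS:
            return True
        if p.group and any(self.perm(g).group == p.group for g in self.granted):
            # Rule 3 (pre-26 behaves the same): group already holds a grant, no prompt.
            self.granted.add(name)
            return True
        self.prompts.append(name)
        if not user_says_yes:
            return False
        self.granted.add(name)
        if self.target_sdk < 26 and p.group:
            # Rule 2: the pre-26 bug hands over every requested permission of the group.
            for n in self.requested:
                q = self.perm(n)
                if q.group == p.group and q.level == DANGEROUS:
                    self.granted.add(n)
        return True


def honest_app(target_sdk: int) -> Set[str]:
    """App lists READ and WRITE, asks only for READ, user says yes."""
    app = App(target_sdk, [READ, WRITE])
    app.install_or_update()
    app.request(READ, user_says_yes=True)
    return set(app.granted)


def upgrade_attack(target_sdk: int):
    """The paper's custom-permission upgrade replayed against the model."""
    custom = Permission("com.example.attacker.CUSTOM", NORMAL, STORAGE)  # constructed name
    app = App(target_sdk, [custom.name, READ, WRITE], {custom.name: custom})
    app.install_or_update()   # v1: custom is 'normal' inside STORAGE -> granted silently
    custom.level = DANGEROUS  # v2: the definition is flipped to 'dangerous'
    app.install_or_update()   # update installed; the earlier grant is kept
    for n in (READ, WRITE):   # the user is never prompted, so the answer is irrelevant
        app.request(n, user_says_yes=False)
    return set(app.granted), list(app.prompts)


if __name__ == "__main__":
    for sdk in (25, 26):
        print(sdk, "honest:", sorted(honest_app(sdk)))
        print(sdk, "attack:", upgrade_attack(sdk))
```

Under these rules the API 26 change removes only the unrequested WRITE grant in the honest case; in the upgrade case both targets end up holding READ, WRITE and the custom permission with an empty prompt list, which is the sense in which the change "only helps a little".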