Third party libraries fear the Android’s REAPER
In the modern era, smartphones have become a vital means of human communication holding sensitive user information. Within this framework, the popular Android-based devices present limitations concerning their permission management system, generating privacy risks as they are strongly dependent on third-party libraries, facilitating code development, granting developers with a steady stream of revenue. Moroever, the spread of vulnerable third-party libraries can have negative repercussions for Android users due to the fact that they incentivize apps to request more permissions than required resulting in extensive leakage of personal information.
Lately, Android 6 moved towards a more fine-grained run time permission system where users can either accept or reject a permission request at run time or rescind permissions at any time from the system’s settings. Despite mobile users are now privileged with a more precise granting of permissions, they still lack required resources to identify which permission requests relate to the functionality of the app and which rendered to untrusted third-party libraries. As a consequence, apps remain a black box with hidden inner workings and therefore Android users cannot make informed decisions on which permissions should be granted to each app. This can prevent them from gaining fully benefits from its potential.
Michalis Diamantaris, Elias P. Papadopoulos, Evangelos P. Markatos, Sotiris Ioannidis, and Jason Polakis in their research work “REAPER: Real-time App Analysis for Augmenting the Android Permission System” address this challenge by presenting the REAPER system, which provides a novel dynamic analysis that can trace in real time the permissions requested by apps and can discriminate those requested by the app’s core functionality from those requested by the app’s third-party libraries. To a greater extent, they have deployed a sophisticated UI automator that can dynamically analyse apps and infer the origin of Permission Protected Calls (PPCs) and non-protected calls that access Personally Identifiable Information (PII). Reaper consists of three main components: (i) the UIHarvester, which is a sophisticated UI automation tool for testing apps, (ii) the PermissionHarvester, an inline hooking for passive monitoring of the internals of the Android Operating System (OS) leading to permission checks, and (iii) the StackAnalyzer which can stacktrace and infer the third-party library origin and its type. REAPER requires root access but do not rely on any OS, which makes it applicable to all stock Android versions. The authors have conducted a thorough evaluation of their system’s performance. Furthermore, REAPER used to scrutinize 5K popular Android apps and their findings concern valuable input. Indicatively, they found that: (i) 90% of the apps engage more PPCs against the core app itself., (ii) 65% of used permissions are derived from third-party libraries, (iii) 34% of the apps never issue PPCs from their core code as the requested permissions originate solely from library code and 48-59% dangerous permissions are linked to third-party libraries. For instance, they’ve explored Google Play services which direct to several libraries. In conclusion, REAPER can be utilized to enhance Android’s fine-grained run time permission system allowing users to deny unwanted permissions that do not rely on app’s core functionality. Hence, users can prevent third-party libraries from obtaining access to their personal and sensitive information.