A Framework for Formal Specification and Verification of Security Properties of the Android Permissions System

Abstract: Android is a widely deployed operating system that employs a permission-based access control model. The Android Permissions System (APS) is responsible for mediating resource requests from applications. APS is a critical component of the Android security mechanism. A failure in the design of APS can potentially lead to vulnerabilities that grant unauthorized access to resources by malicious applications. Researchers have employed formal methods for analyzing the security properties of APS. Since Android is constantly evolving, we intend to design and implement a framework for formal specification and verification of the security properties of APS. In particular, we intend to present a behavioral model of APS that represents the non-binary, context dependent permissions introduced in Android 10 and temporal permissions introduced in Android 11.