TySA: Enforcing Security Policies for Safeguarding Against Permission-Induced Attacks in Android Applications

Android applications (apps) are ubiquitous in complex environments. Although permission- based access control mechanism in Android apps can ensure the proper access of information to a certain extent, it cannot enforce security policies on information propagation, which may cause permission-induced attacks. Our work is motivated by the problem of enforcing security policies on explicit and implicit information flows under the premise of the permission checks/requests at runtime in the Inter-Component Communication (ICC). To this end, we design a formal calculus for reasoning operations (e.g., permission checks and permission requests at runtime) and interactions (e.g., ICC) in Android apps. In addition, we introduce a novel type system based on the proposed formal calculus for checking secure information flow to prevent permission-induced attacks in Android apps. A soundness theorem of this type system is also proved with respect to non-interference property in Android apps.Finally, we realize a prototype Tysa based on the K-framework (K) and illustrate its effectiveness.