The Android operating system uses a permission-based model that allows Android applications to access user information, system information, device information and external resources of the smartphone. The developer must declare the permissions for the Android application, and the user must accept these permissions for the application to be installed. These permissions are declarations, not requests. If the user allows the permissions at installation time, the app can access the corresponding resources and information at any time; it does not need to request the permissions again. Android OS is susceptible to various security attacks due to weaknesses in its security. This paper discusses the misuse of app permissions using Shared User ID, how two-factor authentication fails due to inappropriate and improper usage of app permissions by spyware, data theft in Android applications, security breaches or attacks in Android, and an analysis of the Android, iOS and Windows operating systems regarding their security.
A mobile operating system (OS) is software that allows smartphones, tablet PCs and other devices to run applications and programs. Several mobile operating systems are available in the market; the commonly used ones are Android, iOS, Windows and BlackBerry OS. The Android operating system is open source, with its source code released by Google under the Apache license; it is based on the Linux kernel and designed for smartphones and tablets. Android is one of the most popular operating systems for smartphones. In the last quarter of 2016, the total number of applications available in the Google Play store was 2.6 million, and the total number of Android-based smartphones sold was 2.1 billion. The market share of Android in the first quarter of 2016 was 84.1%, whereas iOS, Windows, BlackBerry and others held 14.8%, 0.7%, 0.2% and 0.2% respectively. Therefore, it is clear that Android has the widest market compared to other mobile operating systems. iOS (iPhone OS) is developed by Apple Inc. and used only by Apple devices such as the iPhone, iPad and iPod touch. It is the second most popular operating system after Android. In Android, other than the Google Play store, it is possible to install applications from unknown sources, whereas in iOS apps can only be installed from the App Store. This is one of the major security breaches in Android. Due to the various security breaches in Android, attackers already regard the smartphone as a target for stealing personal information using various malware. In 2013, Mohd Shahdi Ahmad et al. presented an analysis of Android and iOS regarding security and declared iOS more secure than Android. In 2014, A. Kaur et al. indicated that it is possible to revoke granted permissions from an Android application.
The rest of the paper is organized as follows. Section II describes various security attacks on Android such as the permission escalation attack, confused deputy attack, direct collision attack, indirect collision attack and TOCTOU (Time Of Check and Time Of Use) attack. Section III describes the different types of Android app permissions, over-claiming of app permissions, misuse of app permissions using Shared User ID, and the failure of two-factor authentication in Android-based smartphones due to spyware. Section IV presents a comparison of security between Android and iOS. Section V presents the proposed method to avoid misuse of app permissions and the conclusion of the paper.
the same user id SHAREDUSERID, then it is possible for application A to use the permissions granted to itself and the permissions granted to B. Similarly, it is possible for application B to use the permissions granted to itself and the permissions granted to A. Every Android application has a unique ID, which is its package name. Android also supports a shared user ID: it is an attribute in the AndroidManifest.xml file. If this attribute is assigned the same value in two or more applications and the same certificate signs these applications, they can access the permissions granted to each other. Collision attacks are classified as direct collision attacks and indirect collision attacks. In a direct collision attack the applications communicate directly; in an indirect collision attack the applications communicate via a third-party application or component.

C. Time of Check and Time of Use Attack

The main reason for the TOCTOU attack is naming collision. No naming rule or constraint is applied to a new permission declaration. Moreover, permissions in Android are represented as strings, and any two permissions with the same name string are treated as equivalent even if they belong to separate applications.

D. Spyware

Spyware is a type of malware. It is an apk file that is downloaded automatically when the user visits a malicious website, or it arrives in apps installed from unknown sources. In Android, other than the Google Play store, it is possible to install applications from unknown sources. Spyware is one of the main reasons for the major security threats in the Android operating system.
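An added audit script (not part of this paper or of Android itself) that makes the two points above concrete on constructed manifests: it computes the permission set each app can effectively use once sharedUserId is taken into account, and it reports custom permission names that more than one package declares, which is the string collision behind the TOCTOU attack. It assumes the manifests have already been decoded from the APKs and that apps sharing a user ID are signed by the same certificate, which the manifest alone cannot show.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed sample manifests (not from any real app). Apps a and b share a
# user ID (assume both are signed with the same certificate, which the manifest
# alone cannot show); c re-declares a permission name that b also declares.
SAMPLE_MANIFESTS = [
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
         package="com.example.a" android:sharedUserId="com.example.shared">
         <uses-permission android:name="android.permission.INTERNET"/>
       </manifest>""",
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
         package="com.example.b" android:sharedUserId="com.example.shared">
         <uses-permission android:name="android.permission.READ_SMS"/>
         <uses-permission android:name="android.permission.READ_CONTACTS"/>
         <permission android:name="com.example.b.permission.PRIVATE_API"/>
       </manifest>""",
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
         package="com.example.c">
         <permission android:name="com.example.b.permission.PRIVATE_API"/>
       </manifest>""",
]

def parse_manifest(xml_text):
    """Return (package, sharedUserId or None, requested perms, declared perms)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("permission")}
    return root.get("package"), root.get(ANDROID_NS + "sharedUserId"), requested, declared

def effective_permissions(manifests):
    """Permissions each package can actually use: its own requests plus, if it
    has a sharedUserId, everything requested by the other apps with that ID."""
    parsed = [parse_manifest(m) for m in manifests]
    by_uid = defaultdict(set)
    for _, shared, requested, _ in parsed:
        if shared:
            by_uid[shared] |= requested
    return {pkg: set(by_uid[shared]) if shared else set(requested)
            for pkg, shared, requested, _ in parsed}

def colliding_permission_names(manifests):
    """Custom permission names declared by more than one package; since Android
    compares permission names as plain strings, these collide."""
    declarers = defaultdict(set)
    for pkg, _, _, declared in map(parse_manifest, manifests):
        for name in declared:
            declarers[name].add(pkg)
    return {n: sorted(p) for n, p in declarers.items() if len(p) > 1}
```

On a real device set, the same two functions run over manifests pulled from every installed APK flag both the app pairs whose effective permissions exceed what the user saw at install time and the permission names that need to be renamed to be unambiguous.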
The Android operating system uses the permission-based model to access various resources and information. These permissions are not requests; they are declarations. They are declared in the AndroidManifest.xml file. Once the permissions are granted, they remain static for Android versions lower than 6. But in Android versions 7.0 and higher, app permissions are classified into normal permissions and dangerous permissions.

A. Normal Permissions

Normal permissions do not directly risk the user's privacy. Normal permissions need not be declared in the AndroidManifest.xml file; these permissions are granted automatically. Android Marshmallow 6.0 classified the permissions into normal and dangerous permissions. Whenever the app needs to use a dangerous permission, it explicitly asks the user to confirm the permission. Thus, Android 6.0 and higher versions provide an explicit permission notification before access to critical resources. But Marshmallow is available on only 1.2 percent of Android devices, and Android operating system updates are not available for most older devices. Therefore, security threats related to app permissions are still not solved.

Application Sandboxing

Android uses application sandboxing to limit the resources an application can access. If an app needs to access resources outside of its sandbox, it needs to request the appropriate permission.