The Android Open Source Project provides software stacks for mobile devices operating on the Android platform. The API provided by this project helps enforce restrictions on specific functions and process which are allowed to operate under the standard Android permission mechanism. Because of the fine-grained permissions of the model, combined with the lack of permissions maps, it is not clear which functions require which permissions to operate. Additionally, due to the constant development in the AOSP and API, required permissions change frequently, creating headaches for application security testers, app developers and security minded Android users.
During this talk, Andrew Reiter, security researcher, Veracode, will introduce the various methodologies used for building an Android permission map, and discuss the inherent deficiencies in each. The audience will learn why it is important to create a single group responsible for generating a permission map, and why Reiter believes this group should be Google. The discussion will also cover why permission mapping is an important part of securing this ever growing environment.
