Poster: Android System Broadcast Actions Broadcasts Your Privacy

Android provides finer-grained security features through a "permission" mechanism that puts limitations on the resources that each application can access. Upon installing a new Android application, a user is prompted to grant it a set of permissions. There are two typical assumptions made regarding permissions and mobile application security and privacy. The first one is that malicious applications need to retain many permissions. Secondly, mobile devices users assume that installed applications do not access data if they are not in the foreground. In this project, we show that malicious Android applications can still fulfill their objectives with minimum permissions and that they can access user data while in the background. This could happen with the help of another Android component, called broadcast receiver. We study the evaluation of Android broadcast actions. We demonstrate an attack scenario made possible by the broadcast receivers. Moreover, we propose solutions to protect from such attacks.