{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,12]],"date-time":"2025-03-12T04:33:11Z","timestamp":1741753991912,"version":"3.38.0"},"reference-count":36,"publisher":"SAGE Publications","issue":"3","license":[{"start":{"date-parts":[[2016,11,15]],"date-time":"2016-11-15T00:00:00Z","timestamp":1479168000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2017,5,29]]},"abstract":"<jats:p> Root is the administrative privilege on Android, which is however inaccessible on stock Android devices. Due to the desire for privileged functionalities and the reluctance of rooting their devices, Android users seek for no-root approaches, which provide users with part of root privileges without rooting their devices. Existing no-root approaches require users to launch a separate service via Android Debug Bridge (ADB) on an Android device, which would perform user-desired tasks. However, it is unusual for a third-party Android application to work with a separate native service via sockets, and it requires the application developers to have extra knowledge such as Linux programming in application development. In this paper, we propose a feasible no-root approach based on new functionalities added on Android, which creates no separate service but an ADB loopback. To ensure such no-root approach is not misused in a proactive instead of reactive manner, we examine its dark side. We find out that while this approach makes it easy for no-root applications to work, it may lead to a \u201c permission explosion,\u201d which enables any third-party application to attain shell permissions beyond its granted permissions. The permission explosion can further lead to exploits including privacy leakage, account takeover, application UID abuse, and user input inference. A\u00a0practical experiment is carried out to evaluate the situation in the real world, which shows that many real-world applications from Google Play and four third-party application markets are indeed vulnerable to these exploits. To mitigate the dark side of the new no-root approach and make it more suitable for users to adopt, we identify the causes of the exploits, and propose a permission-based solution. We also provide suggestions to application developers and application markets on how to prevent these exploits. <\/jats:p>","DOI":"10.3233\/jcs-16866","type":"journal-article","created":{"date-parts":[[2016,11,15]],"date-time":"2016-11-15T15:43:46Z","timestamp":1479224626000},"page":"231-253","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":1,"title":["A study on a feasible no-root approach on\u00a0Android"],"prefix":"10.1177","volume":"25","author":[{"given":"Yao","family":"Cheng","sequence":"first","affiliation":[{"name":"School of Information Systems, Singapore Management University, Singapore"}]},{"given":"Yingjiu","family":"Li","sequence":"additional","affiliation":[{"name":"School of Information Systems, Singapore Management University, Singapore"}]},{"given":"Robert","family":"Deng","sequence":"additional","affiliation":[{"name":"School of Information Systems, Singapore Management University, Singapore"}]},{"given":"Lingyun","family":"Ying","sequence":"additional","affiliation":[{"name":"Institute of Software, Chinese Academy of Sciences, Beijing, P.R. China"},{"name":"University of Chinese Academy of Sciences, Beijing, P.R. China"}]},{"given":"Wei","family":"He","sequence":"additional","affiliation":[{"name":"Singapore Institute of Manufacturing Technology, Singapore, Singapore"}]}],"member":"179","published-online":{"date-parts":[[2016,11,15]]},"reference":[{"key":"ref001","unstructured":"Clockworkmod tether (no root). https:\/\/play.google.com\/store\/apps\/details?id=com.koushikdutta.tether."},{"key":"ref002","unstructured":"No root screenshot it. https:\/\/play.google.com\/store\/apps\/details?id=com.edwardkim.android.screenshotitfullnoroot."},{"key":"ref003","unstructured":"Log. http:\/\/developer.android.com\/reference\/android\/util\/Log.html."},{"key":"ref004","unstructured":"Android debug bridge. http:\/\/developer.android.com\/tools\/help\/adb.html."},{"key":"ref005","unstructured":"Android security. http:\/\/googlemobile.blogspot.sg\/2012\/02\/android-and-security.html."},{"key":"ref006","doi-asserted-by":"crossref","unstructured":"D.\u00a0Barrera, H.\u00a0G\u00fcne\u015f Kayacik, P.C.\u00a0van Oorschot and A.\u00a0Somayaji, A methodology for empirical analysis of permission-based security models and its application to Android, in: Proceedings of the 17th ACM Conference on Computer and Communications Security, 2010, pp.\u00a073\u201384.","DOI":"10.1145\/1866307.1866317"},{"key":"ref007","unstructured":"L.\u00a0Cai and H.\u00a0Chen, Touchlogger: Inferring keystrokes on touch screen from smartphone motion, in: HotSec, 2011."},{"key":"ref008","doi-asserted-by":"crossref","unstructured":"L.\u00a0Davi, A.\u00a0Dmitrienko, A.R.\u00a0Sadeghi and M.\u00a0Winandy, Privilege escalation attacks on Android, in: Information Security, 2011, pp.\u00a0346\u2013360. doi:10.1007\/978-3-642-18178-8_30.","DOI":"10.1007\/978-3-642-18178-8_30"},{"key":"ref009","doi-asserted-by":"crossref","unstructured":"W.\u00a0Enck, M.\u00a0Ongtang and P.\u00a0McDaniel, On lightweight mobile phone application certification, in: Proceedings of the 16th ACM Conference on Computer and Communications Security, 2009, pp.\u00a0235\u2013245.","DOI":"10.1145\/1653662.1653691"},{"key":"ref010","doi-asserted-by":"crossref","unstructured":"S.\u00a0Fahl, M.\u00a0Harbach, M.\u00a0Oltrogge, T.\u00a0Muders and M.\u00a0Smith, Hey, you, get off of my clipboard, in: Financial Cryptography and Data Security, 2013, pp.\u00a0144\u2013161. doi:10.1007\/978-3-642-39884-1_12.","DOI":"10.1007\/978-3-642-39884-1_12"},{"key":"ref011","unstructured":"A.P.\u00a0Felt and D.\u00a0Wagner, Phishing on Mobile Devices, 2011."},{"key":"ref012","unstructured":"Flurry. http:\/\/www.flurry.com\/."},{"key":"ref013","unstructured":"Helium - app sync and backup. https:\/\/play.google.com\/store\/apps\/details?id=com.koushikdutta.backup."},{"key":"ref014","doi-asserted-by":"crossref","unstructured":"S.\u00a0Hwang, S.\u00a0Lee, Y.\u00a0Kim and S.\u00a0Ryu, Bittersweet adb: Attacks and defenses, in: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, 2015, pp.\u00a0579\u2013584.","DOI":"10.1145\/2714576.2714638"},{"key":"ref015","unstructured":"Y.Z.X.\u00a0Jiang, Detecting passive content leaks and pollution in Android applications, in: NDSS, 2013."},{"key":"ref016","doi-asserted-by":"crossref","unstructured":"C.C.\u00a0Lin, H.\u00a0Li, X.\u00a0Zhou and X.\u00a0Wang, Screenmilker: How to milk your Android screen for secrets, in: NDSS, 2014.","DOI":"10.14722\/ndss.2014.23049"},{"key":"ref017","unstructured":"A.\u00a0Lineberry, D.L.\u00a0Richardson and T.\u00a0Wyatt, These aren\u2019t the permissions you\u2019re looking for. https:\/\/www.defcon.org\/images\/defcon-18\/dc-18-presentations\/Lineberry\/DEFCON-18-Lineberry-Not-The-Permissions-You-Are-Looking-For.pdf (2010)."},{"key":"ref018","unstructured":"C.\u00a0Marforio, A.\u00a0Francillon, S.\u00a0Capkun, S.\u00a0Capkun and S.\u00a0Capkun, Application Collusion Attack on the Permission-Based Security Model and Its Implications for Modern Smartphone Systems, Department of Computer Science, ETH, Zurich, 2011."},{"key":"ref019","doi-asserted-by":"crossref","unstructured":"E.\u00a0Owusu, J.\u00a0Han, S.\u00a0Das, A.\u00a0Perrig and J.\u00a0Zhang, Accessory: Password inference using accelerometers on smartphones, in: Proceedings of the Twelfth Workshop on Mobile Computing Systems & Applications, HotMobile \u201912, 2012, pp.\u00a09:1\u20139:6.","DOI":"10.1145\/2162081.2162095"},{"key":"ref020","unstructured":"Platform versions distribution. http:\/\/developer.android.com\/about\/dashboards\/index.html."},{"key":"ref021","unstructured":"A.\u00a0Porter Felt, E.\u00a0Ha, S.\u00a0Egelman, A.\u00a0Haney, E.\u00a0Chin and D.\u00a0Wagner, Android permissions: User attention, comprehension, and behavior, in: Proceedings of the Eighth Symposium on Usable Privacy and Security, ACM, 2012, p.\u00a03."},{"key":"ref022","unstructured":"A.\u00a0Porter Felt, H.J.\u00a0Wang, A.\u00a0Moshchuk, S.\u00a0Hanna and E.\u00a0Chin, Permission re-delegation: Attacks and defenses, in: USENIX Security Symposium, 2011."},{"key":"ref023","doi-asserted-by":"crossref","unstructured":"R.\u00a0Raguram, A.M.\u00a0White and D.\u00a0Goswami, Fabian Monrose, and Jan-Michael Frahm. ispy: Automatic reconstruction of typed input from compromising reflections, in: Proceedings of the 18th ACM Conference on Computer and Communications Security, 2011, pp.\u00a0527\u2013536.","DOI":"10.1145\/2046707.2046769"},{"key":"ref024","unstructured":"R.\u00a0Schlegel, K.\u00a0Zhang, X.\u00a0Zhou, M.\u00a0Intwala, A.\u00a0Kapadia and X.\u00a0Wang, Soundcomber: A stealthy and context-aware sound trojan for smartphones, in: NDSS, 2011, pp.\u00a017\u201333."},{"key":"ref025","unstructured":"Screenshot free. https:\/\/play.google.com\/store\/apps\/details?id=com.androidscreenshotapptool.free."},{"key":"ref026","unstructured":"Screenshot shakeshot trial. https:\/\/play.google.com\/store\/apps\/details?id=com.designkontrol.screenshottrial."},{"key":"ref027","unstructured":"Screenshot ultimate. https:\/\/play.google.com\/store\/apps\/details?id=com.icecoldapps.screenshotultimate."},{"key":"ref028","doi-asserted-by":"crossref","unstructured":"Smartphone OS market share, q1 2015. http:\/\/www.idc.com\/prodserv\/smartphone-os-market-share.jsp.","DOI":"10.1002\/9781118785317.weom120159"},{"key":"ref029","unstructured":"Snapchat. https:\/\/play.google.com\/store\/apps\/details?id=com.snapchat.android."},{"key":"ref030","unstructured":"T.\u00a0Vidas, D.\u00a0Votipka and N.\u00a0Christin, All your droid are belong to us: A survey of current Android attacks, in: WOOT, 2011, pp.\u00a081\u201390."},{"key":"ref031","unstructured":"Vine. https:\/\/play.google.com\/store\/apps\/details?id=co.vine.android."},{"key":"ref032","unstructured":"Windows malware attempts to infect android devices. http:\/\/www.symantec.com\/connect\/blogs\/windows-malware-attempts-infect-android-devices."},{"key":"ref033","doi-asserted-by":"crossref","unstructured":"X.\u00a0Zhang and W.\u00a0Du, Attacks on Android clipboard, in: Detection of Intrusions and Malware, and Vulnerability Assessment, 2014, pp.\u00a072\u201391.","DOI":"10.1007\/978-3-319-08509-8_5"},{"key":"ref034","doi-asserted-by":"crossref","unstructured":"W.\u00a0Zhou, Y.\u00a0Zhou, X.\u00a0Jiang and P.\u00a0Ning, Detecting repackaged smartphone applications in third-party Android marketplaces, in: Proceedings of the Second ACM Conference on Data and Application Security and Privacy, 2012, pp.\u00a0317\u2013326.","DOI":"10.1145\/2133601.2133640"},{"key":"ref035","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Zhou and X.\u00a0Jiang, Dissecting Android malware: Characterization and evolution, in: 2012 IEEE Symposium on Security and Privacy (SP), 2012, pp.\u00a095\u2013109. doi:10.1109\/SP.2012.16.","DOI":"10.1109\/SP.2012.16"},{"key":"ref036","unstructured":"Y.\u00a0Zhou, Z.\u00a0Wang, W.\u00a0Zhou and X.\u00a0Jiang, Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets, in: NDSS, 2012."}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-16866","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-16866","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-16866","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,11]],"date-time":"2025-03-11T10:38:12Z","timestamp":1741689492000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-16866"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,11,15]]},"references-count":36,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2017,5,29]]}},"alternative-id":["10.3233\/JCS-16866"],"URL":"https:\/\/doi.org\/10.3233\/jcs-16866","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"type":"print","value":"0926-227X"},{"type":"electronic","value":"1875-8924"}],"subject":[],"published":{"date-parts":[[2016,11,15]]}}}