The Android-based IoT (Internet of Things) platform, like the existing Android, provides an environment that makes it easy to use Google's infrastructure services, including development tools and APIs, and thereby helps to control the sensors of IoT devices. Applications running on the Android-based IoT platform are often UI-free and are used without the user's consent to registered permissions. When permissions are registered indiscriminately during application updates, it is difficult to check them and to respond to their misuse. This paper analyzes the versions of an application running on the Android-based IoT platform before and after an update, together with the collected permission lists. It identifies the permissions that are the same before and after the update and the permissions that were deleted or newly added by the update, and thereby aims to respond to security threats that can arise from permissions that IoT devices do not need to perform certain functions.
Android-based IoT platform
The Android-based IoT platform named "Android-Things" was first unveiled by Google. It is the first platform dedicated to IoT devices. "Android-Things" is an upgraded version of Google's existing Internet platform, Brillo. Unlike Brillo, which uses the C/C++ language, it enables Android developers to develop IoT products easily [2, 3] by using existing Android development tools such as Android Studio, the Java language, and the Android SDK in the same way. In addition, the hardware supported by "Android-Things" includes Intel Edison, Pico NXP, Raspberry Pi 3, etc. Each hardware platform is equipped with an SoC (System on Chip), RAM, and wireless communication devices. "Android-Things" also supports various sample code examples such as Doorbell and Bluetooth Audio, making it easier for developers to get started.
2.2. AndroidManifest.xml file
The AndroidManifest.xml file of an application used in the Android-based IoT platform environment has a structure similar to that on a conventional Android smartphone. The AndroidManifest.xml file contains information on the application, including <activity>, <intent-filter>, and <uses-permission> [4-6]. This paper analyzes the permissions of the versions before and after an application update by analyzing the AndroidManifest.xml file. The following shows the structure of the AndroidManifest.xml file for a sample application provided for use in the Android-based IoT platform environment.
2.3. Android permission protection level
Android applications must register their permissions in the AndroidManifest.xml file to gain access to the information on the Android device and obtain the user's consent to the use of permissions. The permission protection level for registered permissions can be specified by the developer. It is classified into Normal, Dangerous, Signature, and Signature Or System.
Four permission protection levels and their definitions [4, 7, 8].
When an application is updated in the Android-based IoT platform environment, the user's consent to the added permissions is not required, owing to the nature of most IoT devices and unlike on an Android smartphone, which might lead to various security threats. In addition, the security threats seen on Android smartphones can also occur in applications on the Android-based IoT platform because, in a similar way to the existing Android, it provides certain functions and accesses device information through permissions. This paper comparatively analyzed the permissions before and after an application update by examining the application's AndroidManifest.xml file when it was updated in the Android-based IoT platform environment. The analysis identified the permissions that were the same before and after the update and the permissions that were deleted or newly added by the update. Using the information on the permissions that are identified and that exist in many malicious applications studied previously, we should be able to respond to security threats that may arise after an application update. In the future, we will carry out research on a real-time permission change monitoring system based on the permission management method implemented in this paper, and build a service that automatically analyzes permissions in real time when an application is updated in the Android-based IoT platform environment.
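
The before/after comparison described above can be sketched as follows. This is an added example, not code from the paper; it assumes both manifests have already been decoded to text XML, and the sample manifests, the function names and the DANGEROUS_SUBSET list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# android:name as ElementTree expands the namespace prefix.
NAME = "{http://schemas.android.com/apk/res/android}name"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Assumption: illustrative subset of Dangerous-level permissions, not a full list.
DANGEROUS_SUBSET = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
}

HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
# Constructed sample manifests (already decoded to text XML), not from the paper.
BEFORE = HEAD + """
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
</manifest>"""
AFTER = HEAD + """
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(NAME).strip()
        for elem in root.iter()
        if elem.tag in PERMISSION_TAGS and elem.get(NAME)
    }

def diff_permissions(before_xml, after_xml):
    """Classify permissions as unchanged, removed or added by an update."""
    before = declared_permissions(before_xml)
    after = declared_permissions(after_xml)
    added = after - before
    return {
        "unchanged": sorted(before & after),
        "removed": sorted(before - after),
        "added": sorted(added),
        "added_dangerous": sorted(added & DANGEROUS_SUBSET),
    }

if __name__ == "__main__":
    for group, names in diff_permissions(BEFORE, AFTER).items():
        print(f"{group}: {names}")
```

Because the IoT device shows no consent prompt, the "added_dangerous" group is the part of the result that most needs review before an update is accepted.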