Fortify Adds Android Permission Support

Erika Chin and I have been working with Fortify’s Security Research Group to integrate Android permission warnings into Fortify SCA. Specifically, Fortify SCA now warns Android developers when permissions are missing or unnecessary (i.e., when an application is over- or under-privileged). Here’s an excerpt from the Q4 release notes:

Google Android – Updated support now provides improved detection of underprivileged Android applications, including missing permissions for privileged API calls, as well as sending and receiving intents. In addition, Fortify now detects overprivileged Android applications that request unnecessary permissions. This update introduces three new categories related to privilege management.

Hopefully this will help developers avoid permission errors.

For those of you looking for a free alternative, Stowaway can tell you if your application has extra permissions. Stowaway has the advantage of working on binaries (i.e., libraries), but it doesn’t warn developers about missing permissions (which Fortify SCA does).
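To make the over-/under-privilege check described above concrete, here is an added example (not Fortify's or Stowaway's code) that compares the permissions declared in an `AndroidManifest.xml` against the permissions implied by the API calls found in source. The API-to-permission map, the manifest and the Java snippet are all constructed for the demonstration; a real map such as Stowaway's covers thousands of calls.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed, hypothetical map from call-site patterns to the permission
# the call requires. Real maps (e.g. Stowaway's) are far larger.
API_PERMISSION_MAP = {
    r"\.getLastKnownLocation\(": "android.permission.ACCESS_FINE_LOCATION",
    r"\.sendTextMessage\(": "android.permission.SEND_SMS",
    r"\bCamera\.open\(": "android.permission.CAMERA",
    r"\.getDeviceId\(": "android.permission.READ_PHONE_STATE",
}
KNOWN_PERMISSIONS = set(API_PERMISSION_MAP.values())


def declared_permissions(manifest_xml):
    """Permissions the manifest requests via <uses-permission android:name=...>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def required_permissions(java_source):
    """Permissions implied by privileged API calls present in the source."""
    return {perm for pattern, perm in API_PERMISSION_MAP.items()
            if re.search(pattern, java_source)}


def audit_permissions(manifest_xml, java_source):
    declared = declared_permissions(manifest_xml)
    required = required_permissions(java_source)
    # A permission is judged "unnecessary" only if the map knows the APIs it
    # guards; otherwise an incomplete map would produce false positives, so
    # those are reported separately as "unmapped".
    return {
        "missing": sorted(required - declared),                    # under-privileged
        "unnecessary": sorted((declared & KNOWN_PERMISSIONS) - required),  # over-privileged
        "unmapped": sorted(declared - KNOWN_PERMISSIONS),
    }


# Constructed sample inputs.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
SOURCE = """Location loc = lm.getLastKnownLocation(LocationManager.GPS_PROVIDER);
SmsManager.getDefault().sendTextMessage(number, null, body, null, null);"""

if __name__ == "__main__":
    print(audit_permissions(MANIFEST, SOURCE))
```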


2 Responses to Fortify Adds Android Permission Support

  1. Sarah-Jane Gravener says:

    Dear Adrienne

    I am trying to help a major mobile network operator find a senior research engineer – preferably a master's or even a PhD graduate (or soon to be graduate), specialising in security in mobile (i.e. Android/iOS) application development, based in London. Your credentials are impeccable, and I wondered if you had any ideas as to where I could look – Google has provided some very interesting leads, but no suitable candidates as yet! Any help gratefully received, with kind regards, Sarah-Jane Gravener

  2. Hi Sarah-Jane, I’ll send you an e-mail.

    Adrienne
