A change in how Android 6.0 handles permissions introduces an app crash risk; Galois’ DARPA-funded tool helps developers rapidly address permissions handling
Portland, OR (PRWEB) October 28, 2015
The newest version of Android (Android 6.0 Marshmallow) introduces a significant change in the way mobile apps handle permissions – a change that can cause applications to crash if developers do not test to see if the apps handle permissions properly.
To address this app crash risk, Galois today announced the release of Fuse Analyzer: Permissions – a new tool capability that will, among other things, enable Android developers to pinpoint the changes they need to make for their apps to work on Android 6 properly. Fuse Analyzer is part of Galois’ DARPA-funded tool developed for security analysts to evaluate Android app security.
Previously, Android apps requested all permissions when they were installed. That's how an app would gain access to, for example, the Internet, the camera, the microphone, and so on. If users wanted to install an app, they had to approve all the permissions. Android 6 allows users to pick and choose what permissions are OK when an application actually needs access, which means that every method that is protected by a permission must be guarded by a check to see if the application currently has access to that permission. If an app does not make that check or it does not have access to the permission, the app could crash.
“We are excited to be able to offer this tool to the community,” said Rogan Creswick, Human Computer Interaction research lead at Galois. “An app’s codebase can quickly get very large. Our tool will save Android developers considerable amounts of time, by not having to manually pinpoint everything that needs fixing for the migration to Android 6.”
Fuse Analyzer: Permissions enables Android 6 developers to quickly discover the locations of the unguarded methods that need developer attention. The list of methods and locations can then be used to put checks in place to ensure safe permissions handling. Fuse Analyzer: Permissions is free for up to three apps, and does not require source code to generate the list.
Permissions is part of Fuse Analyzer: Complete, which goes beyond permissions handling to provide developers a comprehensive security assessment suite for all apps. Fuse Analyzer Complete produces detailed reports on:
- Vulnerabilities: Is your app vulnerable to outside attacks? Fuse Analyzer checks for a wide variety of vulnerable behavior.
- Data leaks: Is there unexpected data transfer at runtime? Fuse Analyzer identifies and highlights data flows that are exposed to other applications and flags cases where internal data is shared broadly.
- Weak encryption: Is your app using crypto correctly? Fuse Analyzer uncovers common mistakes in how crypto APIs are used that could compromise security.
- Permissions: Have you handled permissions correctly? Fuse Analyzer verifies that the permissions you need are included, and flag any permissions you do not use.
“Android developers have very few choices when assessing the privacy and security of their apps,” adds Mr. Creswick. “Fuse Analyzer is the most comprehensive, publicly available security assessment tool for Android developers.”
Android developers interested in testing their app to make sure it behaves properly under all permission situations can access Fuse Analyzer at https://fuseanalyzer.com
Galois has been performing computer science research and development since 1999. With many of the world’s foremost expects in computer science and mathematics and a world-class team of programmers and engineers, Galois is uniquely positioned to take on the world’s most difficult challenges in computer science. Galois is a trusted partner in the defense and intelligence industries, proving the feasibility of cutting edge research as it applies to critical systems. Technology companies turn to Galois to build reliability, safety and security into their product development efforts from day one. For additional information, visit http://www.galois.com.
For the original version on PRWeb visit: http://www.prweb.com/releases/2015/10/prweb13047818.htm