“Applications permissions”的意思、由来-开放百科全书

Applications permissions are a widespread coarse-grained way to limit applications' access to sensitive information, for example sound recorded by microphone, and valuable resources, like the battery, internet traffic and account balance. They are implemented in major state of the art PDA{{clarify|What is this jargon?|date=October 2018}} operation systems (Android, iOS, Windows), web browsers and web services providing an OAuth API.

Mobile devices

On Android <6 permissions are not usually revokable, though there is AppOps mechanism in some OSes (it's usually present in vanilla Android and aftermarket OSes, but usually removed in stock OSes) allowing to deprive apps access to some personal data. In Android ≥6 apps can request permissions in run time, but this requires app developer collaboration (developer is free to use non-runtime permissions only and the app will likely crash if permission is not granted and the ones not granting the permission is not a target audience of an app) ^[9] and some permissions marked as permissions in previous versions of the OS, like internet access, are non-revocable and are not even show on apps installation. This can be fixed with XPrivacy.

In Android ecosystem usage of permissions is often abused in order to spy on users, many applications require as much permissions as they can and monetize by integrating libraries by advertising networks, showing ads and spying on users to better target them.

WebPermissions

[https://w3c.github.io/permissions/ WebPermissions] is a permission system for web browsers. When a web application needs some data behind a permission, it must request it first. When it does it, a user sees a window asking him to make a choice. The choice is remembered, but can be cleared lately.

Analysis

In some cases permissions are implemented in 'all-or-nothing' approach: a user either has to grant all the requested permissions to an app, or be unable to use the app. Even if a user can revoke a permission, the app can blackmail a user by refusing to operate, for example just crashing. There are some solutions, such as XPrivacy, which instead of providing access to the requested data instead of throwing an exception and crashing an app returning disinformation to make an app operate as if the permission was granted. It is also possible to use static analysis to analyze the requested permissions.^[16]

References

1. ^{{cite web|url=https://developer.android.com/reference/android/Manifest.permission.html|title=Manifest.permission - Android Developers|website=developer.android.com}}
2. ^{{cite web|url=https://www.apple.com/business/docs/iOS_Security_Guide.pdf|title=iOS Security Guide}}
3. ^{{Cite journal|last=Michalevsky|first=Yan|last2=Boneh|first2=Dan|last3=Nakibly|first3=Gabi|year=2014|title=Gyrophone: Recognizing Speech from Gyroscope Signals|url=https://crypto.stanford.edu/gyrophone/files/gyromic.pdf|format=PDF|journal=USENIX Security Symposium|volume=23|pages=1053–1067|isbn=978-1-931971-15-7|via=}}
4. ^https://cse.sc.edu/~wyxu/719Spring12/papers/US-vibr-Phone.pdf
5. ^{{cite arxiv|last=Michalevsky|first=Yan|last2=Nakibly|first2=Gabi|last3=Schulman|first3=Aaron|last4=Veerapandian|first4=Gunaa Arumugam|last5=Boneh|first5=Dan|date=2015-02-10|title=PowerSpy: Location Tracking using Mobile Device Power Analysis|eprint=1502.03182|class=cs.CR}}
6. ^{{Cite journal|last=Mosenia|first=Arsalan|last2=Dai|first2=Xiaoliang|last3=Mittal|first3=Prateek|last4=Jha|first4=Niraj|date=2017|title=PinMe: Tracking a Smartphone User around the World|journal=IEEE Transactions on Multi-Scale Computing Systems|pages=1|doi=10.1109/TMSCS.2017.2751462|issn=2332-7766|arxiv=1802.01468}}
7. ^{{cite arxiv|last=Hua|first=Jingyu|last2=Shen|first2=Zhenyu|last3=Zhong|first3=Sheng|date=2015-05-22|title=We Can Track You If You Take the Metro: Tracking Metro Riders Using Accelerometers on Smartphones|eprint=1505.05958|class=cs.CR}}
8. ^{{cite arxiv|title=MAGNETO: Covert Channel between Air-Gapped Systems and Nearby Smartphones via CPU-Generated Magnetic Fields|last=Guri|first=Mordechai|last2=Daidakulov|first2=Andrey|date=2018-02-07|eprint=1802.02317|last3=Elovici|first3=Yuval|class=cs.CR}}
9. ^{{cite web|url=https://source.android.com/devices/tech/config/runtime_perms|title=Runtime Permissions - Android Open Source Project|website=Android Open Source Project}}
10. ^{{cite web|url=https://developer.apple.com/ios/human-interface-guidelines/app-architecture/requesting-permission/|title=Requesting Permission - App Architecture - iOS Human Interface Guidelines|first=Apple|last=Inc.|website=developer.apple.com}}
11. ^{{cite web|url=https://www.w3.org/TR/geolocation-API/|title=Geolocation API Specification 2nd Edition|website=www.w3.org}}
12. ^{{cite web|url=https://notifications.spec.whatwg.org/|title=Notifications API Standard|website=notifications.spec.whatwg.org}}
13. ^{{cite web|url=https://www.w3.org/TR/push-api/|title=Push API|website=www.w3.org}}
14. ^{{cite web|url=https://wicg.github.io/BackgroundSync/spec/|title=Web Background Synchronization|website=wicg.github.io}}
15. ^¹{{cite web|url=https://w3c.github.io/mediacapture-main/|title=Media Capture and Streams|website=w3c.github.io}}
16. ^{{cite journal|last1=Bartel|first1=Alexandre|last2=Klein|first2=Jacques|last3=Le Traon|first3=Yves|last4=Monperrus|first4=Martin|title=Automatically securing permission-based software by reducing the attack surface: an application to Android|year=2012|url=https://hal.archives-ouvertes.fr/hal-00726196/document|doi=10.1145/2351676.2351722}}