Principle of least privilege
Possibly one of the most important principles of secure system design is the Principle of Least Privilege.
Put simply, this says that each of the components that make up your system (or app, in our case) should be given only the power, information, or resources it needs to perform its assigned task. Nothing more.
If a component has permission to access resources that it does not need to perform its task (for example, an image viewer that has the ability to read your email or to send SMS), then even though the component was never designed to do these things (it is just supposed to display an image), an attacker may be able to make it do so, perhaps through a carefully crafted malformed image file, thus violating the user’s privacy or running up a huge phone bill.
If we remove unnecessary privileges from the image viewer it becomes harder for an attacker to exploit bugs in the component.
Android incorporates many technologies that help us apply the Principle of Least Privilege. Some of these require no work on our part, such as app sandboxing; others require us to think carefully about the design of our app.
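The image viewer scenario above, as an added worked example that is not part of the original course material: a toy Python model (not Android's real permission system) in which a component declares what it needs and what it has been granted, so we can measure the excess grants and see which sensitive actions a hijacked component would expose. The permission names are constructed labels for the model; only SEND_SMS mirrors the page's example.

```python
"""Least-privilege audit of a component's permission grants (toy model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    needs: frozenset    # permissions the assigned task genuinely requires
    granted: frozenset  # permissions the component has actually been given


def excess_privileges(c: Component) -> frozenset:
    """Permissions granted but never needed: the avoidable attack surface."""
    return c.granted - c.needs


def reachable_if_hijacked(c: Component, action: str) -> bool:
    """Once a bug lets an attacker control the component, they act with
    every permission it holds, whether the task needed it or not."""
    return action in c.granted


def blast_radius(c: Component, sensitive: frozenset) -> frozenset:
    """Sensitive permissions a hijacked component would expose."""
    return c.granted & sensitive


def audit(c: Component, sensitive: frozenset) -> dict:
    """Summarise how far the component is from least privilege."""
    return {"excess": sorted(excess_privileges(c)),
            "exposed": sorted(blast_radius(c, sensitive))}


# Constructed sample data: the image viewer only needs to read the image.
SENSITIVE = frozenset({"READ_EMAIL", "SEND_SMS", "READ_CONTACTS"})
over_privileged = Component("image_viewer", frozenset({"READ_STORAGE"}),
                            frozenset({"READ_STORAGE", "READ_EMAIL", "SEND_SMS"}))
least_privilege = Component("image_viewer", frozenset({"READ_STORAGE"}),
                            frozenset({"READ_STORAGE"}))

if __name__ == "__main__":
    for c in (over_privileged, least_privilege):
        print(c.name, audit(c, SENSITIVE))
```

Running it shows the over-privileged viewer exposing email and SMS to anyone who can trigger a bug in it, while the least-privilege version exposes nothing beyond the storage it was meant to read.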
© University of Southampton 2017