Advertisement

How to Block the Malicious Access to Android External Storage

  • Sisi Yuan
  • Yuewu Wang
  • Pingjian WangEmail author
  • Lingguang Lei
  • Quan Zhou
  • Jun Li
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11396)

Abstract

External storage (e.g., SD card) is an important component of the Android mobile terminals, commonly used for storing of the user information (including sensitive data such as photos). However, current protection mechanisms (e.g., the permission mechanism) on the external storage are somehow coarse-grained, where the external storage is controlled as a whole, which means all files on the external storage are accessible once the permission is assigned to an APP. This coarse-grained control weakness could be easily leveraged by the attackers. For example, the ransomware can obtain the access permission of the external storage and encrypt the files on external storage stealthily for ransom. In this paper, we introduce an Access Control List (ACL) mechanism to enforce the fine-grained control on the external storage. With ACL, the access control policy can be defined at the file granularity, and the access permissions will only be granted to legitimate APPs specified in a white list. First, we activate the Linux ACL mechanism on Android system and extend it to the Filesystem in Userspace (FUSE). Because the external storage is built on the FUSE filesystem, which is different from the traditional Linux filesystems (e.g., EXT4) and thus not supported by the traditional Linux ACL mechanism. Second, we introduce ACL-policy configuration interface in the Android framework, which enables the device owner and APP developers to set the fine-grained ACL access policies for their files on the external storage. Finally, we implement a prototype based on the Nexus 6 devices deployed Android 6.0.1 and Linux kernel 3.10.4, and evaluate it on the stability, effectiveness and performance. The results show our prototype system can effectively prevent illegal access to the files on the external storage with negligible performance overhead. As far as we know, this is the first work that can really enforce ACL access control on the external storage of Android.

Keywords

Access Control List Android access control External storage Ransomware 

Notes

Acknowledgements

We would like to thank our anonymous reviewers for their valuable comments and suggestions. This work is supported by the National Key Research and Development Program of China under Grant No. 2016YFB0800102, the National Cryptography Development Fund under Award No. MMJJ20170215, and the Youth Innovation Promotion Association CAS.

References

  1. 1.
  2. 2.
  3. 3.
    Acl open source community. http://savannah.nongnu.org/projects/acl
  4. 4.
  5. 5.
  6. 6.
    Arena, V., Catania, V., Torre, G.L., Monteleone, S., Ricciato, F.: Securedroid: an android security framework extension for context-aware policy enforcement. In: 2013 International Conference on Privacy and Security in Mobile Systems, PRISMS 2013, Atlantic City, NJ, USA, 24–27 June 2013, pp. 1–8 (2013).  https://doi.org/10.1109/PRISMS.2013.6927185
  7. 7.
    Bai, G., Gu, L., Feng, T., Guo, Y., Chen, X.: Context-aware usage control for android. In: Proceedings 6th International ICST Conference Security and Privacy in Communication Networks - SecureComm 2010, Singapore, 7–9 September 2010, pp. 326–343 (2010).  https://doi.org/10.1007/978-3-642-16161-2_19Google Scholar
  8. 8.
  9. 9.
    Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A., Shastry, B.: Towards taming privilege-escalation attacks on android. In: 19th Annual Network and Distributed System Security Symposium, NDSS 2012, San Diego, California, USA, 5–8 February 2012 (2012). http://www.internetsociety.org/towards-taming-privilege-escalation-attacks-android
  10. 10.
    Bugiel, S., Davi, L., Dmitrienko, A., Heuser, S., Sadeghi, A., Shastry, B.: Practical and lightweight domain isolation on android. In: SPSM 2011, Proceedings of the 1st ACM Workshop Security and Privacy in Smartphones and Mobile Devices, Co-located with CCS 2011, 17 October 2011, Chicago, pp. 51–62 (2011).  https://doi.org/10.1145/2046614.2046624
  11. 11.
    Bugiel, S., Heuser, S., Sadeghi, A.: Flexible and fine-grained mandatory access control on android for diverse security and privacy policies. In: Proceedings of the 22th USENIX Security Symposium, Washington, DC, USA, 14–16 August 2013, pp. 131–146 (2013). https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/bugiel
  12. 12.
    Cai, X., Gu, X., Wang, Y., Zhou, Q., Cao, Z.: Enforcing ACL access control on android platform. In: Proceedings 20th International Conference Information Security - ISC 2017, Ho Chi Minh City, Vietnam, 22–24 November 2017, pp. 366–383 (2017).  https://doi.org/10.1007/978-3-319-69659-1_20Google Scholar
  13. 13.
    Conti, M., Crispo, B., Fernandes, E., Zhauniarovich, Y.: Crêpe: a system for enforcing fine-grained context-related policies on android. IEEE Trans. Inf. Forensics Secur. 7(5), 1426–1438 (2012).  https://doi.org/10.1109/TIFS.2012.2204249CrossRefGoogle Scholar
  14. 14.
    Do, Q., Martini, B., Choo, K.R.: Enforcing file system permissions on android external storage: android file system permissions (AFP) prototype and owncloud. In: 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2014, Beijing, China, 24–26 September 2014, pp. 949–954 (2014).  https://doi.org/10.1109/TrustCom.2014.53
  15. 15.
    Enck, W., et al.: TaintDroid: an information flow tracking system for real-time privacy monitoring on smartphones. Commun. ACM 57(3), 99–106 (2014).  https://doi.org/10.1145/2494522CrossRefGoogle Scholar
  16. 16.
    Enck, W., Ongtang, M., McDaniel, P.D.: On lightweight mobile phone application certification. In: Proceedings of the 2009 ACM Conference on Computer and Communications Security, CCS 2009, Chicago, Illinois, USA, 9–13 November 2009, pp. 235–245 (2009).  https://doi.org/10.1145/1653662.1653691
  17. 17.
  18. 18.
  19. 19.
  20. 20.
  21. 21.
    Grünbacher, A.: POSIX access control lists on linux. In: Proceedings of the FREENIX Track: 2003 USENIX Annual Technical Conference, San Antonio, Texas, USA, 9–14 June 2003, pp. 259–272 (2003). http://www.usenix.org/events/usenix03/tech/freenix03/gruenbacher.html
  22. 22.
    Huang, F., Wu, W., Yang, M., Luo, J.: A fine-grained permission control mechanism for external storage of android. In: 2016 IEEE International Conference on Systems, Man, and Cybernetics, SMC 2016, Budapest, Hungary, 9–12 October 2016, pp. 2911–2916 (2016).  https://doi.org/10.1109/SMC.2016.7844682
  23. 23.
    Jung, C., Feth, D., Seise, C.: Context-aware policy enforcement for android. In: IEEE 7th International Conference on Software Security and Reliability, SERE 2013, Gaithersburg, MD, USA, 18–20 June 2013, pp. 40–49 (2013).  https://doi.org/10.1109/SERE.2013.15
  24. 24.
    Liu, X., Zhou, Z., Diao, W., Li, Z., Zhang, K.: An empirical study on android for saving non-shared data on public storage. In: Proceedings 30th IFIP TC 11 International Conference, ICT Systems Security and Privacy Protection - SEC 2015, Hamburg, Germany, 26–28 May 2015, pp. 542–556 (2015).  https://doi.org/10.1007/978-3-319-18467-8_36CrossRefGoogle Scholar
  25. 25.
    Nakamura, Y., Sameshima, Y.: SELinux for consumer electronics devices. In: 2008 Proceedings of the Linux Symposium OLS, Ottawa, Ontario, Canada, 23–26 July 2008, pp. 125–134 (2008)Google Scholar
  26. 26.
    Nauman, M., Khan, S., Zhang, X.: Apex: extending android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2010, Beijing, China, 13–16 April 2010, pp. 328–332 (2010).  https://doi.org/10.1145/1755688.1755732
  27. 27.
    Ongtang, M., McLaughlin, S.E., Enck, W., McDaniel, P.D.: Semantically rich application-centric security in android. Secur. Commun. Netw. 5(6), 658–673 (2012).  https://doi.org/10.1002/sec.360CrossRefGoogle Scholar
  28. 28.
  29. 29.
    Roesner, F., Kohno, T., Moshchuk, A., Parno, B., Wang, H.J., Cowan, C.: User-driven access control: rethinking permission granting in modern operating systems. In: IEEE Symposium on Security and Privacy, SP 2012, San Francisco, California, USA, 21–23 May 2012, pp. 224–238 (2012).  https://doi.org/10.1109/SP.2012.24
  30. 30.
    Security-enhanced linux. http://www.nsa.gov/research/selinux
  31. 31.
    Shabtai, A., Fledel, Y., Elovici, Y.: Securing android-powered mobile devices using selinux. IEEE Secur. Priv. 8(3), 36–44 (2010).  https://doi.org/10.1109/MSP.2009.144CrossRefGoogle Scholar
  32. 32.
    Smalley, S., Craig, R.: Security enhanced (SE) android: bringing flexible MAC to android. In: 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, 24–27 February 2013 (2013). https://www.ndss-symposium.org/ndss2013/
  33. 33.
  34. 34.
    Tomoyo linux home page. http://tomoyo.sourceforge.jp/
  35. 35.
    Wang, Z., Murmuria, R., Stavrou, A.: Implementing and optimizing an encryption filesystem on android. In: 13th IEEE International Conference on Mobile Data Management, MDM 2012, Bengaluru, India, 23–26 July 2012, pp. 52–62 (2012).  https://doi.org/10.1109/MDM.2012.31
  36. 36.
    Wu, L., Du, X., Zhang, H.: An effective access control scheme for preventing permission leak in android. In: International Conference on Computing, Networking and Communications, ICNC 2015, Garden Grove, CA, USA, 16–19 February 2015, pp. 57–61 (2015).  https://doi.org/10.1109/ICCNC.2015.7069315

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Sisi Yuan
    • 1
    • 2
    • 3
  • Yuewu Wang
    • 2
    • 3
  • Pingjian Wang
    • 2
    • 3
    Email author
  • Lingguang Lei
    • 2
    • 3
  • Quan Zhou
    • 2
    • 3
  • Jun Li
    • 4
  1. 1.School of Cyber SecurityUniversity of Chinese Academy of SciencesBeijingChina
  2. 2.Institute of Information Engineering, CASBeijingChina
  3. 3.Data Assurance and Communication Security Research Center, CASBeijingChina
  4. 4.Zhongxing Telecommunication Equipment CorporationShenzhenChina

Personalised recommendations