Advertisement

Decentralized Dynamic Security Enforcement for Mobile Applications with CliSeAuDroid

  • Tobias HamannEmail author
  • Heiko Mantel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11358)

Abstract

To date, Android is by far the most prevalent operating system for mobile devices. With Android devices taking a vital role in the everyday life of users, applications on these devices are handling vast amounts of private and potentially sensitive information, as well as sensitive sensor data like the device location. The built-in security mechanisms of the Android platform offer only limited protection for this data and device resources, and are not sufficient to enforce fine-grained policies on how data is used by applications. We present CliSeAuDroid, a runtime enforcement mechanism for Android applications that can enforce fine-grained security policies, either locally within a single application, across multiple applications, or even across multiple devices. We show that CliSeAuDroid can effectively ensure user-defined security requirements that protect sensitive data and resources on Android devices and adds only little runtime overhead to protected applications.

Notes

Acknowledgments

This work was supported by the DFG under the project RSCP (MA 3326/4-3) in the priority program RS\(^{3}\) (SPP 1496).

References

  1. 1.
    Android Distribution Dashboard. https://developer.android.com/about/dashboards/. Accessed 3 Sept 2018
  2. 2.
    F-Droid. https://www.f-droid.org. Accessed 3 Sept 2018
  3. 3.
    Firebase Cloud Messaging (FCM). https://firebase.google.com/docs/cloud-messaging/. Accessed 3 Sept 2018
  4. 4.
    Arzt, S., Rasthofer, S., Bodden, E.: Instrumenting Android and Java applications as easy as abc. In: Legay, A., Bensalem, S. (eds.) RV 2013. LNCS, vol. 8174, pp. 364–381. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-40787-1_26CrossRefGoogle Scholar
  5. 5.
    Arzt, S., et al.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In: PLDI 2014, pp. 259–269 (2014)Google Scholar
  6. 6.
    Backes, M., Bugiel, S., Gerling, S., von Styp-Rekowsky, P.: Android security framework: extensible multi-layered access control on Android. In: ACSAC 2014, pp. 46–55 (2014)Google Scholar
  7. 7.
    Banuri, H., et al.: An Android runtime security policy enforcement framework. Pers. Ubiquitous Comput. 16(6), 631–641 (2012)CrossRefGoogle Scholar
  8. 8.
    Chen, H., Tiu, A., Xu, Z., Liu, Y.: A permission-dependent type system for secure information flow analysis. In: CSF 2018, pp. 218–232 (2018)Google Scholar
  9. 9.
    Conti, M., Nguyen, V.T.N., Crispo, B.: CRePE: context-related policy enforcement for Android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 331–345. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-18178-8_29CrossRefGoogle Scholar
  10. 10.
    Enck, W., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. 32(2), 5 (2014)CrossRefGoogle Scholar
  11. 11.
    Gay, R., Hu, J., Mantel, H.: CliSeAu: securing distributed Java programs by cooperative dynamic enforcement. In: Prakash, A., Shyamasundar, R. (eds.) ICISS 2014. LNCS, vol. 8880, pp. 378–398. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-13841-1_21CrossRefGoogle Scholar
  12. 12.
    Gay, R., Hu, J., Mantel, H., Mazaheri, S.: Relationship-based access control for resharing in decentralized online social networks. In: Imine, A., Fernandez, J.M., Marion, J.-Y., Logrippo, L., Garcia-Alfaro, J. (eds.) FPS 2017. LNCS, vol. 10723, pp. 18–34. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-75650-9_2CrossRefGoogle Scholar
  13. 13.
    Gay, R., Hu, J., Mantel, H., Schickel, J.: Towards accelerated usage control based on access correlations. In: Lipmaa, H., Mitrokotsa, A., Matulevičius, R. (eds.) NordSec 2017. LNCS, vol. 10674, pp. 245–261. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70290-2_15CrossRefGoogle Scholar
  14. 14.
    Gay, R., Mantel, H., Sprick, B.: Service automata. In: Barthe, G., Datta, A., Etalle, S. (eds.) FAST 2011. LNCS, vol. 7140, pp. 148–163. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29420-4_10CrossRefGoogle Scholar
  15. 15.
    Graa, M., Cuppens-Boulahia, N., Cuppens, F., Lanet, J.-L.: Tracking explicit and control flows in Java and native Android apps code. In: ICISSP 2016, pp. 307–316 (2016)Google Scholar
  16. 16.
    Lazouski, A., Martinelli, F., Mori, P., Saracino, A.: Stateful data usage control for Android mobile devices. Int. J. Inf. Secur. 16(4), 345–369 (2017)CrossRefGoogle Scholar
  17. 17.
    Li, L., Bissyandé, T.F., Papadakis, M., Rasthofer, S., Bartel, A., Octeau, D., Klein, J., Le Traon, Y.: Static analysis of Android apps: a systematic literature review. Inf. Softw. Technol. 88, 67–95 (2017)CrossRefGoogle Scholar
  18. 18.
    Lortz, S., Mantel, H., Starostin, A., Bähr, T., Schneider, D., Weber, A.: Cassandra: towards a certifying app store for Android. In: SPSM 2014, pp. 93–104 (2014)Google Scholar
  19. 19.
    Rasthofer, S., Arzt, S., Lovat, E., Bodden, E.: DroidForce: enforcing complex, data-centric, system-wide policies in Android. In: ARES 2014, pp. 40–49 (2014)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Department of Computer ScienceTU DarmstadtDarmstadtGermany

Personalised recommendations