
Practical Context-Aware Permission Control for Hybrid Mobile Applications

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8145)

Abstract

The rapid growth of mobile computing has resulted in the development of new programming paradigms for quick and easy development of mobile applications. Hybrid frameworks, such as PhoneGap, allow the use of web technologies to develop applications with native access to a device’s resources. These untrusted third-party applications desire access to the user’s data and the device’s resources, leaving that content vulnerable to accidental or malicious leaks by the applications. The hybrid frameworks present new opportunities to enhance the security of mobile platforms by providing an application-layer runtime for controlling an application’s behavior.

In this work, we present a practical design of a novel framework, named MobileIFC, for building privacy-preserving hybrid applications for mobile platforms. We use information flow models to control what untrusted applications can do with the information they receive. We utilize the framework to develop a fine-grained, context-sensitive permission model that enables users and application developers to specify rich policies. We show the viability of our design by means of a framework prototype. The usability of the framework and the permission model is further evaluated by developing sample applications using the framework APIs. Our evaluation and experience suggest that MobileIFC provides a practical and performant security solution for hybrid mobile applications.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Singh, K. (2013). Practical Context-Aware Permission Control for Hybrid Mobile Applications. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_16


  • DOI: https://doi.org/10.1007/978-3-642-41284-4_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41283-7

  • Online ISBN: 978-3-642-41284-4

  • eBook Packages: Computer Science, Computer Science (R0)
