Skip to main content
SpringerLink
Log in

Owner-Centric Protection of Unstructured Data on Smartphones

  • Conference paper
Trust and Trustworthy Computing (Trust 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8564))

Included in the following conference series:

Abstract

Modern smartphone apps tend to contain and use vast amounts of data that can be broadly classified as structured and unstructured. Structured data, such as an user’s geolocation, has predefined semantics that can be retrieved by well-defined platform APIs. Unstructured data, on the other hand, relies on the context of the apps to reflect its meaning and value, and is typically provided by the user directly into an app’s interface. Recent research has shown that third-party apps are leaking highly-sensitive unstructured data, including user’s banking credentials. Unfortunately, none of the current solutions focus on the protection of unstructured data.

In this paper, we propose an owner-centric solution to protect unstructured data on smartphones. Our approach allows the data owners to specify security policies when providing their untrusted data to third-party apps. It tracks the flow of information to enforce the owner’s policies at strategic exit points. Based on this approach, we design and implement a system, called DataChest. We develop several mechanisms to reduce user burden and keep interruption to the minimum, while at the same time preventing the malicious apps from tricking the user. We evaluate our system against a set of real-world malicious apps and a series of synthetic attacks to show that it can successfully prevent the leakage of unstructured data while incurring reasonable performance overhead.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. CaffeineMark 3.0, http://www.benchmarkhq.ru/cm30/

  2. Layouts, http://developer.android.com/guide/topics/ui/declaring-layout.html

  3. Mobile Payment Libraries, https://www.x.com/developers/paypal/products/mobile-payment-libraries

  4. Rogue phishing app smuggled onto Android Marketplace, http://www.theregister.co.uk/2010/01/11/android_phishing_app/

  5. UI Overview, http://developer.android.com/guide/topics/ui/overview.html

  6. Will Your Next TV Manual Ask You to Run a Scan Instead of Adjusting the Antenna? http://www.symantec.com/connect/blogs/will-your-next-tv-manual-ask-you-run-scan-instead-adjusting-antenna

  7. YouDao Dictionary, https://play.google.com/store/apps/details?id=com.youdao.dict

  8. Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.-R., Shastry, B.: Towards Taming Privilege-Escalation Attacks on Android. In: NDSS (2012)

    Google Scholar 

  9. Chen, Y.-Y., Jamkhedkar, P.A., Lee, R.B.: A Software-Hardware Architecture for Self-Protecting Data. In: CCS (2012)

    Google Scholar 

  10. Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing Inter-Application Communication in Android. In: MobiSys (2011)

    Google Scholar 

  11. Dietz, M., Shekhar, S., Pisetsky, Y., Shu, A., Wallach, D.S.: QUIRE: Lightweight Provenance for Smart Phone Operating Systems. In: USENIX Security Symposium (2011)

    Google Scholar 

  12. Egele, M., Kruegel, C., Kirda, E., Vigna, G.: PiOS: Detecting Privacy Leaks in iOS Applications. In: NDSS (2011)

    Google Scholar 

  13. Enck, W., Gilbert, P., gon Chun, B., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In: USENIX Symposium on OSDI (2010)

    Google Scholar 

  14. Felt, A.P., Wang, H.J., Moshchuk, A., Hanna, S., Chin, E.: Permission Re-Delegation: Attacks and Defenses. In: USENIX Security Symposium (2011)

    Google Scholar 

  15. Grace, M., Zhou, W., Jiang, X., Sadeghi, A.-R.: Unsafe Exposure Analysis of Mobile In-App Advertisements. In: ACM WiSec (2012)

    Google Scholar 

  16. Grace, M., Zhou, Y., Wang, Z., Jiang, X.: Systematic Detection of Capability Leaks in Stock Android Smartphones. In: NDSS (2012)

    Google Scholar 

  17. Gu, B., Li, X., Li, G., Champion, A.C., Chen, Z., Qin, F., Xuan, D.: D2Taint: Differentiated and Dynamic Information Flow Tracking on Smartphones for Numerous Data Sources. In: INFOCOM (2013)

    Google Scholar 

  18. Hardy, N.: The Confused Deputy (or why capabilities might have been invented). ACM SIGOPS Operating Systems Review, 22 (October 1998)

    Google Scholar 

  19. Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: These Aren’t the Droids You’re Looking For”: Retroffiting Android to Protect Data from Imperious Applications. In: ACM CCS (2011)

    Google Scholar 

  20. Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G.: CHEX: Statically Vetting Android Apps for Component Hijacking Vulnerabilities. In: CCS (2012)

    Google Scholar 

  21. Nauman, M., Khan, S., Zhang, X.: Apex: Extending Android Permission Model and Enforcement with User-Defined Runtime Constraints. In: ASIACCS (2010)

    Google Scholar 

  22. Pearce, P., Felt, A.P., Nunez, G., Wagner, D.: AdDroid: Privilege Separation for Applications and Advertisers in Android. In: ASIACCS (2012)

    Google Scholar 

  23. Sarwar, G., Mehani, O., Boreli, R., Kaafarn, M.A.: On the Effectiveness of Dynamic Taint Analysis for Protecting Against Private Information Leaks on Android-based Devices. In: SECRYPT (2013)

    Google Scholar 

  24. Shekhar, S., Dietz, M., Wallach, D.S.: AdSplit: Separating smartphone advertising from applications. In: USENIX Security Symposium (2012)

    Google Scholar 

  25. Shneiderman, B.: Designing the User Interface: Strategies for Effective Human-Computer Interaction, 3rd edn. Addison-Wesley (1998)

    Google Scholar 

  26. Tang, Y., Ames, P., Bhamidipati, S., Bijlani, A., Geambasu, R., Sarda, N.: CleanOS: Limiting Mobile Data Exposure with Idle Eviction. In: USENIX Symposium on OSDI (2012)

    Google Scholar 

  27. Xu, R., Saidi, H., Anderson, R.: Aurasium: Practical Policy Enforcement for Android Applications. In: USENIX Security Symposium (2012)

    Google Scholar 

  28. Zhou, Y., Jian, X.: Detecting Passive Content Leaks and Pollution in Android Applications. In: NDSS (2013)

    Google Scholar 

  29. Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, You, Get off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In: NDSS (2012)

    Google Scholar 

  30. Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming Information-Stealing Smartphone Applications (on Android). In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 93–107. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  31. Zhu, D.Y., Jung, J., Song, D., Kohno, T., Wetherall, D.: TaintEraser: Protecting Sensitive Data Leaks Using Application-Level Taint Tracking. In: ACM Operating Systems Review (2011)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. North Carolina State University, USA

    Yajin Zhou & Xuxian Jiang

  2. IBM T.J. Watson Research Center, USA

    Kapil Singh

Authors
  1. Yajin Zhou
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kapil Singh
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Xuxian Jiang
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Chair for Systems Security, Ruhr-University Bochum, Universitätsstr. 150, ID 2/439, 44780, Bochum, Germany

    Thorsten Holz

  2. Institute of Computer Science, Foundation for Research and Technology - Hellas (FORTH), Greece

    Sotiris Ioannidis

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Zhou, Y., Singh, K., Jiang, X. (2014). Owner-Centric Protection of Unstructured Data on Smartphones. In: Holz, T., Ioannidis, S. (eds) Trust and Trustworthy Computing. Trust 2014. Lecture Notes in Computer Science, vol 8564. Springer, Cham. https://doi.org/10.1007/978-3-319-08593-7_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-08593-7_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08592-0

  • Online ISBN: 978-3-319-08593-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation