Abstract
Mobile application security is nowadays one of the most important topics in information security, because of the pervasiveness of mobile applications in people's lives. Among mobile applications, those that interact with social network profiles have great development potential, since they reach another powerful asset of today's cyberspace. However, one of the problems that can limit the diffusion of social network applications is the lack of fine-grained control when an application uses the APIs of a social network to access a profile. For instance, in Twitter the supported access control policy is basically on/off: if a (third-party) application needs the right to write to a user profile, the user is forced to grant this right with no restriction over the entire profile. This enables a large set of security threats and can make users (even inexpert ones) reluctant to run such applications. To overcome this problem, we propose an effective solution for Android Twitter applications based on a middleware approach. The proposed solution enables further benefits, such as anomaly-based malware detection leveraging API-call patterns, and it can be extended to a multiple-social-network scenario.
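As an added illustration (this is not the paper's middleware, whose design is not reproduced on this page), the following Python sketch shows the two mechanisms the abstract names: a per-app policy that is finer than Twitter's all-or-nothing write grant (allowed endpoints, a write quota, a content filter), and an anomaly score over an app's API-call pattern. The endpoint names follow Twitter REST API v1.1 naming; the policy format, the app names, the sample calls and the threshold are constructed for this example. Python is used instead of Android Java so that the decision logic can be run directly.

```python
"""Illustrative fine-grained policy check and API-call-pattern anomaly score.

Added example, not the paper's own middleware. Endpoint names follow Twitter
REST API v1.1 naming; the Policy format, the app names and the sample calls
are assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ApiCall:
    """One intercepted call from a third-party app to the Twitter REST API."""
    app: str        # installed app the middleware attributes the call to
    method: str     # HTTP method; POST calls are treated as writes
    endpoint: str   # API resource, e.g. "statuses/update"
    params: dict    # request parameters
    ts: float       # Unix timestamp of the call


@dataclass
class Policy:
    """What the user grants to one app, instead of an all-or-nothing write token."""
    allowed_endpoints: frozenset
    max_writes_per_hour: int
    forbidden_patterns: tuple = ()   # regexes applied to posted text


class PolicyMiddleware:
    """Sits between the app and the network and decides each call before it leaves."""

    def __init__(self, policies):
        self.policies = policies   # app name -> Policy (unknown apps: default deny)
        self.write_log = {}        # app name -> timestamps of writes let through

    def decide(self, call):
        """Return (allowed, reason). Only writes that pass every check consume quota."""
        policy = self.policies.get(call.app)
        if policy is None:
            return False, "no policy configured for this app (default deny)"
        if call.endpoint not in policy.allowed_endpoints:
            return False, f"endpoint {call.endpoint} not granted"
        if call.method.upper() != "POST":
            return True, "read allowed"
        recent = [t for t in self.write_log.get(call.app, []) if call.ts - t < 3600]
        if len(recent) >= policy.max_writes_per_hour:
            return False, "hourly write quota exhausted"
        text = " ".join(str(v) for k, v in call.params.items() if k in ("status", "text"))
        for pattern in policy.forbidden_patterns:
            if re.search(pattern, text):
                return False, f"content matches forbidden pattern {pattern!r}"
        self.write_log.setdefault(call.app, []).append(call.ts)
        return True, "write allowed"


def endpoint_profile(calls):
    """Relative frequency of each endpoint in a sequence of calls."""
    counts = Counter(c.endpoint for c in calls)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def anomaly_score(baseline, window):
    """Total variation distance between two endpoint distributions, in [0, 1]."""
    keys = set(baseline) | set(window)
    return 0.5 * sum(abs(baseline.get(k, 0.0) - window.get(k, 0.0)) for k in keys)


# Constructed policy: the app may read the timeline and post tweets, at most two
# per hour, and may not post shortened links.
PHOTO_APP_POLICY = Policy(
    allowed_endpoints=frozenset({"statuses/update", "statuses/user_timeline"}),
    max_writes_per_hour=2,
    forbidden_patterns=(r"https?://bit\.ly/",),
)


def run_policy_demo():
    """Feed constructed calls through the middleware; returns the (allowed, reason) list."""
    mw = PolicyMiddleware({"photo_app": PHOTO_APP_POLICY})
    calls = [
        ApiCall("photo_app", "GET", "statuses/user_timeline", {}, 1000),
        ApiCall("photo_app", "POST", "statuses/update", {"status": "new photo"}, 1010),
        ApiCall("photo_app", "POST", "direct_messages/new", {"text": "hi"}, 1020),
        ApiCall("photo_app", "POST", "statuses/update", {"status": "see http://bit.ly/x"}, 1030),
        ApiCall("photo_app", "POST", "statuses/update", {"status": "second photo"}, 1040),
        ApiCall("photo_app", "POST", "statuses/update", {"status": "third photo"}, 1050),
        ApiCall("photo_app", "POST", "statuses/update", {"status": "an hour later"}, 4650),
        ApiCall("other_app", "GET", "statuses/user_timeline", {}, 4660),
    ]
    return [mw.decide(c) for c in calls]


def run_anomaly_demo(threshold=0.5):
    """Score two constructed windows against a learned baseline; returns (score, flagged) pairs."""
    def calls(endpoint, n):
        return [ApiCall("photo_app", "GET", endpoint, {}, i) for i in range(n)]

    baseline = endpoint_profile(calls("statuses/user_timeline", 8) + calls("statuses/update", 2))
    normal = endpoint_profile(calls("statuses/user_timeline", 4) + calls("statuses/update", 1))
    suspicious = endpoint_profile(calls("statuses/user_timeline", 1)
                                  + calls("friendships/create", 4)
                                  + calls("direct_messages/new", 5))
    return [(round(anomaly_score(baseline, w), 3), anomaly_score(baseline, w) > threshold)
            for w in (normal, suspicious)]


if __name__ == "__main__":
    for allowed, reason in run_policy_demo():
        print("ALLOW" if allowed else "DENY ", reason)
    print(run_anomaly_demo())
```

The decision order matters: the endpoint check and the quota check come before the content filter, so a write rejected for its content does not consume quota, and a call from an app with no configured policy is denied rather than passed through. The anomaly score is deliberately simple (a distance between endpoint-frequency distributions); a deployed detector would need a longer baseline and a threshold tuned per app.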
Acknowledgment
This work has been partially supported by the Program "Programma Operativo Nazionale Ricerca e Competitività" 2007–2013, Distretto Tecnologico CyberSecurity, funded by the Italian Ministry of Education, University and Research.
© 2016 Springer International Publishing AG
About this paper
Buccafurri, F., Lax, G., Nicolazzo, S., Nocera, A. (2016). A Middleware to Allow Fine-Grained Access Control of Twitter Applications. In: Boumerdassi, S., Renault, É., Bouzefrane, S. (eds) Mobile, Secure, and Programmable Networking. MSPN 2016. Lecture Notes in Computer Science, vol 10026. Springer, Cham. https://doi.org/10.1007/978-3-319-50463-6_14
DOI: https://doi.org/10.1007/978-3-319-50463-6_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-50462-9
Online ISBN: 978-3-319-50463-6