research-article

Constroid: data-centric access control for android

Authors:

Daniel Schreckling,

Joachim Posegga,

Daniel HausknechtAuthors Info & Claims

SAC '12: Proceedings of the 27th Annual ACM Symposium on Applied Computing

Pages 1478 - 1485

https://doi.org/10.1145/2245276.2232012

Published: 26 March 2012 Publication History

Abstract

We introduce Constroid, a data-centric security policy management framework for Android. It defines a new middleware which allows the developer to specify well defined data items of fine granularity. For these data items, Constroid administrates security policies which are based on the usage control model. They can only be modified by the user of an application not by the applications itself. We use Con-stroid's middle-ware to protect the security policies, ensure consistency between a data item and its corresponding security policy, and describe how our prototype implementation can enforce a subset of possible usage control policies. In this way, our contribution shows how we overcome the rigid API-driven approach to security in Android. The structure and implementation of our framework is presented and discussed in terms of security, performance, and usability.

References

[1]

Apple Inc. Core Data Tutorial for iOS. Available at: http://developer.apple.com/library/ios/. June 2011.

[2]

Apple Inc. Security Overview. Technical report, Cupertino, CA, USA, July 2010.

[3]

A. Castrucci, F. Martinelli, P. Mori, and F. Roperti. Enhancing Java ME Security Support with Resource Usage Monitoring. In 10th International Conference on Information and Communications Security, volume 5308, pages 256--266, Birmingham, UK, October 2008. Springer-Verlag Berlin Heidelberg.

Digital Library

[4]

G. Costa, A. Lazouski, N. Dragoni, R. Saadi, and D. Ingegneria. Security-by-Contract-with-Trust for Mobile Devices. Journal of Wireless Mobile Networks, Ubiquitous Computing and Dependable Applications (JoWUA), 1(4): 75--91, December 2010.

[5]

L. Desmet, W. Joosen, F. Massacci, P. Philippaerts, F. Piessens, I. Siahaan, and D. Vanoverberghe. Security-by-contract on the .NET platform. Information Security Technical Report, 13(1): 25--32, January 2008.

Digital Library

[6]

W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of OSDI 2010, pages 1--6, Vancouver, BC, USA, October 2010. USENIX Association.

Digital Library

[7]

W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone application certification. In Proceedings of the 16th ACM conference on Computer and communications security, pages 235--245, New York, NY, USA, 2009. ACM Press.

Digital Library

[8]

W. Enck, M. Ongtang, and P. McDaniel. Understanding Android Security. IEEE Security & Privacy Magazine, 7(1): 50--57, January 2009.

Digital Library

[9]

C. Heath. Symbian OS Platform Security, Software Development Using the Symbian OS Security Architecture. John Wiley & Sons Ltd., 2006.

Digital Library

[10]

J. Liu, M. D. George, K. Vikram, L. Waye, and A. C. Myers. Fabric: A Platform for Secure Distributed Computation and Storage. In 22nd ACM Symposium on Operating Systems Principles, pages 312--334, Big Sky, MT, USA, October 2009. ACM Press.

Digital Library

[11]

Microsoft Corporation. Windows Phone 7 Security Model. Technical report, December 2010.

[12]

S. Nair, P. Simpson, B. Crispo, and A. Tanenbaum. A Virtual Machine Based Information Flow Control System for Policy Enforcement. Electronic Notes in Theoretical Computer Science, 197(1): 3--16, February 2008.

Digital Library

[13]

S. Nair, P. Simpson, B. Crispo, and A. Tanenbaum. Trishul: A Policy Enforcement Architecture for Java Virtual Machines. Technical report, Vrije Universiteit, Amsterdam, Netherlands, 2008.

[14]

S. Nair, A. Tanenbaum, G. Gheorghe, and B. Crispo. Enforcing DRM policies across applications. In Proceedings of the 8th ACM workshop on Digital rights management - DRM '08, page 87, New York, New York, USA, 2008. ACM Press.

Digital Library

[15]

M. Nauman, S. Khan, and X. Zhang. Apex: Extending Android Permission Model and Enforcement with User-defined Runtime Constraints. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pages 328--332, Beijing, China, 2010. ACM Press.

Digital Library

[16]

M. Ongtang, K. Butler, and P. McDaniel. Porscha: Policy Oriented Secure Content Handling in Android. In Proceedings of the 26th Annual Computer Security Applications Conference, New York, NY, USA, December 2010. ACM Press.

Digital Library

[17]

M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel. Semantically Rich Application-Centric Security in Android. In 2009 Annual Computer Security Applications Conference, pages 340--349. IEEE Computer Society, December 2009.

Digital Library

[18]

J. Park and R. Sandhu. The UCON_ABC usage control model. ACM Transactions on Information and System Security, 7(1): 128--174, February 2004.

Digital Library

[19]

P. Philippaerts. Security of Software on Mobile Devices. PhD thesis, Department of Computer Science, Faculty of Engineering, Leuven, Belgium, October 2010.

[20]

Research in Motion Ltd. BlackBerry Enterprise Solution, Security Technical Overview for BlackBerry Enterprise Server Version 4.1 Service Pack 6 and BlackBerry Device Software Version 4.6. Technical report, Canada, March 2009.

[21]

R. Rogers, J. Lombardo, Z. Mednieks, and B. Meike. Android Application Development: Programming with the Google SDK. O'Reilly, Beijing, China, 2009.

Digital Library

[22]

C. Schaefer. Usage Control Reference Monitor Architecture. In Third International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU 2007), pages 13--18. Ieee, July 2007.

[23]

H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis. In Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 116--127, New York, NY, USA, 2007. ACM Press.

Digital Library

Cited By

Stach CMitschang B(2019)Elicitation of Privacy Requirements for the Internet of Things Using ACCESSORSInformation Systems Security and Privacy10.1007/978-3-030-25109-3_3(40-65)Online publication date: 5-Jul-2019
https://doi.org/10.1007/978-3-030-25109-3_3
Schreckling DKöStler JSchaff M(2018)KynoidInformation Security Tech. Report10.1016/j.istr.2012.10.00617:3(71-80)Online publication date: 15-Dec-2018
https://dl.acm.org/doi/10.1016/j.istr.2012.10.006
Sadeghi ABagheri HGarcia JMalek S(2017)A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android SoftwareIEEE Transactions on Software Engineering10.1109/TSE.2016.261530743:6(492-530)Online publication date: 1-Jun-2017
https://doi.org/10.1109/TSE.2016.2615307
Show More Cited By

Index Terms

Constroid: data-centric access control for android
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Obligation Management Framework for Usage Control
SACMAT 2024: Proceedings of the 29th ACM Symposium on Access Control Models and Technologies

Obligations were introduced in access and usage control as a mechanism to specify mandatory actions to be fulfilled as part of authorization. In this paper, we address challenges related to obligation management in access and usage control, focusing on ...
The UCON_ABC usage control model

In this paper, we introduce the family of UCON_ABC models for usage control (UCON), which integrate Authorizations (A), oBligations (B), and Conditions (C). We call these core models because they address the essence of UCON, leaving administration, ...
Enforcing fine-grained security and privacy policies in an ecosystem within an ecosystem
MobileDeLi 2015: Proceedings of the 3rd International Workshop on Mobile Development Lifecycle

Smart home automation and IoT promise to bring many advantages but they also expose their users to certain security and privacy vulnerabilities. For example, leaking the information about the absence of a person from home or the medicine somebody is ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SAC '12: Proceedings of the 27th Annual ACM Symposium on Applied Computing

March 2012

2179 pages

ISBN:9781450308571

DOI:10.1145/2245276

Conference Chairs:
Sascha Ossowski
University Rey Juan Carlos, Spain
,
Paola Lecca
The Microsoft Research - University of Trento COSBI, Italy

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGAPP: ACM Special Interest Group on Applied Computing

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 26 March 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SAC 2012

Sponsor:

SIGAPP

SAC 2012: ACM Symposium on Applied Computing

March 26 - 30, 2012

Trento, Italy

Acceptance Rates

SAC '12 Paper Acceptance Rate 270 of 1,056 submissions, 26%;

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Upcoming Conference

SAC '25

Sponsor:
sigapp

The 40th ACM/SIGAPP Symposium on Applied Computing

March 31 - April 4, 2025

Catania , Italy

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
385
Total Downloads

Downloads (Last 12 months)3
Downloads (Last 6 weeks)0

Reflects downloads up to 01 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Stach CMitschang B(2019)Elicitation of Privacy Requirements for the Internet of Things Using ACCESSORSInformation Systems Security and Privacy10.1007/978-3-030-25109-3_3(40-65)Online publication date: 5-Jul-2019
https://doi.org/10.1007/978-3-030-25109-3_3
Schreckling DKöStler JSchaff M(2018)KynoidInformation Security Tech. Report10.1016/j.istr.2012.10.00617:3(71-80)Online publication date: 15-Dec-2018
https://dl.acm.org/doi/10.1016/j.istr.2012.10.006
Sadeghi ABagheri HGarcia JMalek S(2017)A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android SoftwareIEEE Transactions on Software Engineering10.1109/TSE.2016.261530743:6(492-530)Online publication date: 1-Jun-2017
https://doi.org/10.1109/TSE.2016.2615307
Xu MSong CJi YShih MLu KZheng CDuan RJang YLee BQian CLee SKim T(2016)Toward Engineering a Secure Android EcosystemACM Computing Surveys10.1145/296314549:2(1-47)Online publication date: 13-Aug-2016
https://dl.acm.org/doi/10.1145/2963145
Suarez-Tangil GTapiador JPeris-Lopez PRibagorda A(2014)Evolution, Detection and Analysis of Malware for Smart DevicesIEEE Communications Surveys & Tutorials10.1109/SURV.2013.101613.0007716:2(961-987)Online publication date: Oct-2015
https://doi.org/10.1109/SURV.2013.101613.00077
Schreckling DPosegga JKöstler JSchaff M(2012)KynoidProceedings of the 6th IFIP WG 11.2 international conference on Information Security Theory and Practice: security, privacy and trust in computing systems and ambient intelligent ecosystems10.1007/978-3-642-30955-7_18(208-223)Online publication date: 20-Jun-2012
https://dl.acm.org/doi/10.1007/978-3-642-30955-7_18

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten