ABSTRACT
Smartphones are very effective tools for increasing the productivity of business users. With their increasing computational power and storage capacity, smartphones allow end users to perform several tasks and be always updated while on the move. As a consequence, end users require that their personal smartphones are connected to their work IT infrastructure. Companies are willing to support employee-owned smartphones because of the increase in productivity of their employees. However, smartphone security mechanisms have been discovered to offer very limited protection against malicious applications that can leak data stored on them. This poses a serious threat to sensitive corporate data. In this paper we present MOSES, a policy-based framework for enforcing software isolation of applications and data on the Android platform. In MOSES, it is possible to define distinct security profiles within a single smartphone. Each security profile is associated with a set of policies that control the access to applications and data. One of the main characteristics of MOSES is the dynamic switching from one security profile to another.
- Android malware steals info from one million phone owners. http://nakedsecurity.sophos.com/2010/07/29/android_malware_steals_info_million_phone_owners/.Google Scholar
- Android Project. http://www.android.com.Google Scholar
- Gartner says android to command nearly half of worldwide smartphone operating system market by year-end 2012. http://www.gartner.com/it/page.jsp?id=1622614.Google Scholar
- Mobile app malware menace grows. http://www.theregister.co.uk/2011/08/04/mobile_malware_trends/.Google Scholar
- These 26 Android Apps Will Steal Your Phone's Information. http://www.businessinsider.com/up_to_120000_android_phones_have_been_infected_with_malware_2011_5.Google Scholar
- Unisys establishes a bring your own device (byod) policy. http://www.insecureaboutsecurity.com/2011/03/14/unisys_establishes_a_bring_your_own_device_byod_policy/.Google Scholar
- Worldwide smartphone market expected to grow 55% in 2011 and approach shipments of one billion in 2015. http://www.idc.com/getdoc.jsp?containerId=prUS22871611.Google Scholar
- Guangdong Bai, Liang Gu, Tao Feng, Yao Guo, and Xiangqun Chen. Context-aware usage control for android. In Proc. SecureComm 2010, pages 326--343, 2010.Google ScholarCross Ref
- Alastair R Beresford, Andrew Rice, and Nicholas Skehin. MockDroid: trading privacy for application functionality on smartphones. In Proc. HotMobile '11, 2011. Google ScholarDigital Library
- Jeffrey Bickford, Ryan O'Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode. Rootkits on smart phones: Attacks, implications and opportunities. In Proceedings of HotMobile 2010, 2010. Google ScholarDigital Library
- Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Thomas Fischer, and Ahmad-Reza Sadeghi. Xmandroid: A new android evolution to mitigate privilege escalation attacks. Technical report, Technische Universität Darmstadt, D-64293 Darmstadt, Germany, June 2011. Available at: http://www.informatik.tu-darmstadt.de/fileadmin/user_upload/Group_TRUST/PubsPDF/xmandroid.pdf.Google Scholar
- Sven Bugiel, Lucas Davi, Alexandra Dmitrienko, Stephan Heuser, Ahmad-Reza Sadeghi, and Bhargava Shastry. Practical and lightweight domain isolation on android. In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, SPSM '11, pages 51--62, 2011. Google ScholarDigital Library
- Mauro Conti, Vu Thien Nga Nguyen, and Bruno Crispo. Crepe: context-related policy enforcement for android. In Proceedings of the 13th international conference on Information security, ISC'10, pages 331--345, Berlin, Heidelberg, 2011. Springer-Verlag. Google ScholarDigital Library
- Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, and Marcel Winandy. Privilege escalation attacks on android. In Proceedings of the 13th international conference on Information security, ISC'10, pages 346--360, 2011. Google ScholarDigital Library
- Michael Dietz, Shashi Shekhar, Yuliy Pisetsky, Anhei Shu, and Dan S. Wallach. Quire: Lightweight provenance for smart phone operating systems. In 20th USENIX Security Symposium, 2011. Google ScholarDigital Library
- Technische Universitat Dresden and University of Technology Berlin. L4android.Google Scholar
- William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of OSDI 2010, October 2010. Google ScholarDigital Library
- William Enck, Machigar Ongtang, and Patrick McDaniel. Understanding android security. IEEE Security and Privacy, 7(1):50--57, 2009. Google ScholarDigital Library
- Nancy Gohring. VMWare Shows off Mobile Virtualization on Android. Internet Article, February 2011.Google Scholar
- Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, and David Wetherall. "These aren't the droids you're looking for": Retroffiting android to protect data from imperious applications. In 18th ACM Conference on Computer and Communications Security (CCS'11), CCS 2011, 2011. Google ScholarDigital Library
- Matthias Lange, Steffen Liebergeld, Adam Lackorzynski, Alexander Warg, and Michael Peter. L4android: a generic operating system framework for secure smartphones. In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, SPSM '11, pages 39--50, New York, NY, USA, 2011. ACM. Google ScholarDigital Library
- Anthony Lineberry, David Luke Richardson, and Tim Wyatt. These aren't the permissions you're looking, 2010. Available at: http://dtors.files.wordpress.com/2010/08/blackhat-2010-slides.pdf.Google Scholar
- Mohammad Nauman, Sohail Khan, and Xinwen Zhang. Apex: extending android permission model and enforcement with user-defined runtime constraints. In Proc. ASIACCS '10, pages 328--332, 2010. Google ScholarDigital Library
- Machigar Ongtang, Stephen McLaughlin, William Enck, and Patrick McDaniel. Semantically rich application-centric security in android. In Proc. ACSAC '09, pages 73--82, 2009. Google ScholarDigital Library
- SYBASE White Paper. Are Your Sales Reps Missing Important Sales Opportunities? http://m.sybase.com/files/White_Papers/Solutions_SAP_Reps.pdf.Google Scholar
- Georgios Portokalidis, Philip Homburg, Kostas Anagnostakis, and Herbert Bos. Paranoid android: versatile protection for smartphones. In Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC '10, pages 347--356, 2010. Google ScholarDigital Library
- Giovanni Russello, Bruno Crispo, Earlence Fernandes, and Yuri Zhauniarovich. Yaase: Yet another android security extension. In SocialCom/PASSAT, pages 1033--1040. IEEE, 2011.Google ScholarCross Ref
- Roman Schlegel, Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, and XiaoFeng Wang. Soundcomber: A stealthy and context-aware sound trojan for smartphones. In Proceedings of the 18th Annual Network & Distributed System Security Symposium, NDSS '11, pages 17--33, 2011.Google Scholar
- Asaf Shabtai, Yuval Fledel, Uri Kanonov, Yuval Elovici, Shlomi Dolev, and Chanan Glezer. Google android: A comprehensive security assessment. IEEE Security and Privacy, 8:35--44, 2010. Google ScholarDigital Library
- Yang Xu, Felix Bruns, Elizabeth Gonzalez, Shadi Traboulsi, Klaus Mott, and Attila Bilgic. Performance evaluation of para-virtualization on modern mobile phone platform. In Proceedings of the International Conference on Computer, Electrical, and Systems Science, and Engineering, 2010.Google Scholar
- Yajin Zhou, Xinwen Zhang, Xuxian Jiang, and V.W. Freeh. Taming Information-Stealing Smartphone Applications (on Android). In Proc. TRUST 2011, 2011. Google ScholarDigital Library
Recommendations
MockDroid: trading privacy for application functionality on smartphones
HotMobile '11: Proceedings of the 12th Workshop on Mobile Computing Systems and ApplicationsMockDroid is a modified version of the Android operating system which allows a user to 'mock' an application's access to a resource. This resource is subsequently reported as empty or unavailable whenever the application requests access. This approach ...
Sub-operating systems: a new approach to application security
EW 10: Proceedings of the 10th workshop on ACM SIGOPS European workshopUsers regularly exchange apparently innocuous data files using email and ftp. While the users view these data as passive, there are situations when they are interpreted as code by some system application. In that case the data become "active". Some ...
FireDroid: hardening security in almost-stock Android
ACSAC '13: Proceedings of the 29th Annual Computer Security Applications ConferenceMalware poses a serious threat to Android smartphones. Current security mechanisms offer poor protection and are often too inflexible to quickly mitigate new exploits. In this paper we present FireDroid, a policy-based framework for enforcing security ...
Comments