ABSTRACT
Android is a massively popular platform in the fast-growing smartphone industry. The core Android security model follows an all-or-nothing policy which either allows an application access to all requested permissions or doesn't install it at all. Several extensions to this core model are surfacing with different syntax and semantics and each manufacturer may choose a different mechanism for policy enforcement on its devices. In this paper, we present a framework that allows stakeholder to specify their policies in a high-level language independent of the target model. These high-level requirements are transformed to the target model depending on the scenario. We present the design decisions regarding this new language, formally specify its syntax and semantics and provide an eclipse-based plug-in that integrates with the official Android Development Tools to perform the transformations. The end product is a tool which allows stakeholder to easily specify and manage their policies independent of the target model.
- C. A. Ardagna, M. Cremonini, E. Damiani, S. D. C. di Vimercati, and P. Samarati. Supporting location-based conditions in access control policies. In Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS'06), page 222. ACM, 2006. Google ScholarDigital Library
- M. Bartoletti, P. Degano, and G. L. Ferrari. History-based Access Control with Local Policies. In Proceedings of the 8th International Conference on Foundations of Software Science and Computational Structures, pages 4--8. Springer, 2005. Google ScholarDigital Library
- J. L. Bentley. Little languages. CACM, 29(8):711--721, 1986. Google ScholarDigital Library
- DFC Brewer and MJ Nash. The Chinese Wall Security Policy. In Proceedings of the IEEE Symposium on Security and Privacy, pages 206--214, 1989.Google Scholar
- A. Chaudhuri. Language-based security on android. In Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, pages 1--7. ACM, 2009. Google ScholarDigital Library
- M. Conti, V. Nguyen, and B. Crispo. CRePE: context-related policy enforcement for android. Information Security, 6531:331--345, 2011. Google ScholarDigital Library
- Eclipse Organization. Eclipse. Available at: http://www.eclipse.org.Google Scholar
- G. Edjlali, A. Acharya, and V. Chaudhary. History-based Access Control for Mobile Code. In Proceedings of the 5th ACM Conference on Computer and Communications Security, pages 38--48. ACM Press New York, NY, USA, 1998. Google ScholarDigital Library
- A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. Android permissions: User attention, comprehension, and behavior. In Proceedings of the 8th Symposium on Usable Privacy and Security, page 3. ACM, 2012. Google ScholarDigital Library
- Google. Android Reference: Security and Permissions, 2010. Available at: http://developer.android.com/guide/topics/security/security.html. Accessed on 10 May, 2010.Google Scholar
- Google. ADT Plugin, 2013.Google Scholar
- Google Inc. Celebrating Google play's first birthday. Google Press Release, March 06, 2013.Google Scholar
- W. Johnston, S. Mudumbai, and M. Thompson. Authorization and attribute certificates for widely distributed access control. In Proceedings of the 7th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE'98), pages 340--345, 1998. Google ScholarDigital Library
- Weiliang Luo, Shouhuai Xu, and Xuxian Jiang. Real-time detection and prevention of android SMS permission abuses. In Proceedings of the 1st International Workshop on Security in Embedded Systems and Smartphones, pages 11--18. ACM, 2013. Google ScholarDigital Library
- Mohammad Nauman, Sohail Khan, Abutalib Othman, and Shahrulniza Musa. Realization of a user-centric, privacy preserving permission framework for android. Submitted to International Journal of Security and Communications Network, 2013.Google Scholar
- M. Ongtang, K. Butler, and P. McDaniel. Porscha: policy oriented secure content handling in android. In Proceedings of the 26th Annual Computer Security Applications Conference, pages 221--230. ACM, 2010. Google ScholarDigital Library
- M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel. Semantically rich application-centric security in android. In Proceedings of the Annual Computer Security Applications Conference (ACSAC'09), pages 340--349. IEEE, 2009. Google ScholarDigital Library
- T. Parr. StringTemplate template engine, 2013.Google Scholar
- Terrance Parr. The Definitive ANTLR Reference: Building Domain-Specific Languages. The Pragmatic Bookshelf, 2007. Google ScholarDigital Library
- T. J. Parr and R. W. Quong. ANTLR: A predicated-LL(k) parser generator. Software: Practice and Experience, 25(7):789--810, 1995. Google ScholarDigital Library
- I. Ray and M. Kumar. Towards a location-based mandatory access control model. Computers & Security, 25(1):36--44, 2006.Google ScholarDigital Library
- Ravi Sandhu. Rationale for the RBAC96 Family of Access Control Models. In Proceedings of the first ACM Workshop on Role-based Access Control (RBAC'95), page 9, New York, NY, USA, 1996. ACM Press. Google ScholarDigital Library
- A. Van Deursen and P. Klint. Little Languages: Little Maintenance? Journal of Software Maintenance: Research and Practice, 10(2):75--92, 1998. Google ScholarDigital Library
- Y. Zhou, X. Zhang, X. Jiang, and V. Freeh. Taming information-stealing smartphone applications (on android). Trust and Trustworthy Computing, pages 93--107, 2011. Google ScholarDigital Library
Index Terms
- Transforming high-level requirements to executable policies for Android
Recommendations
Sleeping android: the danger of dormant permissions
SPSM '13: Proceedings of the Third ACM workshop on Security and privacy in smartphones & mobile devicesAn Android app must be authorized for permissions, defined by the Android platform, in order to access certain capabilities of an Android device. An app developer specifies which permissions an app will require and these permissions must be authorized ...
Realization of a user-centric, privacy preserving permission framework for Android
Android has been steadily gaining market share, and the number of available applications is increasing at a healthy pace. Because of the myriad of third-party applications, privacy concerns are starting to surface in the community. Application ...
Android: Changing the Mobile Landscape
The mobile phone landscape changed last year with the introduction of smart phones running Android, a platform marketed by Google. Android phones are the first credible threat to the iPhone market. Not only did Google target the same consumers as iPhone,...
Comments