ABSTRACT
Increasingly powerful personal smart devices push users, especially the elderly, into a policy administration disaster in which they are forced to set personal management policies on these devices themselves. Android security offers a real case of this problem: it is hard for users, and even for some programmers, to identify malicious permission requests when they install a third-party application. Motivated by the popularity of mutual assistance among friends (including family members) in the real world, we propose a novel framework for policy administration, called Socialized Policy Administration (SPA for short), to help users manage the policies in widely deployed personal devices. SPA builds on the basic idea that a user may invite his or her friends to help set up applications. In particular, as the number of invited friends increases, the resulting setting can be more resilient to a few malicious or unprofessional friends. We define the security properties of SPA and propose an enforcement framework in which a user's friends can help set applications without leaking the friends' preferences, supported by a privacy-preserving mechanism. Our prototype implements the framework using only partially homomorphic encryption cryptosystems, because fully homomorphic encryption is not yet practical to deploy in a real service. Based on our prototype and performance evaluation, SPA shows promise for supporting the major types of policies in current popular applications with acceptable performance.
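As an illustration of the privacy-preserving aggregation the abstract describes, the following added example (not the paper's prototype code) tallies friends' allow/deny recommendations for one permission under an additively homomorphic scheme. Assumptions: Paillier serves as the partially homomorphic cryptosystem, the user holds the private key, an untrusted aggregator combines the ciphertexts, and a simple majority decides; the toy primes and all function names are constructed for this sketch.

```python
import math
import secrets

# Toy Mersenne primes, constructed for this example only; a real
# deployment needs a modulus of at least 2048 bits.
P, Q = 2**61 - 1, 2**89 - 1

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    # With generator g = n + 1, L(g^lam mod n^2) = lam mod n, so mu = lam^-1 mod n.
    mu = pow(lam, -1, n)
    return n, (lam, mu)

def encrypt(n, m):
    """Friend side: encrypt a 0/1 recommendation under the user's public key."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def tally(n, ciphertexts):
    """Aggregator side: multiplying ciphertexts adds the hidden plaintexts."""
    acc = 1  # trivial encryption of 0
    for c in ciphertexts:
        acc = acc * c % (n * n)
    return acc

def decrypt(n, priv, c):
    """User side: recover the plaintext (here, only the summed vote count)."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n

def decide(votes):
    """Run the whole exchange; returns (allow_count, grant_permission)."""
    n, priv = keygen()
    cts = [encrypt(n, v) for v in votes]      # each friend encrypts locally
    total = decrypt(n, priv, tally(n, cts))   # individual votes never decrypted
    return total, 2 * total > len(votes)

if __name__ == "__main__":
    # Constructed input: 7 friends, 2 of them wrongly recommend "allow".
    print(decide([0, 0, 1, 0, 0, 1, 0]))
```

The tally is only meaningful if every ciphertext is known to encrypt 0 or 1, which this sketch does not enforce.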
Index Terms
- SPA: Inviting Your Friends to Help Set Android Apps