research-article

SPA: Inviting Your Friends to Help Set Android Apps

Authors:
Zeqing Guo

Fudan University, Shanghai, China

Fudan University, Shanghai, China
View Profile

,
Weili Han

Fudan University, Shanghai, China

Fudan University, Shanghai, China
View Profile

,
Liangxing Liu

Fudan University, Shanghai, China

Fudan University, Shanghai, China
View Profile

,
Wenyuan Xu

Zhejiang University, Hangzhou, China

Zhejiang University, Hangzhou, China
View Profile

,
Ruiqi Bu

Fudan University, Shanghai, China

Fudan University, Shanghai, China
View Profile

,
Minyue Ni

Fudan University, Shanghai, China

Fudan University, Shanghai, China
View Profile

SACMAT '15: Proceedings of the 20th ACM Symposium on Access Control Models and TechnologiesJune 2015Pages 221–231https://doi.org/10.1145/2752952.2752974

Published:01 June 2015Publication History

SACMAT '15: Proceedings of the 20th ACM Symposium on Access Control Models and Technologies

Pages 221–231

ABSTRACT

More and more powerful personal smart devices take users, especially the elder, into a disaster of policy administration where users are forced to set personal management policies in these devices. Considering a real case of this issue in the Android security, it is hard for users, even some programmers, to generally identify malicious permission requests when they install a third-party application. Motivated by the popularity of mutual assistance among friends (including family members) in the real world, we propose a novel framework for policy administration, referring to Socialized Policy Administration (SPA for short), to help users manage the policies in widely deployed personal devices. SPA leverages a basic idea that a user may invite his or her friends to help set the applications. Especially, when the size of invited friends increases, the setting result can be more resilient to a few malicious or unprofessional friends. We define the security properties of SPA, and propose an enforcement framework where users' friends can help users set applications without the leakage of friends' preferences with the supports of a privacy preserving mechanism. In our prototype, we only leverage partially homomorphic encryption cryptosystems to implement our framework, because the fully homomorphic encryption is not acceptable to be deployed in a practical service at the moment. Based on our prototype and performance evaluation, SPA is promising to support major types of policies in current popular applications with acceptable performance.

References

R. Anderson. Security engineering: A guide to building dependable distributed systems. 2001. Google ScholarDigital Library
D. Barrera, H. G. Kayacik, P. C. van Oorschot, and A. Somayaji. A methodology for empirical analysis of permission-based security models and its application to Android. In Proceedings of the 17th ACM conference on Computer and communications security, pages 73--84. ACM, 2010. Google ScholarDigital Library
Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In Proceedings of 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS), pages 97--106. IEEE, 2011. Google ScholarDigital Library
I. Damgård and M. Jurik. A generalisation, a simpli. cation and some applications of Paillier's probabilistic public-key system. In Public Key Cryptography, pages 119--136. Springer, 2001. Google ScholarDigital Library
T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In Advances in Cryptology, pages 10--18. Springer, 1985. Google ScholarCross Ref
W. Enck, M. Ongtang, P. D. McDaniel, et al. Understanding Android security. IEEE Security & Privacy, 7(1):50--57, 2009. Google ScholarDigital Library
Z. Fang, W. Han, and Y. Li. Permission based android security: Issues and countermeasures. Computers & Security (COSE), 43:205--218, 2014.Google Scholar
A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In Proceedings of the 18th ACM conference on Computer and communications security, pages 627--638. ACM, 2011. Google ScholarDigital Library
C. Fontaine and F. Galand. A survey of homomorphic encryption for nonspecialists. EURASIP Journal on Information Security, 2007, 2007. Google ScholarDigital Library
C. Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford University, 2009. Google ScholarDigital Library
C. Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, STOC '09, pages 169--178, New York, NY, USA, 2009. ACM. Google ScholarDigital Library
W. Han, Z. Fang, L. T. Yang, G. Pan, and Z. Wu. Collaborative policy administration. IEEE Transactions on Parallel and Distributed Systems (TPDS), 25(2):498--507, 2014. Google ScholarDigital Library
M. Li, S. Yu, K. Ren, and W. Lou. Securing personal health records in cloud computing: Patient-centric and fine-grained data access control in multi-owner settings. In Proceedings of SecureComm 2010, pages 89--106. Springer, 2010.Google ScholarCross Ref
N. Li and Z. Mao. Administration in role-based access control. In Proceedings of the 2nd ACM symposium on Information, computer and communications security, pages 127--138. ACM, 2007. Google ScholarDigital Library
L. Lymberopoulos, E. C. Lupu, and M. S. Sloman. An adaptive policy-based framework for network services management. Journal of Network and Systems Management, 11(3):277--303, September 2003. Google ScholarDigital Library
B. Moore, E. Ellesson, J. Strassner, and A. Westerinen. Policy core information model-version 1 specification. Technical report, RFC 3060, February, 2001. Google ScholarDigital Library
M. Nauman, S. Khan, and X. Zhang. Apex: extending Android permission model and enforcement with user-defined runtime constraints. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pages 328--332. ACM, 2010. Google ScholarDigital Library
P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in cryptology - EUROCRYPT' 99, pages 223--238. Springer, 1999. Google ScholarDigital Library
R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120--126, 1978. Google ScholarDigital Library
R. Sandhu and Q. Munawer. The arbac99 model for administration of roles. In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC'99), pages 229--238. IEEE, 1999. Google ScholarDigital Library
C. E. Shannon. Communication theory of secrecy systems. Bell system technical journal, 28(4):656--715, 1949.Google Scholar
M. Shehab and S. Marouf. Recommendation models for open authorization. IEEE Transactions on Dependable and Secure Computing, 9(4):583--596, 2012. Google ScholarDigital Library
M. S. Sloman. Policy driven management for distributed systems. Journal of Network and Systems Management, 2(4):333--360, December 1994.Google ScholarCross Ref
A. C. Squicciarini, M. Shehab, and F. Paci. Collective privacy management in social networks. In Proceedings of the 18th international conference on World wide web, pages 521--530. ACM, 2009. Google ScholarDigital Library
D. Stehlé and R. Steinfeld. Faster fully homomorphic encryption. In Advances in Cryptology-ASIACRYPT 2010, pages 377--394. Springer, 2010.Google ScholarCross Ref
Techinasia. 1.3 billion smartphones shipped in 2014; xiaomi ends year ranked 5th globally. https://www.techinasia.com/idc-smartphones-shipped-2014-apple-samsung-xiaomi/, Jan 2015.Google Scholar
M. Van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully homomorphic encryption over the integers. In Advances in Cryptology - EUROCRYPT 2010, pages 24--43. Springer, 2010. Google ScholarDigital Library
Wikipedia. Homomorphic encryption, 2014. {Online; accessed 7-June-2014}.Google Scholar
Wikipedia. Wechat, 2014. {Online; accessed 18-June-2014}.Google Scholar
R. Wishart, D. Corapi, S. Marinovic, and M. Sloman. Collaborative privacy policy authoring in a social networking context. In POLICY, pages 1--8, 2010. Google ScholarDigital Library

Index Terms

SPA: Inviting Your Friends to Help Set Android Apps
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security

Recommendations

An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective
WWW '17: Proceedings of the 26th International Conference on World Wide Web

With the prevalence of smartphones, app markets such as Apple App Store and Google Play has become the center stage in the mobile app ecosystem, with millions of apps developed by tens of thousands of app developers in each major market. This paper ...
Read More
Android: Changing the Mobile Landscape

The mobile phone landscape changed last year with the introduction of smart phones running Android, a platform marketed by Google. Android phones are the first credible threat to the iPhone market. Not only did Google target the same consumers as iPhone,...
Read More
Cross-Compiling Android Applications to iOS and Windows Phone 7

Android is currently leading the smartphone segment in terms of market share since its introduction in 2007. Android applications are written in Java using an API designed for mobile apps. Other smartphone platforms, such as Apple's iOS or Microsoft's ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SACMAT '15: Proceedings of the 20th ACM Symposium on Access Control Models and Technologies
June 2015
242 pages
ISBN:9781450335560
DOI:10.1145/2752952
General Chair:
Edgar Weippl
SBA Research, Austria
,
Program Chairs:
Florian Kerschbaum
SAP, Germany
,
Adam J. Lee
University of Pittsburgh, USA
Copyright © 2015 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 June 2015
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
android
policy administration
policy based management
social computing
socialized policy administration
Qualifiers
- research-article
Conference

Acceptance Rates
SACMAT '15 Paper Acceptance Rate17of59submissions,29%Overall Acceptance Rate177of597submissions,30%
More
Upcoming Conference
SACMAT 2024

Sponsor:

sigsac

The 29th ACM Symposium on Access Control Models and Technologies

May 15 - 17, 2024

San Antonio , TX , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 167
  Total Downloads
- Downloads (Last 12 months)4
- Downloads (Last 6 weeks)1
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

SPA: Inviting Your Friends to Help Set Android Apps

SACMAT '15: Proceedings of the 20th ACM Symposium on Access Control Models and Technologies

ABSTRACT

References

Cited By

Index Terms

Recommendations

An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective

Android: Changing the Mobile Landscape

Cross-Compiling Android Applications to iOS and Windows Phone 7