CA-ARBAC: privacy preserving using context-aware role-based access control on Android permission system

Existing mobile platforms are based on manual way of granting and revoking permissions to applications. Once the user grants a given permission to an application, the application can use it without limit, unless the user manually revokes the permission. This has become the reason for many privacy problems because of the fact that a permission that is harmless at some occasion may be very dangerous at another condition. One of the promising solutions for this problem is context-aware access control at permission level that allows dynamic granting and denying of permissions based on some predefined context. However, dealing with policy configuration at permission level becomes very complex for the user as the number of policies to configure will become very large. For instance, if there are A applications, P permissions, and C contexts, the user may have to deal with A × P × C number of policy configurations. Therefore, we propose a context-aware role-based access control model that can provide dynamic permission granting and revoking while keeping the number of policies as small as possible. Although our model can be used for all mobile platforms, we use Android platform to demonstrate our system. In our model, Android applications are assigned roles where roles contain a set of permissions and contexts are associated with permissions. Permissions are activated and deactivated for the containing role based on the associated contexts. Our approach is unique in that our system associates contexts with permissions as opposed to existing similar works that associate contexts with roles. As a proof of concept, we have developed a prototype application called context-aware Android role-based access control. We have also performed various tests using our application, and the result shows that our model is working as desired. Copyright © 2017 John Wiley & Sons, Ltd.

[1]  Alastair R. Beresford,et al.  MockDroid: trading privacy for application functionality on smartphones , 2011, HotMobile '11.

[2]  Ahmad-Reza Sadeghi,et al.  ConXsense: automated context classification for context-aware access control , 2013, AsiaCCS.

[3]  Juraj Varga,et al.  Presenting Risks Introduced by Android Application Permissions in a User-Friendly Way , 2014 .

[4]  Hongliang Liang,et al.  Enforcing Multiple Security Policies for Android System , 2013 .

[5]  Ahmad-Reza Sadeghi,et al.  ASM: A Programmable Interface for Extending Android Security , 2014, USENIX Security Symposium.

[6]  David A. Wagner,et al.  Android permissions: user attention, comprehension, and behavior , 2012, SOUPS.

[7]  Mauro Conti,et al.  CRêPE: A System for Enforcing Fine-Grained Context-Related Policies on Android , 2012, IEEE Transactions on Information Forensics and Security.

[8]  Lubomir T. Chitkushev,et al.  DR BACA: dynamic role based access control for Android , 2013, ACSAC.

[9]  Michael Backes,et al.  Android security framework: extensible multi-layered access control on Android , 2014, ACSAC '14.

[10]  Young Ik Eom,et al.  CA-RBAC: Context Aware RBAC Scheme in Ubiquitous Computing Environments , 2010, J. Inf. Sci. Eng..

[11]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[12]  Yanyan Zhuang,et al.  BlurSense: Dynamic fine-grained access control for smartphone privacy , 2014, 2014 IEEE Sensors Applications Symposium (SAS).

[13]  Dimitris Gritzalis,et al.  Assessing Privacy Risks in Android: A User-Centric Approach , 2013, RISK@ICTSS.

[14]  Michael Backes,et al.  Android Security Framework: Enabling Generic and Extensible Access Control on Android , 2014, ArXiv.

[15]  Xinwen Zhang,et al.  Apex: extending Android permission model and enforcement with user-defined runtime constraints , 2010, ASIACCS '10.

[16]  Michael Backes,et al.  AppGuard - Fine-Grained Policy Enforcement for Untrusted Android Applications , 2013, DPM/SETOP.

[17]  Todd D. Millstein,et al.  Dr. Android and Mr. Hide: fine-grained permissions in android applications , 2012, SPSM '12.

[18]  Ahmad-Reza Sadeghi,et al.  Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies , 2013, USENIX Security Symposium.

[19]  Paul C. van Oorschot,et al.  A methodology for empirical analysis of permission-based security models and its application to android , 2010, CCS '10.

[20]  Thiri The'Wut Yee,et al.  Leveraging access control mechanism of Android smartphone using context-related role-based access control model , 2011, The 7th International Conference on Networked Computing and Advanced Information Management.

[21]  Yajin Zhou,et al.  Taming Information-Stealing Smartphone Applications (on Android) , 2011, TRUST.

[22]  Elisa Bertino,et al.  Context-Based Access Control Systems for Mobile Devices , 2015, IEEE Transactions on Dependable and Secure Computing.

[23]  Liang Gu,et al.  Context-Aware Usage Control for Android , 2010, SecureComm.

[24]  Christopher D Stelly Dynamic User Defined Permissions for Android Devices , 2013 .

[25]  Seog Park,et al.  Context-Aware Role Based Access Control Using User Relationship , 2013 .