Introduction to HICSS-47 Software Security for Mobile Platforms Minitrack
This minitrack focuses on the research and automation techniques that can be applied to mobile platforms to ensure that software developed for these devices is secure without compromising other system properties such as performance or reliability. In both the personal computer and mobile platform arena, current security engineering methods are demonstrably inadequate at identifying software vulnerabilities. These vulnerabilities are caused by software designs and implementations that do not adequately protect systems and by development practices that do not focus sufficiently on eliminating implementation defects that result in security flaws. This has been especially true in the area of mobile platforms, where one study found that, from 2010 to 2011, the number of new vulnerabilities in mobile operating systems jumped 93 percent. Additionally, according to Symantec Corp., 2011 was also the first year that mobile malware presented a tangible threat. Android is the most widely used mobile platform, capturing a slight majority of the US and world smartphone markets. Android offers strong isolation for apps to prevent a potentially malicious app from accessing the protected data of other apps. However, there are two major weaknesses. First, Android lacks a fine-grained permission-granting mechanism. When a user installs an app, the app must request all potentially needed permissions upfront, and the user must either grant all requested permissions or cancel installing the app. The user cannot selectively grant only some permissions. As a result, users often grant potentially malicious apps more permissions than desired. A second major weakness in Android lies in its complex inter-app communication system. Although this system is very powerful, it is hard for app developers to get security right [4]. Since the same system
[1] David A. Wagner, et al. Analyzing inter-application communication in Android, 2011, MobiSys '11.
[2] Robert C. Seacord, et al. Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs, 2013.
[3] Robert C. Seacord, et al. The CERT Oracle Secure Coding Standard for Java, 2011.
[4] Philip Miller, et al. Source Code Analysis Laboratory (SCALe), 2012.