Compac: Enforce Component-Level Access Control in Android

In Android applications, third-party components can introduce security problems, because they run with the same privileges as the host application but cannot be fully trusted. It is therefore desirable to restrict their privileges. To minimize the privileges of third-party components, we develop Compac, which achieves fine-grained access control at the level of an application's components. Compac allows developers and users to assign a subset of an application's permissions to some of the application's components. By leveraging runtime Java package information, the system can identify which component is running in the application. The system then makes decisions on privileged access requests according to the policy defined by the developer and user. We have implemented a prototype in Android 4.0.4 and conducted a comprehensive evaluation. Our case studies show that Compac can effectively restrict third-party components' permissions. On the Antutu benchmark, the overall score with Compac is 97.4% of the score of the original Android. In conclusion, Compac can mitigate the damage caused by third-party components with negligible overhead.
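The decision procedure described in the abstract can be sketched as follows. This is an added illustration, not code from the Compac prototype; the package names, the policy table, the fallback to the application's full permission set, and the rule that a request is allowed only if every component on the call stack holds the permission are assumptions made for the example.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added illustration: package-based, component-level permission check. */
public class ComponentPolicyDemo {
    // Constructed sample data: permissions granted to the whole application.
    static final Set<String> APP_PERMS =
        Set.of("INTERNET", "READ_CONTACTS", "ACCESS_FINE_LOCATION");

    // Constructed policy: Java package of a component -> subset of APP_PERMS.
    // Packages without an entry keep the application's full set (assumption).
    static final Map<String, Set<String>> POLICY =
        Map.of("com.example.adsdk", Set.of("INTERNET"));

    /** Maps a class name to its component's permissions by longest package prefix. */
    static Set<String> permsFor(String className) {
        String best = null;
        for (String pkg : POLICY.keySet()) {
            boolean inPackage = className.startsWith(pkg + ".");
            if (inPackage && (best == null || pkg.length() > best.length())) {
                best = pkg;
            }
        }
        return best == null ? APP_PERMS : POLICY.get(best);
    }

    /**
     * Decides a privileged request. callStack holds the class names of the
     * frames that led to the request (on a JVM these could be taken from
     * StackTraceElement.getClassName()). Assumed rule: every component on
     * the stack must hold the permission, so a restricted component cannot
     * gain it by calling through application code, or the reverse.
     */
    static boolean checkPermission(String permission, List<String> callStack) {
        if (!APP_PERMS.contains(permission)) {
            return false; // the application itself was never granted it
        }
        for (String className : callStack) {
            if (!permsFor(className).contains(permission)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        List<String> appOnly = List.of("com.example.app.ContactsActivity");
        List<String> viaAdSdk = List.of(
            "com.example.app.util.ContactReader", "com.example.adsdk.Tracker");
        System.out.println("app reads contacts: " + checkPermission("READ_CONTACTS", appOnly));
        System.out.println("ad SDK reads contacts: " + checkPermission("READ_CONTACTS", viaAdSdk));
        System.out.println("ad SDK uses network: " + checkPermission("INTERNET", viaAdSdk));
    }
}
```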
