AppShell: Making data protection practical for lost or stolen Android devices

Mobile apps continue to consume increasing amounts of sensitive data, such as banking credentials and classified documents. At the same time, the number of smartphone thefts is increasing rapidly. As a result, there is an imperative need to protect sensitive data on lost or stolen mobile devices. In this work, we develop a practical solution to protect sensitive data on mobile devices. Our solution enables adaptive protection by proactively stepping up or stepping down data security based on the perceived contextual risk of the device. We realize our solution for the Android platform in the form of a system called AppShell. AppShell requires neither root privilege nor any modification to the underlying framework, and hence is a ready-to-deploy solution. It supports both in-memory and on-disk data protection by transparently encrypting the data and, when required, discarding the encryption key for enhanced protection. We implement a working prototype of AppShell and evaluate it against several popular Android apps. Our results show that AppShell can successfully protect sensitive data on lost devices with a reasonable performance overhead.
