Bring your own device, securely

Modern mobile devices offer users powerful computational capabilities and complete customization. As a matter of fact, today smartphones and tablets have remarkable hardware profiles and a cornucopia of applications. Yet, the security mechanisms offered by most popular mobile operating systems offer only limited protection to the threats posed by malicious applications that may be inadvertently installed by the users and therefore they do not meet the security standards required in corporate environments. In this paper we propose a security framework for mobile devices that ensures that only applications complying with the organization security policy can be installed. This is done by inferring behavioral models from applications and by validating them against the security policy. We also present BYODroid, a prototype implementation of our proposed security framework for the Android OS.

[1]  Martín Abadi,et al.  Access Control Based on Execution History , 2003, NDSS.

[2]  Gian Luigi Ferrari,et al.  Planning and verifying service composition , 2009, J. Comput. Secur..

[3]  Alessandro Armando,et al.  Would You Mind Forking This Process? A Denial of Service Attack on Android (and Some Countermeasures) , 2012, SEC.

[4]  Massimo Bartoletti,et al.  Securing Java with Local Policies , 2009, J. Object Technol..

[5]  Toshiaki Tanaka,et al.  A Formal Model to Analyze the Permission Authorization and Enforcement in the Android Framework , 2010, 2010 IEEE Second International Conference on Social Computing.

[6]  Patrick D. McDaniel,et al.  Semantically Rich Application-Centric Security in Android , 2009, 2009 Annual Computer Security Applications Conference.

[7]  Yuval Elovici,et al.  Google Android: A Comprehensive Security Assessment , 2010, IEEE Security & Privacy.

[8]  Alessandro Armando,et al.  Formal Modeling and Reasoning about the Android Security Framework , 2012, TGC.

[9]  Philip Wadler,et al.  Featherweight Java: a minimal core calculus for Java and GJ , 2001, TOPL.

[10]  Apu Kapadia,et al.  Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones , 2011, NDSS.

[11]  Ahmad-Reza Sadeghi,et al.  XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks , 2011 .

[12]  Yajin Zhou,et al.  Taming Information-Stealing Smartphone Applications (on Android) , 2011, TRUST.

[13]  Gian Luigi Ferrari,et al.  History-Based Access Control with Local Policies , 2005, FoSSaCS.

[14]  Avik Chaudhuri,et al.  Language-based security on Android , 2009, PLAS '09.

[15]  Scott F. Smith,et al.  History Effects and Verification , 2004, APLAS.

[16]  Henrik Reif Andemen Partial Model Checking (Extended Abstract) , 1995 .

[17]  Robin Milner,et al.  On Observing Nondeterminism and Concurrency , 1980, ICALP.

[18]  David Van Horn,et al.  A Type and Effect System for Flexible Abstract Interpretation of Java: (Extended Abstract) , 2005, Electron. Notes Theor. Comput. Sci..

[19]  R. Stephenson A and V , 1962, The British journal of ophthalmology.

[20]  Xinwen Zhang,et al.  Apex: extending Android permission model and enforcement with user-defined runtime constraints , 2010, ASIACCS '10.

[21]  Gian Luigi Ferrari,et al.  Types and Effects for Resource Usage Analysis , 2007, FoSSaCS.