Don't Just BYOD, Bring-Your-Own-App Too! Protection via Virtual Micro Security Perimeters

Mobile devices are increasingly becoming a melting pot of different types of data ranging from sensitive corporate documents to commercial media to personal content produced and shared via online social networks. While it is desirable for such diverse content to be accessible from the same device via a unified user experience and through a rich plethora of mobile apps, ensuring that this data remains protected has become challenging. Even though different data types have very different security and privacy needs and accidental instances of data leakage are common, today's mobile operating systems include few, if any, facilities for fine-grained data protection and isolation. In this paper, we present SWIRLS, an Android-based mobile OS that provides a rich policy-based information-flow data protection abstraction for mobile apps to support BYOD (bring-your-own-device) use cases. SWIRLS allows security and privacy policies to be attached to individual pieces of data contained in signed and encrypted capsules, and enforces these policies as the data flows through the device. Unlike current BYOD solutions like VMs and containers that create duplication and cognitive overload, SWIRLS provides a single environment that allows users to access content belonging to different security contexts using the same applications without fear of inadverdant or malicious data leakage. SWIRLS also unburdens app developers from having to worry about security policies, and provides APIs through which they can create seamless multi-security-context user interfaces. To implement it's abstractions, SWIRLS develops a cryptographically protected capsule distribution and installation scheme, enhances Taintdroid-based taint-tracking mechanisms to support efficient kernel and user-space security policy enforcement, implements techniques for persisting security context along with data, and provides transparent security-context switching mechanisms. Using our Android-based prototype (>25K LOC), we show a number of data protection use-cases such as isolation of personal and work data, limiting document sharing and preventing leakage based on document classification, and security policies based on geo-and time-fencing. Our experiments show that SWIRLS imposes a very minimal overhead in both battery consumption and performance.

[1]  Ahmad-Reza Sadeghi,et al.  ASM: A Programmable Interface for Extending Android Security , 2014, USENIX Security Symposium.

[2]  Heng Yin,et al.  DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis , 2012, USENIX Security Symposium.

[3]  Ahmad-Reza Sadeghi,et al.  Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies , 2013, USENIX Security Symposium.

[4]  Peng Ning,et al.  EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning , 2015, USENIX Security Symposium.

[5]  Patrick D. McDaniel,et al.  Understanding Android Security , 2009, IEEE Security & Privacy Magazine.

[6]  Yuewu Wang,et al.  DeepDroid: Dynamically Enforcing Enterprise Policy on Android Devices , 2015, NDSS.

[7]  William Enck,et al.  Preventing accidental data disclosure in modern operating systems , 2013, CCS.

[8]  Matthias Lange,et al.  L4Android: a generic operating system framework for secure smartphones , 2011, SPSM '11.

[9]  T. Alves,et al.  TrustZone : Integrated Hardware and Software Security , 2004 .

[10]  Steve Hanna,et al.  Android permissions demystified , 2011, CCS '11.

[11]  Yang Tang,et al.  CleanOS: Limiting Mobile Data Exposure with Idle Eviction , 2012, OSDI.

[12]  Dawn Xiaodong Song,et al.  Contextual Policy Enforcement in Android Applications with Permission Event Graphs , 2013, NDSS.

[13]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[14]  Patrick D. McDaniel,et al.  Semantically Rich Application-Centric Security in Android , 2009, 2009 Annual Computer Security Applications Conference.

[15]  Shashi Shekhar,et al.  QUIRE: Lightweight Provenance for Smart Phone Operating Systems , 2011, USENIX Security Symposium.

[16]  Ninghui Li,et al.  Android permissions: a perspective combining risks and benefits , 2012, SACMAT '12.

[17]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[18]  David A. Wagner,et al.  The Effectiveness of Application Permissions , 2011, WebApps.

[19]  Jeremy Andrus,et al.  Cells: a virtual mobile smartphone architecture , 2011, SOSP '11.

[20]  Steve Vandebogart,et al.  Labels and event processes in the Asbestos operating system , 2005, TOCS.

[21]  Stephen Smalley,et al.  Security Enhanced (SE) Android: Bringing Flexible MAC to Android , 2013, NDSS.

[22]  Harvey Tuch,et al.  The VMware mobile virtualization platform: is that a hypervisor in your pocket? , 2010, OPSR.

[23]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[24]  Patrick D. McDaniel,et al.  Porscha: policy oriented secure content handling in Android , 2010, ACSAC '10.

[25]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.

[26]  Ahmad-Reza Sadeghi,et al.  Practical and lightweight domain isolation on Android , 2011, SPSM '11.

[27]  Vitaly Shmatikov,et al.  The most dangerous code in the world: validating SSL certificates in non-browser software , 2012, CCS.

[28]  Mani B. Srivastava,et al.  ipShield: A Framework For Enforcing Context-Aware Privacy , 2014, NSDI.