I-ARM-Droid : A Rewriting Framework for In-App Reference Monitors for Android Applications

Mobile applications are a major force behind the explosive growth of mobile devices. While they greatly extend the functionality of mobile devices, they also raise security and privacy concerns, especially when they have not gone through a rigorous review process. To protect users from untrusted and potentially malicious applications, we design and implement a rewriting framework for embedding In-App Reference Monitors (I-ARM) into Android applications. The framework user identifies a set of security-sensitive API methods and specifies their security policies, which may be tailored to each application. Then, our framework automatically rewrites the Dalvik bytecode of the application, where it interposes on all the invocations of these API methods to implement the desired security policies. We have implemented a prototype of the rewriting framework and evaluated it on compatibility, functionality, and performance in time and size overhead. We showcase example security policies that this rewriting framework supports. Keywords-Mobile applications; Reference monitor; Rewriting; Security policy

[1]  Úlfar Erlingsson,et al.  IRM enforcement of Java stack inspection , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[2]  Insik Shin,et al.  Mobile code security by Java bytecode instrumentation , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[3]  Thierry Coupaye,et al.  ASM: a code manipulation tool to implement adaptable systems , 2002 .

[4]  Dan S. Wallach,et al.  Enforcing Java Run-Time Properties Using Bytecode Rewriting , 2002, ISSS.

[5]  Úlfar Erlingsson,et al.  The Inlined Reference Monitor Approach to Security Policy Enforcement , 2004 .

[6]  Xinwen Zhang,et al.  Apex: extending Android permission model and enforcement with user-defined runtime constraints , 2010, ASIACCS '10.

[7]  Yajin Zhou,et al.  Taming Information-Stealing Smartphone Applications (on Android) , 2011, TRUST.

[8]  Todd Millstein,et al.  Application-centric security policies on unmodified Android , 2011 .

[9]  Swarat Chaudhuri,et al.  A Study of Android Application Security , 2011, USENIX Security Symposium.

[10]  Alastair R. Beresford,et al.  MockDroid: trading privacy for application functionality on smartphones , 2011, HotMobile '11.

[11]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[12]  Steve Hanna,et al.  Android permissions demystified , 2011, CCS '11.

[13]  Dawn Xiaodong Song,et al.  FreeMarket: Shopping for free in Android applications , 2012, NDSS.

[14]  Yajin Zhou,et al.  Detecting repackaged smartphone applications in third-party android marketplaces , 2012, CODASPY '12.