The Secure Data Container: An Approach to Harmonize Data Sharing with Information Security

Smart devices have become Mark Weiser's Computer of the 21st Century. Because they are so versatile, a great deal of private data, enriched with context data, is stored on them. Even the health industry uses smart devices as portable health monitors and as enablers for telediagnosis. They therefore pose a severe risk to information security, yet the platform providers' countermeasures against these threats are by no means sufficient. In this paper we describe how information security on such devices can be improved. To this end, we postulate requirements for the secure handling of data. Based on this requirements specification, we introduce a secure data container as an extension of the Privacy Management Platform. Since completely isolating an app is usually not practicable, our approach also provides secure data sharing features. Finally, we evaluate our approach from both a technical and a security point of view and show its applicability in an eHealth scenario.
