Context-Based Access Control Systems for Mobile Devices

Mobile Android applications often have access to sensitive data and resources on the user's device. Misuse of this data by malicious applications may result in privacy breaches and sensitive data leakage. An example would be a malicious application surreptitiously recording a confidential business conversation. The problem arises from the fact that Android users do not have control over an application's capabilities once the application has been granted the requested privileges upon installation. In many cases, however, whether an application may get a privilege depends on the specific user context, and thus we need a context-based access control mechanism by which privileges can be dynamically granted to or revoked from applications based on the specific context of the user. In this paper we propose such an access control mechanism. Our implementation of context differentiates between closely located sub-areas within the same location. We have modified the Android operating system so that context-based access control restrictions can be specified and enforced. We have performed several experiments to assess the efficiency of our access control mechanism and the accuracy of context detection.
