DroidForce: Enforcing complex, data-centric, system-wide policies in android

Proceedings - 9th International Conference on Availability, Reliability and Security, ARES 2014

Volumn , Issue , 2014, Pages 40-49

  Rasthofer, Siegfried ^a   Arzt, Steven ^a   Lovat, Enrico ^b   Bodden, Eric ^a  

^a DARMSTADT UNIVERSITY OF TECHNOLOGY   (Germany)

^b TECHNICAL UNIVERSITY OF MUNICH   (Germany)

Author keywords

Android; Data flow; Data centric; Enforcement; Policy; System wide

Indexed keywords

PUBLIC POLICY; SECURITY OF DATA; SMARTPHONES;

ANDROID; DATA CENTRIC; DATA FLOW; ENFORCEMENT; SYSTEM-WIDE;

ANDROID (OPERATING SYSTEM);

EID: 84920622630     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ARES.2014.13     Document Type: Conference Paper

References (35)

1. International Data Corporation, "Worldwide quarterly mobile phone tracker 3q12," Nov. 2012, http://www. idc. com/tracker/showproductinfo. jsp?prod id=37.
2. I. Security, "Mcafee mobile security report," 2012, http://www. mcafee. com/us/resources/reports/rp-mobile-security-consumer-trends. pdf.
3. E. Chien, "Motivations of recent android malware," Feb. 2014, http://www. mcafee. com/us/resources/reports/ rp-mobile-security-consumer-trends. pdf.
4. "Top 10 spy software," April 2014, http://www. top10spysoftware. com/.
5. S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel, "Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps," in Proc. of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation. ACM, 2014, p. 29.
6. L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang, "Chex: statically vetting android apps for component hijacking vulnerabilities," in CCS 2012.
7. Z. Yang and M. Yang, "Leakminer: Detect information leakage on android with static taint analysis," in Software Engineering (WCSE), 2012 Third World Congress on, 2012, pp. 101-104.
8. J. Kim, Y. Yoon, K. Yi, and J. Shin, "ScanDal: Static analyzer for detecting privacy leaks in android applications," in MoST 2012: Mobile Security Technologies 2012. IEEE, May 2012.
9. T. Cannon, "No-permission android app gives remote shell," https:// viaforensics. com/security/nopermission-android-app-remote-shell. html, 2011.
10. K. Makan, "Path traversal vulnerability in oi file manager for android," http://blog. k3170makan. com/2014/02/ path-disclosure-vulnerability-in-io. html, 2014.
11. A. Alkassar, S. Schulz, C. Stble, and S. Wohlgemuth, "Securing smartphone compartments: Approaches and solutions," in ISSE 2012. Springer Fachmedien Wiesbaden, 2012, pp. 260-268.
12. M. Hilty, A. Pretschner, D. Basin, C. Schaefer, and T. Walter, "A policy language for distributed usage control," in Proc. 12th Europ. Conf. on Research in Computer Security. Springer-Verlag, pp. 531-546.
13. R. Vallée-Rai, P. Co, E. Gagnon, L. Hendren, P. Lam, and V. Sundaresan, "Soot-a java bytecode optimization framework," in Proc. 1999 Conf. of Centre for Advanced Studies on Collaborative Research. IBM Press.
14. M. Spreitzenbarth, "Detailed analysis of android. fakeregsms. b," http://forensics. spreitzenbarth. de/2012/02/03/ detailed-analysis-of-android-fakeregsms-b/, 2012.
15. C. Marforio, A. Francillon, and S. Capkun, "Application collusion attack on the permission-based security model and its implications for modern smartphone systems," ETH Zurich, Tech. Rep. 724, April 2011.
16. D. Hausknecht, "Variability-aware Data-flow Analysis for Smartphone Applications," Master's thesis, University of Passau, 2013.
17. L. Lamport, "Proving the correctness of multiprocess programs," IEEE Trans. Softw. Eng., vol. 3, no. 2, pp. 125-143, Mar. 1977.
18. A. Pretschner, E. Lovat, and M. Büchler, "Representation-independent data usage control," in Proc DPM 2011, 2011, pp. 122-140.
19. P. Kumari and A. Pretschner, "Deriving implementation-level policies for usage control enforcement," in Proc. CODASPY '12.
20. S. Rasthofer, S. Arzt, and E. Bodden, "A machine-learning approach for classifying and categorizing android sources and sinks," in Proc. NDSS 2014, Feb. 2014.
21. Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, "Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets," in Proc. NDSS 2012, Feb. 2012.
22. K. Hazelwood and A. Klauser, "A dynamic binary instrumentation engine for the arm architecture," in Proceedings of the 2006 international conference on Compilers, architecture and synthesis for embedded systems. ACM, 2006, pp. 261-270.
23. C. Gibler, J. Crussell, J. Erickson, and H. Chen, "Androidleaks: Automatically detecting potential privacy leaks in android applications on a large scale," in Proc. TRUST 2012, 2012.
24. M. C. Grace, Y. Zhou, Z. Wang, and X. Jiang, "Systematic detection of capability leaks in stock android smartphones," in Proc. NDSS 2012.
25. E. Chin, A. P. Felt, K. Greenwood, and D. Wagner, "Analyzing interapplication communication in android," in Proc. MobiSys 2011, 2011.
26. D. Octeau, P. McDaniel, S. Jha, A. Bartel, E. Bodden, J. Klein, and Y. Le Traon, "Effective inter-component communication mapping in android with epicc: An essential step towards holistic security analysis," in Proc. USENIX 2013, 2013.
27. M. Backes, S. Gerling, C. Hammer, M. Maffei, and P. von Styp-Rekowsky, "Appguard-real-time policy enforcement for third-party applications," Tech. Rep., 2012.
28. D. Schreckling, J. Posegga, J. Kstler, and M. Schaff, "Kynoid: Realtime enforcement of fine-grained, user-defined, and data-centric security policies for android," in Information Security Theory and Practice. Security, Privacy and Trust in Computing Systems and Ambient Intelligent Ecosystems, 2012.
29. W. Enck, P. Gilbert, B. gon Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth, "Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones," in OSDI, 2010, pp. 393-407.
30. D. Feth and A. Pretschner, "Flexible data-driven security for android," in Proc. IEEE Intl. Conf. Software Security and Reliability SERE'12.
31. S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, and A.-R. Sadeghi, "Xmandroid: A new android evolution to mitigate privilege escalation attacks," Technische Universität Darmstadt, Tech. Rep., Apr. 2011.
32. R. Xu, H. Sädi, and R. Anderson, "Aurasium: practical policy enforcement for android applications," in USENIX Security 2012.
33. M. Zhang and H. Yin, "Appsealer: Automatic generation of vulnerabilityspecific patches for preventing component hijacking attacks in android applications," in Proc. NDSS 2014.
34. A. Castrucci, F. Martinelli, P. Mori, and F. Roperti, "Enhancing java me security support with resource usage monitoring," in ICICS, 2008, pp. 256-266.
35. L. Desmet, W. Joosen, F. Massacci, K. Naliuka, P. Philippaerts, F. Piessens, and D. Vanoverberghe, "A flexible security architecture to support third-party applications on mobile devices," in Proc. 2007 ACM Workshop on Computer Security Architecture, ser. CSAW '07.