Advertisement

ESARA: A Framework for Enterprise Smartphone Apps Risk Assessment

  • Majid HatamianEmail author
  • Sebastian Pape
  • Kai Rannenberg
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 562)

Abstract

Protecting enterprise’s confidential data and infrastructure against adversaries and unauthorized accesses has been always challenging. This gets even more critical when it comes to smartphones due to their mobile nature which enables them to have access to a wide range of sensitive information that can be misused. The crucial questions here are: How the employees can make sure the smartphone apps that they use are trustworthy? How can the enterprises check and validate the trustworthiness of apps being used within the enterprise network? What about the security and privacy aspects? Are the confidential information such as passwords, important documents, etc. are treated safely? Are the employees’ installed apps monitoring/spying the enterprise environment? To answer these questions, we propose Enterprise Smartphone Apps Risk Assessment (ESARA) as a novel framework to support and enable enterprises to analyze and quantify the potential privacy and security risks associated with their employees’ installed apps. Given an app, ESARA first conducts various analyses to characterize its vulnerabilities. Afterwards, it examines the app’s behavior and overall privacy and security perceptions associated with it by applying natural language processing and machine learning techniques. The experimental results using app behavior and perception analyses indicate that: (1) ESARA is able to examine apps’ behavior for potential invasive activities; and (2) the analyzed privacy and security perceptions by ESARA usually reveal interesting information corresponding to apps’ behavior achieved with high accuracy.

Keywords

Smartphone App Security Privacy Risk Enterprise 

Notes

Acknowledgment

This research was supported by the European Union’s Horizon 2020 Research and Innovation program under the Marie Skłodowska-Curie “Privacy&Us” project (GA No. 675730).

References

  1. 1.
  2. 2.
    Mobile application security scanner. https://www.ostorlab.co/
  3. 3.
  4. 4.
  5. 5.
    Quick android review kit. https://github.com/linkedin/qark
  6. 6.
    Quixxi integrated app management system. https://quixxisecurity.com/
  7. 7.
    Sanddroid - an automatic android application analysis system. http://sanddroid.xjtu.edu.cn
  8. 8.
  9. 9.
    Protection of sensitive data and services (2012). https://www.sit.fraunhofer.de/en/bizztrust/
  10. 10.
  11. 11.
  12. 12.
    Framework for app security tests (2016). https://www.sit.fraunhofer.de/en/appicaptor/
  13. 13.
    Most vulnerable os of the year 2017 (2017). https://www.cybrnow.com/10-most-vulnerable-os-of-2017/
  14. 14.
    Agarwal, Y., Hall, M.: Protectmyprivacy: detecting and mitigating privacy leaks on IOs devices using crowdsourcing. In: Proceedings of MobiSys, pp. 97–110 (2013)Google Scholar
  15. 15.
    Beresford, A., Rice, A., Sohan, N.: Mockdroid: trading privacy for application functionality on smartphones. In: The Proceedings of the 12th Workshop on Mobile Computing Systems and Applications, Phoenix, Arizona, USA, pp. 49–54 (2011)Google Scholar
  16. 16.
    Chandramohan, M., Tan, H.B.K.: Detection of mobile malware in the wild. Computer 45(9), 65–71 (2012).  https://doi.org/10.1109/MC.2012.36CrossRefGoogle Scholar
  17. 17.
    Enck, W., et al.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: The Proceedings of the the 9th ACM USENIX Conference on Operating Systems Design and Implementation, Vancouver, BC, Canada, pp. 393–407 (2010)Google Scholar
  18. 18.
    Hatamian, M., Serna, J., Rannenberg, K., Igler, B.: Fair: fuzzy alarming index rule for privacy analysis in smartphone apps. In: The Proceedings of the 14th International Conference on Trust and Privacy in Digital Business (TrustBus), Lyon, France, pp. 3–18 (2017)CrossRefGoogle Scholar
  19. 19.
    Hatamian, M., Serna-Olvera, J.: Beacon alarming: Informed decision-making supporter and privacy risk analyser in smartphone applications. In: Proceedings of the \(35^{\text{th}}\) IEEE International Conference on Consumer Electronics (ICCE), USA (2017)Google Scholar
  20. 20.
    Hatamian, M., Kitkowska, A., Korunovska, J., Kirrane, S.: “It’s Shocking!”: analysing the impact and reactions to the A3: Android Apps behaviour analyser. In: Kerschbaum, F., Paraboschi, S. (eds.) DBSec 2018. LNCS, vol. 10980, pp. 198–215. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-95729-6_13CrossRefGoogle Scholar
  21. 21.
    Hatamian, M., Serna, J., Rannenberg, K.: Revealing the unrevealed: mining smartphone users privacy perception on app markets. Comput. Secur. (2019).  https://doi.org/10.1016/j.cose.2019.02.010. http://www.sciencedirect.com/science/article/pii/S0167404818313051CrossRefGoogle Scholar
  22. 22.
    Maggi, F., Valdi, A., Zanero, S.: Andrototal: a flexible, scalable toolbox and service for testing mobile malware detectors. In: Proceedings of the 3rd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 49–54 (2013)Google Scholar
  23. 23.
    Martínez-Pérez, B., De La Torre-Díez, I., López-Coronado, M.: Privacy and security in mobile health apps: a review and recommendations. J. Med. Syst. 39(1), 1–8 (2015)CrossRefGoogle Scholar
  24. 24.
    Nauman, M., Khan, S., Zhang, X.: Apex: extending android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 328–332 (2010)Google Scholar
  25. 25.
    Pedregosa, F., et al.: Scikit-learn: machine learning in python. J. Mach. Learn. Res. 12, 2825–2830 (2011)MathSciNetzbMATHGoogle Scholar
  26. 26.
    Plachkinova, M., Andres, S., Chatterjee, S.: A taxonomy of mhealth apps - security and privacy concerns. In: 2015 48th HICSS, pp. 3187–3196, January 2015Google Scholar
  27. 27.
    Zhou, Y., Zhang, X., Jiang, X., Freech, V.W.: Taming information-stealing smartphone applications (on android). In: the Proceedings of the 4th International Conference on Trust and Trustworthy Computing, Pittsburgh, PA, USA, pp. 39–107 (2011)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. 1.Chair of Mobile Business & Multilateral SecurityGoethe University FrankfurtFrankfurtGermany
  2. 2.Chair of Information SystemsUniversity of RegensburgRegensburgGermany

Personalised recommendations