Increasing Android Security Using a Lightweight OVAL-Based Vulnerability Assessment Framework

  • Martín Barrère
  • Gaëtan Hurel
  • Rémi Badonnel
  • Olivier Festor


Mobile computing devices and the services they offer are used by millions of users on a daily basis. However, they operate in hostile environments and are exposed to a wide variety of threats. Accordingly, vulnerability management mechanisms are essential. In this paper we present a novel approach for increasing the security of mobile devices by efficiently detecting vulnerable configurations. In that context, we propose a model for performing vulnerability assessment activities, as well as an OVAL-based distributed framework for ensuring safe configurations within the Android platform. We also describe an implementation prototype and evaluate its performance through an extensive set of experiments.



This work was partially supported by the EU FP7 Univerself Project and the FI-WARE PPP.



Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  • Martín Barrère (1)
  • Gaëtan Hurel (1)
  • Rémi Badonnel (1)
  • Olivier Festor (1)
  1. INRIA Nancy Grand Est – LORIA – University of Lorraine, Nancy Cedex, France
