AppGuard – Enforcing User Requirements on Android Apps
The success of Android phones makes them a prominent target for malicious software, in particular since the Android permission system turned out to be inadequate to protect the user against security and privacy threats. This work presents AppGuard, a powerful and flexible system for the enforcement of user-customizable security policies on untrusted Android applications. AppGuard does not require any changes to a smartphone’s firmware or root access. Our system offers complete mediation of security-relevant methods based on callee-site inline reference monitoring. We demonstrate the general applicability of AppGuard by several case studies, e.g., removing permissions from overly curious apps as well as defending against several recent real-world attacks on Android phones. Our technique exhibits very little space and runtime overhead. AppGuard is publicly available, has been invited to the Samsung Apps market, and has had more than 500,000 downloads so far.
KeywordsSecurity Policy Android Application Runtime Overhead Native Code Address Book
Unable to display preview. Download preview PDF.
- 1.Backes, M., Gerling, S., Hammer, C., Maffei, M., von Styp-Rekowsky, P.: Appguard - real-time policy enforcement for third-party applications. Tech. Rep. A/02/2012, Saarland University, Computer Science (July 2012)Google Scholar
- 2.Davis, B., Sanders, B., Khodaverdian, A., Chen, H.: I-ARM-Droid: A rewriting framework for in-app reference monitors for android applications. In: Mobile Security Technologies 2012, MoST 2012 (2012)Google Scholar
- 3.Erlingsson, Ú.: The Inlined Reference Monitor Approach to Security Policy Enforcement. Ph.D. thesis, Cornell University (January 2004)Google Scholar
- 4.Erlingsson, Ú., Schneider, F.B.: IRM enforcement of java stack inspection. In: Proc. 2002 IEEE Symposium on Security and Privacy (Oakland 2002), pp. 246–255 (2002)Google Scholar
- 5.Gootee, R.: Evil tea timer (2012), https://github.com/ralphleon/EvilTeaTimer
- 6.Gruver, B.: Smali: A assembler/disassembler for android’s dex formatGoogle Scholar
- 7.Jeon, J., Micinski, K.K., Vaughan, J., Fogel, A., Reddy, N., Foster, J., Millstein, T.: Dr. Android and Mr. Hide: Fine-grained permissions in android applications. In: ACM CCS Works. on Sec. & Privacy in Smartphones and Mobile Devices (2012)Google Scholar
- 8.Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets. In: Proc. NDSS 2012 (February 2012)Google Scholar