Stateful Usage Control for Android Mobile Devices

  • Aliaksandr Lazouski
  • Fabio Martinelli
  • Paolo Mori
  • Andrea Saracino
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8743)


This paper proposes a framework for regulating data sharing on Android mobile devices. In our approach, the user downloads a copy of the data on his Android device, then the framework controls the data usage by enforcing the usage control policies which have been embedded in the data itself by the data producer. The usage control policy is based on the Usage Control model, whose main feature is to allow the usage of the downloaded data as long as conditions specified in the policy are satisfied. The proposed framework secures the data access procedure relying on both the Android security mechanisms and the introduction of Trusted Platform Module functions. The paper details the proposed framework, presents some preliminary results from the prototype that has been developed, and discusses the security of the prototype.


Keywords: Usage Control, Mobile devices, XACML, Android





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Aliaksandr Lazouski (1)
  • Fabio Martinelli (1)
  • Paolo Mori (1)
  • Andrea Saracino (1)

  1. Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa, Italy
