Abstract

The mobile device market is booming. It benefits, among other things, from the growth of application markets for those devices. In Android, what applications (apps) are allowed to do is controlled by permissions. The problem is that many users do not pay attention to these permissions, because they are rather complex and the user is informed about them only shortly before installing an app. In this paper we present APEFS, an infrastructure that enables a user to filter apps by permissions before trying to install them. It thereby simplifies use of the permission system by allowing users to think about security and privacy before even searching for an app. We also enhance APEFS to filter not only by permissions but also by possible information flows, using static information flow analysis combined with runtime assertions.

Keywords

Android Permissions; Android Market; Google Play; Infrastructure; Filter; Information Flow Analysis

Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2012

Authors and Affiliations

  • Simon Meurer (1)
  • Roland Wismüller (1)
  1. University of Siegen, Germany