Abstract
Today, cross-device communication and intelligent resource sharing among smart devices is limited and inflexible: typically, devices cooperate through fixed interfaces provided by custom-built applications, which users need to install manually. This is tedious, time consuming, carries security and privacy risks, and contrasts with the idea of the Internet of Things (IoT), where intelligent devices operate in concert to enrich the overall user experience by sharing resources and capabilities.
We present Xapp, a context-aware service mobility framework for Android. Our goal is to enable users to securely distribute the functionality of applications to mutually untrusted smart devices, e.g., to enable a smartphone to use a nearby Android TV screen as a display for a video call, let a smartphone navigation app direct an autonomous vehicle, or let it use the vehicle for an object-recognition task rather than using a cloud service with the attendant privacy risks. We built a prototype for Android as the first step towards this goal. Our system is a set of extensions to the existing Remote-OSGi service platform, an emerging industry standard which unfortunately does not secure the communications between devices. This paper describes our proposal for the required security architecture. We designed and implemented an authentication protocol suite, where trust is bootstrapped using NFC for the sake of usability. On top of this we built a fine-grained access control system so that mutually mistrustful Xapp apps can be used simultaneously in the same neighborhood and even on the same devices. Hence, with Xapp users can run an Android app across multiple devices without having to install it on each of them individually. As proof of concept we present the implementation and evaluation of a video call app.
Notes
1. On PCs, IBM's Java JVM 8 provides a multi-tenancy environment [26], which efficiently isolates Java applications executed in one Java VM and uses the Java Security Manager [27] for access control. Another approach particularly interesting in the context of cloud-based environments is the GuestVM project [46], which provides isolated Java runtime environments on top of the Xen hypervisor.
References
Android Auto. http://www.android.com/auto/
Android TV. http://www.android.com/tv/
Apache Felix. http://felix.apache.org/
Apache Felix UPnP. http://felix.apache.org/site/apache-felix-upnp.html
Apple Airplay. http://www.apple.com/de/airplay/
Arbanowski, S., Ballon, P., David, K., Droegehorn, O., Eertink, H., Kellerer, W., van Kranenburg, H., Raatikainen, K., Popescu-Zeletin, R.: I-centric communications: personalization, ambient awareness, and adaptability for future mobile services. Commun. Mag. IEEE 42(9), 63–69 (2004)
Beresford, A.R., Rice, A., Skehin, N., Sohan, R.: MockDroid: trading privacy for application functionality on smartphones. In: HotMobile (2011)
Bugiel, S., Davi, L., Dmitrienko, A., Heuser, S., Sadeghi, A.-R., Shastry, B.: Practical and lightweight domain isolation on android. In: SPSM (2011)
Bugiel, S., Heuser, S., Sadeghi, A.-R.: Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies. In: USENIX Security (2013)
Conti, M., Nguyen, V.T.N., Crispo, B.: CRePE: context-related policy enforcement for android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 331–345. Springer, Heidelberg (2011)
Cuervo, E., Balasubramanian, A., Cho, D.-K., Wolman, A., Saroiu, S., Chandra, R., Bahl, P.: MAUI: making smartphones last longer with code offload. In: MobiSys (2010)
Dang, Q.: Recommendation for existing application-specific key derivation functions. In: NIST (2010)
de Deugd, S., Carroll, R., Kelly, K., Millett, B., Ricker, J.: SODA: service oriented device architecture. Pervasive Comput. IEEE 5(3), 94–96 (2006)
de Souza, L.M.S., Spiess, P., Guinard, D., Köhler, M., Karnouskos, S., Savio, D.: SOCRADES: a web service based shop floor integration infrastructure. In: Floerkemeier, C., Langheinrich, M., Fleisch, E., Mattern, F., Sarma, S.E. (eds.) IOT 2008. LNCS, vol. 4952, pp. 50–67. Springer, Heidelberg (2008)
Diffie, W., Hellman, M.: New directions in cryptography. Inf. Theory, IEEE 22(6), 644–654 (1976)
Digital Living Network Alliance. http://www.dlna.org/
Dolev, D., Yao, A.C.: On the security of public key protocols. Inf. Theory, IEEE 29(2), 198–208 (1983)
Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012, pp. 3:1–3:14. ACM, New York (2012)
Gartner Says Worldwide Tablet Sales Grew 68% in 2013. http://www.gartner.com/newsroom/id/2674215
Goncalves, J., Ferreira, L.L., Pinho, L.M., Silva, G.: Handling mobility on a QoS-Aware service-based framework for mobile systems. In: EUC (2010)
Haerick, W., Wauters, T., Develder, C., Turck, F.D., Dhoedt, B.: Transparent resource sharing framework for internet services on handheld devices. Ann. Telecommun. 65(7–8), 419–432 (2010)
Hardy, N.: The confused deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22(4), 36–38 (1988)
Haselsteiner, E., Breitfuss, K.: Security in near field communication. In: RFIDSec (2006)
Heuser, S., Nadkarni, A., Enck, W., Sadeghi, A.-R.: ASM: a programmable interface for extending Android security. In: USENIX Security Symposium (2014)
Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: These aren’t the droids you’re looking for: retrofitting android to protect data from imperious applications. In: ACM CCS (2011)
Introduction to Java multitenancy. http://www.ibm.com/developerworks/java/library/j-multitenant-java/index.html
SecurityManager (Java Platform SE 7). http://docs.oracle.com/javase/7/docs/api/java/lang/SecurityManager.html
Jeon, J., Micinski, K.K., Vaughan, J.A., Fogel, A., Reddy, N., Foster, J.S., Millstein, T.: Dr. Android and Mr. Hide: fine-grained permissions in android applications. In: SPSM (2012)
jSLP - Java SLP (Service Location Protocol) Implementation. http://jslp.sourceforge.net/
King, J., Bose, R., Yang, H.-I., Pickles, S., Helal, A.: Atlas: a service-oriented sensor platform: hardware and middleware to enable programmable pervasive spaces. In: Proceedings of the 31st IEEE Conference on Local Computer Networks, pp. 630–638 (2006)
Kosta, S., Aucinas, A., Hui, P., Mortier, R., Zhang, X.: ThinkAir: dynamic resource allocation and parallel execution in the cloud for mobile code offloading. In: INFOCOM (2012)
Linpack Benchmark - Java Version. http://www.netlib.org/benchmark/linpackjava/
Nauman, M., Khan, S., Zhang, X.: Apex: extending Android permission model and enforcement with user-defined runtime constraints. In: AsiaCCS (2010)
Neuman, B.C., Tso, T.: Kerberos: an authentication service for computer networks. Commun. Mag. IEEE 32(9), 33–38 (1994)
Ongtang, M., McLaughlin, S., Enck, W., McDaniel, P.: Semantically rich application-centric security in android. In: ACSAC (2009)
OSGi Alliance. OSGi Service Platform Release 4. http://www.osgi.org/Main/HomePage
Preuveneers, D., Berbers, Y.: Context-driven migration and diffusion of pervasive services on the OSGi framework. IJAACS 3(1), 3–22 (2010)
Rellermeyer, J.S., Duller, M., Gilmer, K., Maragkos, D., Papageorgiou, D., Alonso, G.: The software fabric for the internet of things. In: Floerkemeier, C., Langheinrich, M., Fleisch, E., Mattern, F., Sarma, S.E. (eds.) IOT 2008. LNCS, vol. 4952, pp. 87–104. Springer, Heidelberg (2008)
Rellermeyer, J.S., Alonso, G., Roscoe, T.: R-OSGi: distributed applications through software modularization. In: Cerqueira, R., Campbell, R.H. (eds.) Middleware 2007. LNCS, vol. 4834, pp. 1–20. Springer, Heidelberg (2007)
Samsung Allshare. http://developer.samsung.com/allshare-framework/technical-docs/FAQ
Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, C.: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. RFC 6960 (Proposed Standard) (2013)
Schlegel, R., Zhang, K., Zhou, X., Intwala, M., Kapadia, A., Wang, X.: Soundcomber: a stealthy and context-aware sound trojan for smartphones. In: NDSS. The Internet Society (2011)
Smalley, S., Craig, R.: Security Enhanced (SE) Android: bringing flexible MAC to android. In: Proceedings of NDSS (2013)
Stajano, F.: The resurrecting duckling – what next? (transcript of discussion). In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2000. LNCS, vol. 2133, pp. 215–222. Springer, Heidelberg (2001)
Stajano, F., Anderson, R.J.: The resurrecting duckling: security issues for ad-hoc wireless networks. In: Proceedings of the 7th International Workshop on Security Protocols, pp. 172–194. Springer-Verlag, London (2000)
The Guest VM Project. https://kenai.com/projects/guestvm
Universal Plug-and-Play. http://www.upnp.org/
Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming information-stealing smartphone applications (on android). In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 93–107. Springer, Heidelberg (2011)
Acknowledgements
This work has been supported by the European Union’s FP7 grant 318424 (FutureID) and by the DFG within CRC 1119 CROSSING. We would like to thank Ross Anderson for his feedback that guided the paper’s final revisions.
A Protocols
As explained in Sect. 3.3, the protocols assume a shared symmetric secret key between \(\mathcal {M}\) and \(\mathcal {H}\), denoted \(K_\mathcal {M} \in \{0,1\}^n\), which is used to authenticate and encrypt tokens with the help of an authenticated encryption scheme AE = (AEnc, ADec), where n is a security parameter.
Token Issuing Protocol. The Token Issuing Protocol (TI) is shown in Fig. 5(a). Both \(\mathcal {M}\) and \(\mathcal {C}\) generate a new asymmetric key pair. \(\mathcal {C}\) sends its public key \(pk_\mathcal {C}\) to \(\mathcal {M}\) over an out-of-band channel. Generally we require that this channel is integrity-protected in at least one direction (\(\mathcal {C}\) to \(\mathcal {M}\)), so that it is immune to man-in-the-middle attacks in which an attacker attempts to replace \(pk_\mathcal {C}\) with a different public key. We use Near-Field Communication (NFC), which directly allows \(\mathcal {M}\) to verify the identity of \(\mathcal {C}\) due to the physical proximity required for NFC. However, alternative implementations are also feasible, for example using QR codes. \(\mathcal {M}\) creates a new Token \([T_\mathcal {L}]\), which contains the client key \(K_\mathcal {C}\) as well as a description of \(\mathcal {C}\)'s privileges on \(\mathcal {H}\), denoted by the Policy \(P_{\mathcal {C,H}}\). \(K_\mathcal {C}\) is derived using a key agreement scheme DH (e.g., Diffie-Hellman [15]) between \(\mathcal {C}\) and \(\mathcal {M}\). Finally, \(\mathcal {M}\) sends the token to \(\mathcal {C}\) together with its public key \(pk_\mathcal {M}\).
Secure Channel Establishment. The client \(\mathcal {C}\) uses the Secure Channel Establishment Protocol (SCE) to connect to the Loader \(\mathcal {L}\) as shown in Fig. 5(b): \(\mathcal {C}\) sends \([T_\mathcal {L}]\) and a randomly chosen nonce \(N_\mathcal {C}\) to \(\mathcal {L}\). \(\mathcal {L}\) decrypts \([T_\mathcal {L}]\) using \(K_\mathcal {M}\), thereby verifying its integrity due to the authenticated encryption. Next, \(\mathcal {L}\) extracts \(K_\mathcal {C}\) and the Policy \(P_{\mathcal {C,H}}\), which is forwarded to the Resource Controller RC. \(\mathcal {L}\) stores \(K_\mathcal {C}\) securely in a database and later provides a decryption service to instances of \(\mathcal {C}\), so that \(K_\mathcal {C}\) cannot be exfiltrated by modules in \(I_{\mathcal {C}}\). Then, \(\mathcal {L}\) generates a random nonce \(N_\mathcal {L}\), which it sends back to \(\mathcal {C}\). Finally, both sides compute a shared secret session key \(K_\mathcal {S} = \mathsf KDF (K_\mathcal {C} \; || \; N_\mathcal {L} \; || \; N_\mathcal {C})\) using a suitable key derivation function KDF [12]. In our implementation we use an HMAC/SHA1-based key derivation function. After this step, the secure channel establishment is completed and \(K_\mathcal {S}\) will be used to protect all further communication.
\(\mathcal {C}\) also uses SCE to connect to \(I_{\mathcal {C}}\). To this end, \(\mathcal {C}\) creates a new token \([T_{I_{\mathcal {C}}}]\) with a randomly chosen key \(K_I\). Since no policy is established between the client and the host, it attaches an empty dummy policy and encrypts the complete token \([T_{I_{\mathcal {C}}}]\) with \(K_\mathcal {C}\). On the client side, \(I_{\mathcal {C}}\) decrypts \([T_{I_{\mathcal {C}}}]\) using the decryption service provided by \(\mathcal {L}\).
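The token and session-key steps of TI and SCE described above, as an added worked example in Go (not the paper's Xapp code): AES-GCM stands in for the paper's unspecified AE = (AEnc, ADec), \(K_\mathcal {C}\) is assumed to be 16 bytes, and the KDF is assumed to be HMAC-SHA1 keyed with \(K_\mathcal {C}\) over \(N_\mathcal {L} \; || \; N_\mathcal {C}\), consistent with the HMAC/SHA1-based KDF the paper names. \(\mathcal {L}\) only learns \(K_\mathcal {C}\) and the policy if the token authenticates under \(K_\mathcal {M}\); any modification is rejected before a session key is derived.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
)
const keyLen = 16 // size of K_C carried in a token (assumption: 128-bit keys)
// NewAE instantiates AE = (AEnc, ADec) under K_M; AES-GCM stands in for the paper's unspecified scheme.
func NewAE(kM []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kM)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealToken is M's step of TI: [T_L] = nonce || AEnc(K_M, K_C || P_{C,H}).
func SealToken(ae cipher.AEAD, kC []byte, policy string) ([]byte, error) {
	nonce := make([]byte, ae.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, kC...), policy...)
	return ae.Seal(nonce, nonce, plain, nil), nil
}

// OpenToken is L's ADec step of SCE: a forged or modified [T_L] fails authentication and is rejected.
func OpenToken(ae cipher.AEAD, token []byte) (kC []byte, policy string, err error) {
	ns := ae.NonceSize()
	if len(token) < ns+keyLen+ae.Overhead() {
		return nil, "", errors.New("token too short")
	}
	plain, err := ae.Open(nil, token[:ns], token[ns:], nil)
	if err != nil {
		return nil, "", errors.New("token rejected: authentication failed")
	}
	return plain[:keyLen], string(plain[keyLen:]), nil
}

// SessionKey derives K_S = KDF(K_C || N_L || N_C); the KDF is HMAC-SHA1 keyed with K_C over N_L || N_C (assumption).
func SessionKey(kC, nL, nC []byte) []byte {
	mac := hmac.New(sha1.New, kC)
	mac.Write(nL)
	mac.Write(nC)
	return mac.Sum(nil)
}
```

Both sides call SessionKey with the same nonces after the token exchange: the client with the \(K_\mathcal {C}\) it agreed on with \(\mathcal {M}\), the Loader with the \(K_\mathcal {C}\) recovered by OpenToken.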
Copyright information
© 2015 Springer-Verlag Berlin Heidelberg
Cite this paper
Busold, C., Heuser, S., Rios, J., Sadeghi, A.-R., Asokan, N. (2015). Smart and Secure Cross-Device Apps for the Internet of Advanced Things. In: Böhme, R., Okamoto, T. (eds.) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science, vol. 8975. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47854-7_17
DOI: https://doi.org/10.1007/978-3-662-47854-7_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-47853-0
Online ISBN: 978-3-662-47854-7