
Securing Android with Local Policies

Programming Languages with Applications to Biology and Security

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 9465)

Abstract

Local policies have been proposed in [6] as a formalism for efficient and effective policy verification and enforcement. The basic approach consists of an enriched syntax of a programming language with a scope operator that the developer uses to apply a local policy to a specific portion of her code. Due to their fair expressiveness and modularity, they have also been successfully applied to object-oriented languages and web services. In this paper we apply the existing approach to the Android application framework. To this aim, we present a novel programming language, namely

, which includes both the Android IPC logic and local policies.


Notes

  1. http://developer.android.com/training/articles/security-tips.html.

  2. For brevity, we write a.p instead of android.permission.

  3. More precisely, it is the interpreter of the intermediate language obtained from the compilation of the high level one. As long as the compilation process is semantics-preserving, the argument holds.

  4. We assume an evaluation function \(\mathcal{B}\) to be defined.

  5. http://developer.android.com/guide/components/intents-filters.html.

  6. Notice that here we use a simplified version of the \(\Cup\) operator. For the detailed version see [8].

  7. In this section we generally refer to local policies without distinguishing between safety and liveness.

  8. Notice that, although acceptance is only defined for \(\omega\)-traces, we can extend finite traces with \(\tau^\omega\) where \(\tau \in \mathsf{Act}\) is a special event denoting termination.

  9. http://developer.android.com/guide/topics/admin/device-admin.html.

  10. Here \(\alpha_{cam}\) stands for the Android API CameraManager.openCamera(\(\ldots\)).

References

  1. Armando, A., Carbone, R., Costa, G., Merlo, A.: Android permissions unleashed. In: Proceedings of the 28th IEEE Computer Security Foundations Symposium, CSF 2015, Italy, Verona (2015)

  2. Armando, A., Costa, G., Merlo, A.: Bring your own device, securely. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing, SAC 2013, Coimbra, Portugal, 18–22 March 2013, pp. 1852–1858 (2013)

  3. Armando, A., Merlo, A., Migliardi, M., Verderame, L.: Would you mind forking this process? a denial of service attack on android (and some countermeasures). In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 13–24. Springer, Heidelberg (2012)

  4. Bartoletti, M., Costa, G., Degano, P., Martinelli, F., Zunino, R.: Securing java with local policies. J. Object Technol. 8(4), 5–32 (2009)

  5. Bartoletti, M., Costa, G., Zunino, R.: Jalapa: Securing java with local policies: Tool demonstration. Electr. Notes Theor. Comput. Sci. 253(5), 145–151 (2009)

  6. Bartoletti, M., Degano, P., Ferrari, G.L.: Enforcing secure service composition. In: Proceedings of the 18th Computer Security Foundations Workshop (CSFW) (2005)

  7. Bartoletti, M., Degano, P., Ferrari, G.-L.: History-based access control with local policies. In: Sassone, V. (ed.) FOSSACS 2005. LNCS, vol. 3441, pp. 316–332. Springer, Heidelberg (2005)

  8. Bartoletti, M., Degano, P., Ferrari, G.L.: Planning and verifying service composition. J. Comput. Secur. 17(5), 799–837 (2009)

  9. Bartoletti, M., Degano, P., Ferrari, G.-L., Zunino, R.: Types and effects for resource usage analysis. In: Seidl, H. (ed.) FOSSACS 2007. LNCS, vol. 4423, pp. 32–47. Springer, Heidelberg (2007)

  10. Bartoletti, M., Degano, P., Ferrari, G.L., Zunino, R.: Model checking usage policies. Math. Struct. Comput. Sci. 25(3), 710–763 (2015)

  11. Bartoletti, M., Zunino, R.: LocUsT: a tool for checking usage policies. Technical report TR-08-07, Dip. Informatica, Univ. Pisa (2008)

  12. Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.-R.: Xmandroid: a new android evolution to mitigate privilege escalation attacks. Technical report TR-2011-04, Technische Univ. Darmstadt, April 2011

  13. Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for android. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2011) (2011)

  14. Chaudhuri, A.: Language-based security on android. In: Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security, PLAS 2009, pp. 1–7. ACM, New York (2009)

  15. Costa, G., Martinelli, F., Mori, P., Schaefer, C., Walter, T.: Runtime monitoring for next generation java ME platform. Comput. Secur. 29(1), 74–87 (2010)

  16. Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: Proceedings of the 20th USENIX Conference on Security, SEC 2011, p. 21. USENIX Association, Berkeley (2011)

  17. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 627–638. ACM, New York (2011)

  18. Felt, A.P., Hanna, S., Chin, E., Wang, H.J., Moshchuk, E.: Permission re-delegation: attacks and defenses. In: 20th Usenix Security Symposium (2011)

  19. Furia, C.A., Mandrioli, D., Morzenti, A., Rossi, M.: Modeling Time in Computing. Monographs in Theoretical Computer Science. An EATCS Series. Springer, Heidelberg (2012)

  20. Nauman, M., Khan, S., Zhang, X.: Apex: extending android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2010, pp. 328–332. ACM, New York (2010)

  21. Necula, G.C.: Proof-carrying code. In: Twenty-Fourth ACM Symposium on Principles of Programming Languages (1997)

  22. Ongtang, M., Mclaughlin, S., Enck, W., Mcdaniel, P.: Semantically rich application-centric security in android. In: ACSAC 2009: Annual Computer Security Applications Conference (2009)

  23. Schlegel, R., Zhang, K., Zhou, X., Intwala, M., Kapadia, A., Wang, X.: Soundcomber: a stealthy and context-aware sound trojan for smartphones. In: Proceedings of the 18th Annual Network & Distributed System Security Symposium (2011)

  24. Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S., Glezer, C.: Google android: a comprehensive security assessment. IEEE Secur. Priv. 8(2), 35–44 (2010)

  25. Shin, W., Kiyomoto, S., Fukushima, K., Tanaka, T.: A formal model to analyze the permission authorization and enforcement in the android framework. In: Proceedings of the 2010 IEEE Second International Conference on Social Computing, SOCIALCOM 2010, pp. 944–951. IEEE Computer Society, Washington, DC (2010)

  26. Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming information-stealing smartphone applications (on android). In: Beres, Y., Balacheff, B., Sadeghi, A.-R., Sasse, A., McCune, J.M., Perrig, A. (eds.) TRUST 2011. LNCS, vol. 6740, pp. 93–107. Springer, Heidelberg (2011)

Author information

Correspondence to Gabriele Costa.

Copyright information

© 2015 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Costa, G. (2015). Securing Android with Local Policies. In: Bodei, C., Ferrari, G., Priami, C. (eds) Programming Languages with Applications to Biology and Security. Lecture Notes in Computer Science, vol 9465. Springer, Cham. https://doi.org/10.1007/978-3-319-25527-9_14

  • DOI: https://doi.org/10.1007/978-3-319-25527-9_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25526-2

  • Online ISBN: 978-3-319-25527-9

  • eBook Packages: Computer Science (R0)
