
FireDroid: hardening security in almost-stock Android

Published: 09 December 2013

Abstract

Malware poses a serious threat to Android smartphones. Current security mechanisms offer poor protection and are often too inflexible to quickly mitigate new exploits. In this paper we present FireDroid, a policy-based framework that enforces security policies by interposing on the system calls of processes. The main advantage of FireDroid is that it is completely transparent to the applications as well as to the Android OS: FireDroid enforces security policies without modifying either the Android OS or its applications. FireDroid is able to perform security checks on third-party and pre-installed applications, as well as on malicious native code. We have implemented a novel mechanism that is able to attach to, identify, monitor and enforce policies on any process spawned by Android's mother process, Zygote. We have tested the effectiveness of FireDroid against real malware. Moreover, we show how FireDroid can be used as a swift solution for blocking OS and application vulnerabilities before patches are available. Finally, we provide an experimental evaluation of our approach showing that it incurs only a limited overhead. Given these facts, FireDroid represents a practical solution for strengthening security on Android smartphones.


Cited By

  • (2023) Android Source Code Vulnerability Detection: A Systematic Literature Review. ACM Computing Surveys 55(9), 1-37. DOI 10.1145/3556974. Online publication date: 16-Jan-2023
  • (2023) AppBox: A Black-Box Application Sandboxing Technique for Mobile App Management Solutions. 2023 IEEE Symposium on Computers and Communications (ISCC), 1-7. DOI 10.1109/ISCC58397.2023.10217861. Online publication date: 9-Jul-2023
  • (2023) Analysis of Security and Privacy Challenges Associated with Byod in the Education Sector: State-of-the-Art Strategy. 2023 7th International Conference on Trends in Electronics and Informatics (ICOEI), 665-675. DOI 10.1109/ICOEI56765.2023.10125767. Online publication date: 11-Apr-2023

Reviews

Edgar R. Weippl

This paper proposes a policy-based framework to enforce security policies by intercepting system calls to the Linux kernel beneath the Android operating system (OS). By using this approach it is possible to detect security breaches by third-party apps, pre-installed apps by Google or the device vendors, but also malicious native code activity. The framework states several advantages, including the total transparency of the system to the application itself as well as to the Android OS. FireDroid works on every process that is spawned by the Android main process Zygote. FireDroid basically performs the following four features: it attaches to, identifies, monitors, and most importantly executes policies on a target process. Due to the fact that defining policies for low-level vetting mechanisms is very error-prone, the paper proposes a novel policy language for specifying high-level policies that are then mapped to policies enforceable at the level of the intercepted system calls. Furthermore, the paper carries out an extensive performance analysis, which can be summarized as follows: there is a total performance overhead of about 12 percent over the measured factors central processing unit (CPU), memory, input/output (I/O), 2D, and 3D. Regarding the executed application programming interface (API) operations under FireDroid, HttpGet produces an overhead of one percent, BroadcastIntent produces an overhead of five percent, QueryContact produces an overhead of four percent, and GetLastLocation produces an overhead of 30 percent, which seems reasonable. Compared to related approaches, FireDroid is totally complementary, as in the case of ComDroid [1] and Woodpecker [2], which can be used by system administrators to detect vulnerabilities and then specify FireDroid policies to prevent successful exploitation. 
Finally, FireDroid works similarly to other projects, like Aurasium [3], which also detects a system call (dlopen), but with improvements regarding robustness and extensiveness. FireDroid gives a company complete control over device applications, and therefore the company is not forced to trust the user.

Online Computing Reviews Service


Published In

ACSAC '13: Proceedings of the 29th Annual Computer Security Applications Conference
December 2013
374 pages
ISBN:9781450320153
DOI:10.1145/2523649

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Android security enhancement
  2. policy-based security
  3. system call interposition

Funding Sources

  • Auckland UniServices Limited

Conference

ACSAC '13: Annual Computer Security Applications Conference
Sponsor: ACSA
December 9 - 13, 2013
New Orleans, Louisiana, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
