Abstract
The rapid growth of mobile computing has resulted in the development of new programming paradigms for quick and easy development of mobile applications. Hybrid frameworks, such as PhoneGap, allow the use of web technologies for development of applications with native access to device’s resources. These untrusted third-party applications desire access to user’s data and device’s resources, leaving the content vulnerable to accidental or malicious leaks by the applications. The hybrid frameworks present new opportunities to enhance the security of mobile platforms by providing an application-layer runtime for controlling an application’s behavior.
In this work, we present a practical design of a novel framework, named MobileIFC, for building privacy-preserving hybrid applications for mobile platforms. We use information flow models to control what untrusted applications can do with the information they receive. We utilize the framework to develop a fine-grained, context-sensitive permission model that enables users and application developers to specify rich policies. We show the viability of our design by means of a framework prototype. The usability of the framework and the permission model is further evaluated by developing sample applications using the framework APIs. Our evaluation and experience suggests that MobileIFC provides a practical and performant security solution for hybrid mobile applications.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
ADSafe, http://www.adsafe.org
Apps Created with PhoneGap, http://phonegap.com/app/
Chrome OS, http://www.chromium.org/chromium-os
Firefox OS, https://developer.mozilla.org/Firefox_OS
IBM Worklight, http://www-03.ibm.com/software/products/us/en/worklight/
IGN Dominate, http://wireless.ign.com/articles/116/1167824p1.html
Microsoft HealthVault, http://www.microsoft.com/en-us/healthvault/
Mint, https://www.mint.com/
Norton Safe Web, http://safeweb.norton.com/
PhoneGap, http://www.phonegap.com
Sencha, http://www.sencha.com
Bergstein, B.: IBM Faces the Perils of “Bring Your Own Device” (May 2012), http://www.technologyreview.com/news/427790/ibm-faces-the-perils-of-bring-your-own-device/
Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.-R., Shastry, B.: Towards Taming Privilege-Escalation Attacks on Android. In: NDSS, San Diego, CA (February 2012)
Conti, M., Nguyen, V.T.N., Crispo, B.: CRePE: Context-related Policy Enforcement for Android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 331–345. Springer, Heidelberg (2011)
Davi, L., Dmitrienko, A., Sadeghi, A.-R., Winandy, M.: Privilege Escalation Attacks on Android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 346–360. Springer, Heidelberg (2011)
Egele, M., Kruegel, C., Kirda, E., Vigna, G.: PiOS: Detecting Privacy Leaks in iOS Applications. In: NDSS, San Diego, CA (February 2011)
Enck, W., Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In: OSDI, Vancouver, Canada (October 2010)
Enck, W., Ongtang, M., McDaniel, P.: On Lightweight Mobile Phone Application Certification. In: CCS, Chicago, IL (November 2009)
Felt, A.P., Wang, H.J., Moshchuk, A., Hanna, S., Chin, E.: Permission Re-Delegation: Attacks and Defenses. In: USENIX Security Symposium, San Fransisco, CA (August 2011)
Finifter, M., Mettler, A., Sastry, N., Wagner, D.: Verifiable Functional Purity in Java. In: CCS, Alexandria, VA (October 2008)
Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: “These Aren’t the Droids You’re Looking For”: Retrofitting Android to Protect Data from Imperious Applications. In: CCS, Chicago, IL (October 2011)
Jeon, J., Micinski, K.K., Vaughan, J.A., Fogel, A., Reddy, N., Foster, J.S., Millstein, T.: Dr. Android and Mr. Hide: Fine-grained Permissions in Android Applications. In: SPSM Workshop, Raleigh, NC (October 2012)
McDougall, P.: IBM Acquires Mobile Specialist Worklight, http://www.informationweek.com/news/development/mobility/232500829
Myers, A.C., Liskov, B.: A Decentralized Model for Information Flow Control. In: SOSP, Saint Malo, France (October 1997)
Nauman, M., Khan, S., Zhang, X.: Apex: Extending Android Permission Model and Enforcement with User-defined Runtime Constraints. In: ASIACCS, Beijing, China (April 2010)
Ongtang, M., McLaughlin, S., Enck, W., McDaniel, P.: Semantically Rich Application-Centric Security in Android. In: ACSAC, Honolulu, HI (December 2009)
Singh, K., Bhola, S., Lee, W.: xBook: Redesigning Privacy Control in Social Networking Platforms. In: USENIX Security Symposium, Montreal, Canada (August 2009)
Verma, M.: XML Security: Control information access with XACML, http://www.ibm.com/developerworks/xml/library/x-xacml/
Xu, R., Sadi, H., Anderson, R.: Aurasium: Practical Policy Enforcement for Android Applications. In: USENIX Security Symposium, Bellevue, WA (August 2012)
Zeldovich, N., Boyd-Wickizer, S., Kohler, E., Mazières, D.: Making Information Flow Explicit in HiStar. In: OSDI, Seattle, WA (November 2006)
Zhou, Y., Jiang, X.: Dissecting Android Malware: Characterization and Evolution. In: IEEE S&P, San Fransisco, CA (May 2012)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Singh, K. (2013). Practical Context-Aware Permission Control for Hybrid Mobile Applications. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_16
Download citation
DOI: https://doi.org/10.1007/978-3-642-41284-4_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41283-7
Online ISBN: 978-3-642-41284-4
eBook Packages: Computer ScienceComputer Science (R0)