ABSTRACT
Android is the first mass-produced consumer-market open source mobile platform that allows developers to easily create applications and users to readily install them. However, giving users the ability to install third-party applications poses serious security concerns. While the existing security mechanism in Android allows a mobile phone user to see which resources an application requires, she has no choice but to allow access to all the requested permissions if she wishes to use the applications. There is no way of granting some permissions and denying others. Moreover, there is no way of restricting the usage of resources based on runtime constraints such as the location of the device or the number of times a resource has been previously used. In this paper, we present Apex -- a policy enforcement framework for Android that allows a user to selectively grant permissions to applications as well as impose constraints on the usage of resources. We also describe an extended package installer that allows the user to set these constraints through an easy-to-use interface. Our enforcement framework is implemented through a minimal change to the existing Android code base and is backward compatible with the current security mechanism.
- William Enck, Machigar Ongtang, and Patrick McDaniel. On lightweight mobile phone application certification. In CCS '09: Proceedings of the 16th ACM conference on Computer and communications security, pages 235--245, New York, NY, USA, 2009. ACM. Google ScholarDigital Library
- Adam P. Fuchs, Avik Chaudhuri, and Jeffrey S. Foster. SCanDroid: Automated Security Certification of Android Applications. In Submitted to IEEE S&P'10: Proceedings of the 31st IEEE Symposium on Security and Privacy, 2010.Google Scholar
- Google. Android Home Page, 2009. Available at: http://www.android.com.Google Scholar
- Google. Android Reference: Intent, 2009. Available at: http://developer.android.com/reference/android/content/Intent.html.Google Scholar
- Google. Android Reference: Manifest File - Permissions, 2009. Available at: http://developer.android.com/guide/topics/manifest/manifest-intro.html\#perms.Google Scholar
- Google. Android Reference: Security and Permissions, 2009. Available at: http://developer.android.com/guide/topics/security/security.html.Google Scholar
- M. Ongtang, S. McLaughlin, W. Enck, and P. McDaniel. Semantically Rich Application-Centric Security in Android. In Proceedings of the Annual Computer Security Applications Conference, 2009. Google ScholarDigital Library
Index Terms
- Apex: extending Android permission model and enforcement with user-defined runtime constraints
Recommendations
Android permissions demystified
CCS '11: Proceedings of the 18th ACM conference on Computer and communications securityAndroid provides third-party applications with an extensive API that includes access to phone hardware, settings, and user data. Access to privacy- and security-relevant parts of the API is controlled with an install-time application permission system. ...
POAuth: privacy-aware open authorization for native apps on smartphone platforms
ICUIMC '12: Proceedings of the 6th International Conference on Ubiquitous Information Management and CommunicationSmartphones are increasing in popularity and it is widely believed that their market share will continue to rise in the future. Due to the limited capabilities of smartphones compared to the PC, web-based services accessed through native applications are ...
Transforming high-level requirements to executable policies for Android
ICUIMC '14: Proceedings of the 8th International Conference on Ubiquitous Information Management and CommunicationAndroid is a massively popular platform in the fast-growing smartphone industry. The core Android security model follows an all-or-nothing policy which either allows an application access to all requested permissions or doesn't install it at all. ...
Comments