Towards Unified Authorization for Android
نویسندگان
چکیده
Android applications that manage sensitive data such as email and files downloaded from cloud storage services need to protect their data from malware installed on the phone. While prior security analyses have focused on protecting system data such as GPS locations from malware, not much attention has been given to the protection of application data. We show that many popular commercial applications incorrectly use Android authorization mechanisms leading to attacks that steal sensitive data. We argue that formal verification of application behaviors can reveal such errors and we present a formal model in ProVerif that accounts for a variety of Android authorization mechanisms and system services. We write models for four popular applications and analyze them with ProVerif to point out attacks. As a countermeasure, we propose Authzoid, a sample standalone application that lets applications define authorization policies and enforces them on their behalf.
منابع مشابه
ASM: A Programmable Interface for Extending Android Security
Android, iOS, and Windows 8 are changing the application architecture of consumer operating systems. These new architectures required OS designers to rethink security and access control. While the new security architectures improve on traditional desktop and server OS designs, they lack sufficient protection semantics for different classes of OS customers (e.g., consumer, enterprise, and govern...
متن کاملBusiness-Driven Enterprise Authorization - Moving Towards a Unified Authorization Architecture
Information systems of large enterprises experience a shift from an application-centric architecture towards a focus on process orientation and web services. The information system is opened to business partners to allow for self-management and seamless cross-enterprise process integration. Aiming at higher flexibility and lower costs, this strategy also produces great new challenges the securi...
متن کاملPluggable Authorization and Distributed Enforcement with pam_xacml
Access control is a critical functionality in distributed systems. Services and resources must be protected from unauthorized access. The prevalent practice is that service specific policies reside at the services and govern the access control. It is hard to keep distributed authorization policies consistent with the global security policy of an organization. A recent trend is to unify the diff...
متن کاملDetection of Illegal Control Flow in Android System: Protecting Private Data Used by Smartphone Apps
Today, security is a requirement for smartphone operating systems that are used to store and handle sensitive information. However, smartphone users usually download third-party applications that can leak personal data without user authorization. For this reason, the dynamic taint analysis mechanism is used to control the manipulation of private data by third-party apps [9]. But this technique ...
متن کاملUser Interactions and Permission Use on Android
Android and other mobile operating systems ask users for au thorization before allowing apps to access sensitive resources such as contacts and location. We hypothesize that such au thorization systems could be improved by becoming more integrated with the app’s user interface. In this paper, we conduct two studies to test our hypothesis. First, we use AppTracer, a dynamic analysis tool we de...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2013