Jif-Based Verification of Information Flow Policies for Android Apps
نویسندگان
چکیده
Android stores and users need mechanisms to evaluate whether their applications are secure or not. Although various previous works use data and control flow techniques to evaluate security features of Android applications, this paper extends those works by using Jif to verify compliance of information flow policies. To do so, the authors addressed some challenges that emerge in Android environments, like automatizing generation of Jif labels for Android applications, and defining translations for Java instructions that are not currently supported by the Jif compiler. Results show that a Jif-based analysis is faster and has a better recall than other available mechanisms, but it also has a slightly lower precision. Jif also provides an open source compiler, generates executable code for an application only if such application meets a defined policy, and checks implicit flows which may be relevant for highly sensitive applications. KEywoRdS Android, Information Flow Security Policies, Jif, Security-Typed Languages
منابع مشابه
Language-Based Enforcement of Privacy Policies
We develop a language-based approach for modeling and verifying aspects of privacy policies. Our approach relies on information-flow control. Concretely, we use the programming language Jif, an extension of Java with information-flow types. We address basic leaks of private information and also consider other aspects of privacy policies supported by the Platform for Privacy Preferences (P3P) an...
متن کاملTowards Verifying Android Apps for the Absence of No-Sleep Energy Bugs
The Android OS conserves battery life by aggressively turning off components, such as screen and GPS, while allowing application developers to explicitly prevent part of this behavior using the WakeLock API. Unfortunately, the inherent complexity of the Android programming model and developer errors often lead to improper use of WakeLocks that manifests as no-sleep bugs. To mitigate this proble...
متن کاملToward a Framework for Detecting Privacy Policy Violation in Android Application Code
Mobile applications frequently access sensitive personal information to meet user or business requirements. Because this information is sensitive, regulators increasingly require mobile app developers to publish privacy policies that describe what information is collected, for what purpose is the information used and with whom it is shared. Furthermore, regulators have fined companies when thes...
متن کاملHow Useful Are Existing Monitoring Languages for Securing Android Apps?
The Android operating system is currently dominating the mobile device market in terms of penetration and growth rate. An important contributor to its success are a wealth of cheap and easy-to-install mobile applications, known as apps. Today, installing untrusted apps is the norm, though this comes with risks: malware is ubiquitous and can easily leak confidential and sensitive data. In this w...
متن کاملEnhancing Android Security through App Splitting
The Android operating system provides a rich security model that specifies over 100 distinct permissions. Before performing a sensitive operation, an app must obtain the corresponding permission through a request to the user. Unfortunately, an app is treated as an opaque, monolithic security principal, which is granted or denied permission as a whole. This blunts the effectiveness of the permis...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
- IJSSE
دوره 8 شماره
صفحات -
تاریخ انتشار 2017