research-article

Enforcing fine-grained security and privacy policies in an ecosystem within an ecosystem

Authors:

Waqar Ahmad,

Joshua Sunshine,

Christian Kaestner,

Adam WynneAuthors Info & Claims

MobileDeLi 2015: Proceedings of the 3rd International Workshop on Mobile Development Lifecycle

Pages 28 - 34

https://doi.org/10.1145/2846661.2846664

Published: 26 October 2015 Publication History

Get Access

Abstract

Smart home automation and IoT promise to bring many advantages but they also expose their users to certain security and privacy vulnerabilities. For example, leaking the information about the absence of a person from home or the medicine somebody is taking may have serious security and privacy consequences for home users and potential legal implications for providers of home automation and IoT platforms. We envision that a new ecosystem within an existing smartphone ecosystem will be a suitable platform for distribution of apps for smart home and IoT devices. Android is increasingly becoming a popular platform for smart home and IoT devices and applications. Built-in security mechanisms in ecosystems such as Android have limitations that can be exploited by malicious apps to leak users' sensitive data to unintended recipients. For instance, Android enforces that an app requires the Internet permission in order to access a web server but it does not control which servers the app talks to or what data it shares with other apps. Therefore, sub-ecosystems that enforce additional fine-grained custom policies on top of existing policies of the smartphone ecosystems are necessary for smart home or IoT platforms. To this end, we have built a tool that enforces additional policies on inter-app interactions and permissions of Android apps. We have done preliminary testing of our tool on three proprietary apps developed by a future provider of a home automation platform. Our initial evaluation demonstrates that it is possible to develop mechanisms that allow definition and enforcement of custom security policies appropriate for ecosystems of the like smart home automation and IoT.

References

[1]

S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. L. Traon, D. Octeau, and P. McDaniel. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 14, New York, NY, USA, pages 259– 269, 2014.

Digital Library

Google Scholar

[2]

A. Einarsson and J. D. Nielsen. A survivor’s guide to java program analysis with soot. page http://www.brics.dk/ SootGuide/sootsurvivorsguide.pdf, 2008.

Google Scholar

[3]

E. Fragkaki, L. Bauer, L. Jia, and D. Swasey. Modeling and enhancing android’s permission system. Computer Security, ESORICS 2012: 17th European Symposium on Research in Computer Security, 7459 of Lecture Notes in Computer Science:1–18, 2012.

Google Scholar

[4]

GoogleAndroid. System permissions. Android Developer Guide, page http://developer.android.com/ guide/topics/security/permissions.html, 2015.

Google Scholar

[5]

M. Gordon, D. Kim, J. Perkinsa, L. Gilhamy, N. Nguyen, and M. Rinard. Information-flow analysis of android applications in droidsafe. Proc. of the Network and Distributed System Security Symposium (NDSS), The Internet Society, 2015.

Crossref

Google Scholar

[6]

L. Jia, J. Aljuraidan, E. Fragkaki, L. Bauer, M. Stroucken, K. Fukushima, S. Kiyomoto, and Y. Miyake. Run-time enforcement of information-flow properties on android. Computer Security, ESORICS 2013: 18th European Symposium on Research in Computer Security, pages 775–792, 2013.

Crossref

Google Scholar

[7]

L. Li, A. Bartel, T. F. Bissyandé, J. Klein, Y. L. Traon, S. Arzt, S. Rasthofer, E. Bodden, D. Octeau, and P. Mcdaniel. Iccta: Detecting inter-component privacy leaks in android apps. Proceedings of the 37th International Conference on Software Engineering (ICSE 2015), 2015.

Digital Library

Google Scholar

[8]

D. Octeau, P. McDaniel, S. Jha, A. Bartel, E. Bodden, J. Klein, and Y. L. Traon. Effective inter-component communication mapping in android with epicc: An essential step towards holistic security analysis. Proceedings of the 22Nd USENIX Conference on Security, SEC’13, Berkeley, CA, USA, pages 543–558, 2013.

Digital Library

Google Scholar

[9]

D. Octeau, D. Luchaup, M. Dering, S. Jha, and P. McDaniel. Composite constant propagation: Application to android intercomponent communication analysis. Proceedings of the 37th International Conference on Software Engineering (ICSE), 2015.

Digital Library

Google Scholar

[10]

Wikipedia. Android (operating system). page https://en. wikipedia.org/wiki/Android_(operating_system), 2015.

Google Scholar

[11]

B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native client: A sandbox for portable, untrusted x86 native code. IEEE Symposium on Security and Privacy, 2009.

Digital Library

Google Scholar

[12]

Introduction Problem Statement Proposed Solution Current Work Related Work Conclusion and Future Work

Google Scholar

Cited By

View all

Liao BAli YNazir SHe LKhan H(2020)Security Analysis of IoT Devices by Using Mobile Computing: A Systematic Literature ReviewIEEE Access10.1109/ACCESS.2020.30063588(120331-120350)Online publication date: 2020
https://doi.org/10.1109/ACCESS.2020.3006358
Chhetri CMotti V(2020)Identifying Vulnerabilities in Security and Privacy of Smart Home DevicesNational Cyber Summit (NCS) Research Track 202010.1007/978-3-030-58703-1_13(211-231)Online publication date: 9-Sep-2020
https://doi.org/10.1007/978-3-030-58703-1_13
Ali AAhmed MImran MKhattak H(2020)Security and Privacy Issues in Fog ComputingFog Computing10.1002/9781119551713.ch5(105-137)Online publication date: 25-Apr-2020
https://doi.org/10.1002/9781119551713.ch5
Show More Cited By

Recommendations

An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective
WWW '17: Proceedings of the 26th International Conference on World Wide Web

With the prevalence of smartphones, app markets such as Apple App Store and Google Play has become the center stage in the mobile app ecosystem, with millions of apps developed by tens of thousands of app developers in each major market. This paper ...
To Update or Not to Update: Insights From a Two-Year Study of Android App Evolution
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

Although there are over 1,900,000 third-party Android apps in the Google Play Store, little is understood about how their security and privacy characteristics, such as dangerous permission usage and the vulnerabilities they contain, have evolved over ...
Why are Android apps removed from Google Play?: a large-scale empirical study
MSR '18: Proceedings of the 15th International Conference on Mining Software Repositories

To ensure the quality and trustworthiness of the apps within its app market (i.e., Google Play), Google has released a series of policies to regulate app developers. As a result, policy-violating apps (e.g., malware, low-quality apps, etc.) have been ...

Comments

Information & Contributors

Information

Published In

MobileDeLi 2015: Proceedings of the 3rd International Workshop on Mobile Development Lifecycle

October 2015

57 pages

ISBN:9781450339063

DOI:10.1145/2846661

Program Chairs:
Aharon Abadi,
Lori Flynn,
Jeff Gray

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

SIGAda: ACM Special Interest Group on Ada Programming Language

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 26 October 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Stevens
Bosch Research and Technology Center North America

Conference

SPLASH '15

Sponsor:

SIGPLAN

SPLASH '15: Conference on Systems, Programming, Languages, and Applications: Software for Humanity

October 26, 2015

PA, Pittsburgh, USA

Acceptance Rates

Overall Acceptance Rate 6 of 8 submissions, 75%

Upcoming Conference

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
181
Total Downloads

Downloads (Last 12 months)26
Downloads (Last 6 weeks)6

Reflects downloads up to 27 Jul 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Liao BAli YNazir SHe LKhan H(2020)Security Analysis of IoT Devices by Using Mobile Computing: A Systematic Literature ReviewIEEE Access10.1109/ACCESS.2020.30063588(120331-120350)Online publication date: 2020
https://doi.org/10.1109/ACCESS.2020.3006358
Chhetri CMotti V(2020)Identifying Vulnerabilities in Security and Privacy of Smart Home DevicesNational Cyber Summit (NCS) Research Track 202010.1007/978-3-030-58703-1_13(211-231)Online publication date: 9-Sep-2020
https://doi.org/10.1007/978-3-030-58703-1_13
Ali AAhmed MImran MKhattak H(2020)Security and Privacy Issues in Fog ComputingFog Computing10.1002/9781119551713.ch5(105-137)Online publication date: 25-Apr-2020
https://doi.org/10.1002/9781119551713.ch5
Song JGao KShen XQi XLiu RChoo K(2018)QRFence: A flexible and scalable QR link security detection framework for Android devicesFuture Generation Computer Systems10.1016/j.future.2018.05.08288(663-674)Online publication date: Nov-2018
https://doi.org/10.1016/j.future.2018.05.082
Yamakami T(2017)Horizontal Requirement Engineering in Integration of Multiple IoT Use Cases of City Platform as a Service2017 IEEE International Conference on Computer and Information Technology (CIT)10.1109/CIT.2017.54(292-296)Online publication date: Aug-2017
https://doi.org/10.1109/CIT.2017.54
Mbelli TDwolatzky B(2016)Cyber Security, a Threat to Cyber Banking in South Africa: An Approach to Network and Application Security2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud)10.1109/CSCloud.2016.18(1-6)Online publication date: Jun-2016
https://doi.org/10.1109/CSCloud.2016.18

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective

To Update or Not to Update: Insights From a Two-Year Study of Android App Evolution

Why are Android apps removed from Google Play?: a large-scale empirical study

Comments

Published In

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective

To Update or Not to Update: Insights From a Two-Year Study of Android App Evolution

Why are Android apps removed from Google Play?: a large-scale empirical study

Comments

Information

Published In

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations