A Privacy Enforcing Framework for Android Applications

The widespread adoption of the Android operating system in a variety type of devices ranging from smart phones to smart TVs, makes it an interesting target for developers of malevolent applications. In the current security model of Android, applications are granted several permissions during their installation. Users do not have means to easily understand the implications of these permissions. In this paper, we propose an approach to enforce fine-grained usage control privacy policies that enable users to control the access of applications to sensitive resources through application instrumentation. The purpose of this work is enhancing the control users have on privacy, confidentiality and security of their mobile devices, with regards to software intrusive behaviours. Our approach on a side foresees the use of instrumentation techniques, and on the other includes a refinement step where high-level resource-centric abstract policies defined by users are automatically refined to enforceable concrete policies considering the resource being used and not the specific multiple concrete API methods that may allow an app to access the specific sensitive resources. For example, access to the user location may be done using multiple API methods that should be instrumented and controlled according to the user selected privacy policies. We enforce our approach on well known Android applications, while we demonstrate evaluation performance implications under different scenarios.

NEISSE Ricardo;  STERI Gary;  GENEIATAKIS Dimitrios;  NAI FOVINO Igor; 

2016-12-01

ELSEVIER ADVANCED TECHNOLOGY

JRC102624

0167-4048,   

http://www.sciencedirect.com/science/article/pii/S0167404816300840,    https://publications.jrc.ec.europa.eu/repository/handle/JRC102624,   

10.1016/j.cose.2016.07.005,