Policy Weaving for Mobile Devices
Drew Davidson


Why Mobile?
Smartphone security is critical
– 1200 to 1400 US Army troops to be equipped with Android smartphones by October [Wired, June 2012]
– 70% of companies have a bring-your-own-device policy [431 Group, August 2012]
Unique security measures

Policy Weaving for Mobile Devices
Unique security measures:
– App sandboxing (Java on Android, C# on Windows Phone)
– App manifests: permissions listed at install time
– Markets serve as gatekeepers
[Diagram: Developer → App (Bytecode, Manifest, Binary, Resources) → App Store]

How Effective are These Measures?
[Screenshot: market permission warnings shown for the app Tasker]
– Add or Modify Calendar Events and Send Email to Guests Without Owners' Knowledge: Malicious apps may send spam emails that appear to come from calendar owners, modify events without the owners' knowledge, or add fake events
– Send SMS Messages: Malicious apps may cost you money by sending messages
– Intercept Outgoing Calls: Malicious apps may monitor, redirect, or prevent outgoing calls
App Sandboxing – Sandboxed apps can still do damage
App Manifests – Users demonstrate poor comprehension and lack of concern
Market Analysis – Not individualized

How Effective are These Measures?
In-lab and online survey of Android users [Felt et al., February 2012]:
– Only 8 users out of 302 (2.6%) correctly answered all 3 questions about permissions
– On average, respondents answered 21% of the questions correctly
– Only 29% of respondents had ever declined to install an app because of its permissions
App Sandboxing – Sandboxed apps can still do damage
App Manifests – Users demonstrate poor comprehension and lack of concern
Market Analysis – Not individualized

Policy Weaving for Mobile Devices
App Sandboxing – Sandboxed apps can still do damage
App Manifests – Users demonstrate poor comprehension and lack of concern
Market Analysis – Not individualized
We leverage the app store gatekeeper by installing a mobile code weaver (AppWeaver) there
– Each enterprise can upload its own policy
– The weaver builds a custom, policy-woven app for each client
[Diagram: Developer → App (Bytecode, Manifest, Binary, Resources) → App Store running AppWeaver → Policy-woven app → Enterprise 1, Enterprise 2, Enterprise 3, each of which has uploaded a policy]
Is mobile weaving feasible?

Aurasium [Xu, Saidi, Anderson, USENIX Security 2012]
Simple, stateless policies
– IP filtering
– Outgoing SMS blocking
Implemented at the system call boundary (more precisely, at the app's calls into the native libraries that issue the system calls)
– A standalone policy is added to the package
– The calls are re-routed through a native library
Classic reference monitor
– The instrumentation is the interesting part
[Diagram: App Code (Bytecode) → Aurasium Policy → Native Lib → Kernel]

Aurasium: Implementation
Android app (.apk zip file): bytecode, XML manifest, native libraries, resources
– Unzip the apk file
– Add the .so to the package (trivial)
– Disassemble the bytecode using open source tools (apktool)
– Add the policy bytecode (Aurasium policy class)
– Rewrite the manifest so that the Aurasium component is entered first (Aurasium component declaration)
High-level details are the same for Android and Windows Phone

Mobile Weaver Architecture
App developer uploads a single app
Enterprise uploads a single policy
Weaver generator instantiates the correct weaver
– C# weaver for Windows Phone, based on the Mono.Cecil instrumentation framework
– Java weaver for Android, based on apktool
Insert bytecode into the app so that it conforms to the policy automaton
[Diagram: App + Enterprise Policy → Weaver Generator → C# Cecil Weaver | Java apktool Weaver]

Example Policies
Apps can write to storage, but they must clear storage upon being placed in the background
– Instrumentation of Android callbacks, such as the one invoked when the application is removed from the foreground
– Use cases: credit card reader apps, barcode scanners
Location data may be read, but it must not reach the network
– Use cases: navigation, location-based advertising
– Leverage the remarkably similar permission models of Windows Phone and Android to break connections from location-reading sources to network-facing sinks
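The two example policies above, written out as the kind of policy automaton the weaver architecture targets. This is an added C example, not the presentation's weaver, policy language, or generated bytecode: it models the events that woven stubs would report (storage write, onPause, location read, network send) and keeps one small state machine per policy, forcing the storage clear on onPause and refusing a network send once location data has entered the app. The event names and the whole-app "tainted after a location read" rule are assumptions for illustration; the slides describe a static source-to-sink analysis, which is finer-grained than this runtime approximation.

```c
#include <stddef.h>
#include <stdio.h>

/* Events a woven stub would report to the monitor (illustrative names, not the deck's). */
enum event {
    EV_WRITE_STORAGE,   /* app writes a file */
    EV_ON_PAUSE,        /* Activity.onPause(): app leaves the foreground */
    EV_ON_RESUME,
    EV_CLEAR_STORAGE,   /* app wipes what it wrote */
    EV_READ_LOCATION,   /* location read */
    EV_NET_SEND         /* data leaves through a socket */
};

enum verdict { ALLOW, BLOCK };

/* Monitor state: one small automaton per policy, plus enforcement counters. */
struct monitor {
    int storage_dirty;     /* policy 1: something was written since the last clear */
    int location_tainted;  /* policy 2: location data has been read into the app */
    int clears_forced;     /* policy 1 remediation: clears performed by the woven onPause */
    int sends_blocked;     /* policy 2 enforcement: network sends refused */
};

/* Step both automata on one event. ALLOW lets the original call proceed; BLOCK tells the
   woven stub to suppress it. */
static enum verdict monitor_step(struct monitor *m, enum event ev) {
    switch (ev) {
    case EV_WRITE_STORAGE: m->storage_dirty = 1; return ALLOW;
    case EV_CLEAR_STORAGE: m->storage_dirty = 0; return ALLOW;
    case EV_ON_PAUSE:
        /* Policy 1: the backgrounding callback is instrumented to clear storage first. */
        if (m->storage_dirty) { m->clears_forced++; m->storage_dirty = 0; }
        return ALLOW;
    case EV_READ_LOCATION: m->location_tainted = 1; return ALLOW;
    case EV_NET_SEND:
        /* Policy 2: location may be read, but must not reach the network. */
        if (m->location_tainted) { m->sends_blocked++; return BLOCK; }
        return ALLOW;
    case EV_ON_RESUME: return ALLOW;
    }
    return ALLOW;
}

/* Run a trace through the monitor; returns how many calls were blocked. */
static int run_trace(struct monitor *m, const enum event *trace, size_t n) {
    int blocked = 0;
    for (size_t i = 0; i < n; i++)
        if (monitor_step(m, trace[i]) == BLOCK) blocked++;
    return blocked;
}

/* Constructed trace: a barcode scanner stores a scan and is backgrounded without clearing,
   later reads the GPS position and tries to post it, then stores and clears on its own. */
static const enum event sample_trace[] = {
    EV_WRITE_STORAGE, EV_ON_PAUSE, EV_ON_RESUME,
    EV_NET_SEND,                     /* allowed: nothing location-derived yet */
    EV_READ_LOCATION, EV_NET_SEND,   /* blocked by policy 2 */
    EV_WRITE_STORAGE, EV_CLEAR_STORAGE, EV_ON_PAUSE   /* app complies; no forced clear */
};

struct monitor demo_state;   /* left populated for inspection after run_demo() */

int run_demo(void) {
    demo_state = (struct monitor){0};
    return run_trace(&demo_state, sample_trace, sizeof sample_trace / sizeof sample_trace[0]);
}

int main(void) {
    int blocked = run_demo();
    printf("blocked sends: %d, forced clears: %d\n", blocked, demo_state.clears_forced);
    return 0;
}
```

The point of keeping the policy as a state machine driven by reported events is that the weaver only needs to insert a call to `monitor_step` at each relevant call site or callback; the policy itself stays outside the app's code and can be swapped per enterprise.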

Key Insights
– Need rich, tailored policies to protect users at install time
– Allow bytecode weaving instead of system call interposition
– High-level, cross-platform policies

Status
Analysis framework that can statically check simple policies
– Uses Cecil for Windows Phone
– Uses apktool for Android
Stay tuned for more developments

Thanks! Questions?

Backup Slides

Mobile Architecture
[Diagram: Application Code (Bytecode, Manifest) → Runtime Framework (Runtime API in Java → Java Native Interface (JNI) entry → Runtime API in C++) → Native Libraries (libc, libm, ..., Native Lib) → Kernel]
Application code relies on the runtime framework
Framework calls reach the kernel via a small set of native libraries

Aurasium Interposition In Depth
[Diagram: Application Code (Bytecode, Manifest) → Android Application Framework (Runtime API in Java → JNI entry → Runtime API in C++) → Native Libraries (libc, libm, ..., Native Lib) → Linux Kernel, with the Global Offset Table between the framework and the native libraries and the Policy attached to Aurasium's native library]
Application code relies on the runtime framework
Framework calls reach the kernel via a small set of native libraries
Overwrite the Global Offset Table (GOT) entries for those library functions with entries that point into Aurasium's native library, so every call passes through the policy before reaching libc
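The GOT overwrite sketched on this slide, and the re-routing of native calls through a policy library from the earlier Aurasium slide, as an added C example that is not Aurasium's code: it walks this executable's own dynamic section to find the import slot for `connect()`, makes the slot's page writable, and points it at a policy stub that refuses connections into 10.0.0.0/8 as a stand-in for Aurasium's IP filter. The hooked function, the denied range, and all helper names are assumptions for illustration. Aurasium does this on ARM/Android for every library loaded into the app process; this example hooks only the main executable's own imports on a 64-bit Linux host (x86_64 or AArch64), which is enough to show the mechanism.

```c
#include <elf.h>
#include <link.h>
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/auxv.h>
#include <sys/mman.h>
#include <sys/socket.h>

extern ElfW(Dyn) _DYNAMIC[];   /* this executable's .dynamic section (linker-provided symbol) */
#if defined(__x86_64__)         /* relocation types that fill an import slot on each target */
#  define R_JUMP_SLOT R_X86_64_JUMP_SLOT
#  define R_GLOB_DAT  R_X86_64_GLOB_DAT
#else                           /* AArch64, the other 64-bit target this example supports */
#  define R_JUMP_SLOT R_AARCH64_JUMP_SLOT
#  define R_GLOB_DAT  R_AARCH64_GLOB_DAT
#endif

/* Load bias: runtime address of _DYNAMIC minus its link-time address (0 for a non-PIE binary). */
static uintptr_t load_base(void) {
    const ElfW(Phdr) *ph = (const ElfW(Phdr) *)getauxval(AT_PHDR);
    for (unsigned long i = 0, n = getauxval(AT_PHNUM); i < n; i++)
        if (ph[i].p_type == PT_DYNAMIC)
            return (uintptr_t)_DYNAMIC - (uintptr_t)ph[i].p_vaddr;
    return 0;
}
/* Some loaders relocate .dynamic d_ptr values in place, others leave them as offsets. Accept both. */
static uintptr_t dyn_ptr(uintptr_t base, uintptr_t v) { return v >= base ? v : base + v; }

/* Find the GOT slot through which this executable imports `name`, scanning the PLT relocations
   (DT_JMPREL) and the general RELA table (which -fno-plt builds use for imports instead). */
static void **find_got_slot(const char *name) {
    uintptr_t base = load_base(), tbl[2] = {0, 0};
    size_t sz[2] = {0, 0}, ent[2] = {sizeof(ElfW(Rela)), sizeof(ElfW(Rela))};
    const ElfW(Sym) *symtab = NULL; const char *strtab = NULL;
    for (const ElfW(Dyn) *d = _DYNAMIC; d->d_tag != DT_NULL; d++) {
        switch (d->d_tag) {
        case DT_SYMTAB:   symtab = (const ElfW(Sym) *)dyn_ptr(base, d->d_un.d_ptr); break;
        case DT_STRTAB:   strtab = (const char *)dyn_ptr(base, d->d_un.d_ptr); break;
        case DT_JMPREL:   tbl[0] = dyn_ptr(base, d->d_un.d_ptr); break;
        case DT_PLTRELSZ: sz[0] = d->d_un.d_val; break;
        case DT_RELA:     tbl[1] = dyn_ptr(base, d->d_un.d_ptr); break;
        case DT_RELASZ:   sz[1] = d->d_un.d_val; break;
        case DT_RELAENT:  ent[1] = d->d_un.d_val; break;
        }
    }
    if (!symtab || !strtab) return NULL;
    for (int t = 0; t < 2; t++)
        for (size_t off = 0; tbl[t] && off + ent[t] <= sz[t]; off += ent[t]) {
            const ElfW(Rela) *r = (const ElfW(Rela) *)(tbl[t] + off);
            unsigned type = (unsigned)ELF64_R_TYPE(r->r_info);
            if (type != R_JUMP_SLOT && type != R_GLOB_DAT) continue;
            if (strcmp(strtab + symtab[ELF64_R_SYM(r->r_info)].st_name, name) == 0)
                return (void **)(base + r->r_offset);   /* r_offset is link-time, so add the bias */
        }
    return NULL;
}

/* Overwrite the slot. Under full RELRO the GOT is mapped read-only, so unprotect its page first. */
static int hook_import(const char *name, void *replacement, void **original) {
    void **slot = find_got_slot(name);
    long pg = sysconf(_SC_PAGESIZE);
    if (!slot || pg <= 0) return -1;
    if (mprotect((void *)((uintptr_t)slot & ~((uintptr_t)pg - 1)), (size_t)pg, PROT_READ | PROT_WRITE))
        return -1;
    *original = *slot;
    *slot = replacement;
    return 0;
}

typedef int (*connect_fn)(int, const struct sockaddr *, socklen_t);
static connect_fn real_connect;   /* libc's connect, saved from the slot before it was overwritten */

/* Stand-in for Aurasium's IP filter: refuse IPv4 connections into 10.0.0.0/8, pass the rest on. */
static int connect_hook(int fd, const struct sockaddr *sa, socklen_t len) {
    if (sa && sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in) &&
        (ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr) >> 24) == 10) {
        errno = EACCES;
        return -1;
    }
    return real_connect(fd, sa, len);
}

int install_connect_policy(void) {
    if (real_connect) return 0;   /* already installed; hooking twice would make the stub recurse */
    connect(-1, NULL, 0);         /* force lazy binding so the slot holds libc's connect before we save it */
    return hook_import("connect", (void *)connect_hook, (void **)&real_connect);
}

/* 1 when a 10.x.x.x connect is refused with EACCES by the hook while another destination still
   reaches libc (EBADF, because fd -1 is not a socket); 0 otherwise. */
int demo_ip_filter(void) {
    struct sockaddr_in denied = {0}, allowed = {0};
    denied.sin_family = allowed.sin_family = AF_INET;
    inet_pton(AF_INET, "10.1.2.3", &denied.sin_addr);
    inet_pton(AF_INET, "192.0.2.1", &allowed.sin_addr);   /* TEST-NET-1, never routed */
    if (install_connect_policy() != 0) return 0;
    errno = 0; int r1 = connect(-1, (struct sockaddr *)&denied, sizeof denied), e1 = errno;
    errno = 0; int r2 = connect(-1, (struct sockaddr *)&allowed, sizeof allowed), e2 = errno;
    return r1 == -1 && e1 == EACCES && r2 == -1 && e2 == EBADF;
}
```

Call `demo_ip_filter()` from a `main` to try it; it needs no network, because the policy decision is made before the descriptor is even looked at. Two caveats a practitioner should keep in mind: the slot's saved value is only libc's address after the import has been bound (hence the priming call; `-z now` builds bind everything at load), and a GOT hook is a user-space interposition, so code that issues the system call directly from its own native library or inline assembly never passes through it.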

Personal Use Statistics
– ~41% of US adults own a smartphone, 71% of adults [Pew, February 2012]
– Smartphones are personal: 91% of users are within 3 feet of their smartphone 24 hours a day [Morgan Stanley, 2011]
– Average time per day spent using apps on a smartphone: 57 minutes [O2, June 2012]