Policy Weaving for Mobile Devices, Drew Davidson (presentation transcript)

1 Policy Weaving for Mobile Devices (Drew Davidson)

2 Why Mobile?
Smartphone security is critical
– 1200 to 1400 US Army troops to be equipped with Android smartphones by October [Wired, June 2012]
– 70% of companies have a bring your own device policy [431 Group, August 2012]
Unique security measures

3 Policy Weaving for Mobile Devices
App sandboxing
– Java or C#
App manifests
– Permissions listed at install time
Markets serve as gatekeepers
[Diagram: the developer submits the app (bytecode, manifest, binary resources) to the app store]

4 How Effective are These Measures?
Tasker permission list:
– Add or Modify Calendar Events and Send Email to Guests Without Owners' Knowledge: Malicious apps may send spam emails that appear to come from calendar owners, modify events without the owners' knowledge, or add fake events
– Send SMS Messages: Malicious apps may cost you money by sending messages
– Intercept Outgoing Calls: Malicious apps may monitor, redirect, or prevent outgoing calls
App sandboxing – Sandboxed apps can still do damage
App manifests – Users demonstrate poor comprehension and lack of concern
Market analysis – Not individualized

5 How Effective are These Measures?
In-lab and online survey of Android users:
– Only 8 users out of 302 (2.6%) correctly answered all 3 questions about permissions
– On average, respondents answered 21% of questions correctly
– Only 29% of respondents have ever not installed an app because of permissions
[Felt et al., February 2012]
App sandboxing – Sandboxed apps can still do damage
App manifests – Users demonstrate poor comprehension and lack of concern
Market analysis – Not individualized

6 How Effective are These Measures?
App sandboxing – Sandboxed apps can still do damage
App manifests – Users demonstrate poor comprehension and lack of concern
Market analysis – Not individualized
We leverage the app store gatekeeper by installing a mobile code weaver (AppWeaver) there
– Each client can upload a policy
– Weaver builds a custom app for each client
[Diagram: the developer submits bytecode, manifest and binary resources to the app store; AppWeaver produces a build for each of Enterprise 1, 2 and 3]

7 Policy Weaving for Mobile Devices
We leverage the app store gatekeeper by installing a mobile code weaver there
– Each client can upload a policy
– Weaver builds a custom app for each client
[Diagram: the developer submits bytecode, manifest and binary resources to the app store; the weaver produces a build for each of Enterprise 1, 2 and 3]

8 Policy Weaving for Mobile Devices
We leverage the app store gatekeeper by installing a mobile code weaver there
– Enterprises can each upload a policy
– Weaver builds a custom app for each client
[Diagram: the developer submits bytecode, manifest and binary resources to the app store; AppWeaver produces a policy-woven app for each of Enterprise 1, 2 and 3]
Is mobile weaving feasible?

9 Aurasium
Simple, stateless policies
– IP filtering
– Outgoing SMS blocking
Implemented at system call boundary
– Standalone policy is added to package
– System calls are re-routed through a native library
Classic reference monitor
– Instrumentation is interesting
[Diagram: app code (bytecode) and the Aurasium policy sit above a native library that mediates calls into the kernel]

10 Aurasium: Implementation
Android app (.apk zip file): bytecode, XML manifest, native resources
Apktool
– Unzip the apk file
– Add .so to package (trivial)
– Disassemble the bytecode using open source tools
– Add policy bytecode
– Rewrite manifest to enter Aurasium component
[Diagram: the rewritten app carries an Aurasium component declaration in the manifest, the Aurasium native library and the Aurasium policy class]
High level details are the same for Android and Windows Phone
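The manifest steps above (list the permissions the app requests at install time, then rewrite the manifest so a monitoring component is entered before the app's own code) are small enough to show end to end. The following Python is an added example, not Aurasium's or the presenter's code: it parses a constructed AndroidManifest.xml with the standard library, reports which declared permissions a hypothetical enterprise policy wants monitored, and points the `<application>` element's `android:name` at an assumed monitor class while recording the original class in a `<meta-data>` entry (the key `policyweaver.original_application` and the class `org.example.monitor.MonitorApplication` are placeholders chosen here). The .so addition and the bytecode disassembly are outside this snippet.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)


def android_attr(name):
    """Fully qualified name of an android:* attribute for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed sample manifest; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:name=".ReaderApp" android:label="Reader">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Hypothetical policy input: permissions an enterprise wants a monitor for.
WATCHED_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALENDAR",
}

# Placeholder meta-data key used to remember the app's original Application class.
ORIGINAL_APP_KEY = "policyweaver.original_application"


def declared_permissions(manifest_xml):
    """Permissions the app asks for at install time, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [p.get(android_attr("name")) for p in root.findall("uses-permission")]


def watched_permissions(manifest_xml):
    """Subset of the declared permissions that the policy wants to monitor."""
    return sorted(p for p in declared_permissions(manifest_xml) if p in WATCHED_PERMISSIONS)


def weave_application_entry(manifest_xml, monitor_class):
    """Point android:name of <application> at the monitor class so it is
    instantiated before any app code, and record the original class in
    <meta-data> so the monitor can delegate to it.  Refuses to weave twice."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    original = app.get(android_attr("name"))
    if original == monitor_class:
        raise ValueError("manifest already woven")
    app.set(android_attr("name"), monitor_class)
    if original is not None:
        meta = ET.SubElement(app, "meta-data")
        meta.set(android_attr("name"), ORIGINAL_APP_KEY)
        meta.set(android_attr("value"), original)
    return ET.tostring(root, encoding="unicode")


def application_class(manifest_xml):
    """The Application class the manifest currently names."""
    root = ET.fromstring(manifest_xml)
    return root.find("application").get(android_attr("name"))


def original_application_class(manifest_xml):
    """The pre-weaving Application class recorded by weave_application_entry, or None."""
    root = ET.fromstring(manifest_xml)
    for meta in root.find("application").findall("meta-data"):
        if meta.get(android_attr("name")) == ORIGINAL_APP_KEY:
            return meta.get(android_attr("value"))
    return None


if __name__ == "__main__":
    woven = weave_application_entry(SAMPLE_MANIFEST, "org.example.monitor.MonitorApplication")
    print("watched permissions:", watched_permissions(SAMPLE_MANIFEST))
    print(woven)
```

Refusing a second weave matters in a store-side pipeline where the same package may be resubmitted: weaving twice would overwrite the recorded original class with the monitor's own name and break delegation.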

11 Mobile Weaver Architecture
App developer uploads a single app
Enterprise uploads a single policy
Weaver generator instantiates the correct weaver
– C# weaver for Windows Phone based on the Cecil instrumentation framework
– Java weaver for Android based on apktool
Insert bytecode into the app to conform to policy automaton
[Diagram: the enterprise policy feeds the weaver generator, which instantiates either the C# Cecil weaver or the Java apktool weaver]

12 Example Policies
Apps can write to storage, but they must clear storage upon being placed in the background
– Instrumentation of Android callbacks such as when the application is removed from the foreground
– Use cases: credit card reader apps, barcode scanners
Location data may be read, but it must not reach the network
– Use cases: navigation, location-based advertising
– Leverage the remarkably similar permission models of Windows Phone and Android to break connections from location-reading sources to network-facing sinks
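Slide 11 says the weaver inserts bytecode so the app conforms to a policy automaton, and slide 12 gives two such policies. The Python below is an added example, not the presenter's weaver: it models each policy as a small finite-state automaton and a "woven" call site as a guard that consults the automaton before the original call, refuses calls that would enter a bad state, and performs any action the transition requires (clearing storage on the background callback). The event names, the `WovenApp` class and the sample values are constructed for illustration; in the real system the guards would be emitted as bytecode around the corresponding API calls and lifecycle callbacks.

```python
class PolicyViolation(Exception):
    """Raised by a woven guard when the original call would violate the policy."""


class PolicyAutomaton:
    """Finite-state policy.  transitions maps (state, event) to
    (next_state, action); an unlisted pair keeps the current state.
    Entering a bad state is forbidden; an action names extra work the
    woven code must perform after the transition (e.g. clearing storage)."""

    def __init__(self, name, start, transitions, bad_states):
        self.name = name
        self.state = start
        self.transitions = transitions
        self.bad_states = bad_states
        self.log = []  # actions the guard has triggered so far

    def guard(self, event, original_call, handlers=None):
        """Stand-in for a woven call site: consult the automaton, refuse the
        call if it would enter a bad state, otherwise perform it, advance the
        state and run any required action."""
        next_state, action = self.transitions.get((self.state, event), (self.state, None))
        if next_state in self.bad_states:
            raise PolicyViolation("%s: '%s' in state '%s' is not allowed"
                                  % (self.name, event, self.state))
        result = original_call()
        self.state = next_state
        if action is not None:
            self.log.append(action)
            if handlers and action in handlers:
                handlers[action]()
        return result


def location_policy():
    """Location data may be read, but it must not reach the network."""
    return PolicyAutomaton(
        "location-not-to-network", "untainted",
        {("untainted", "read_location"): ("tainted", None),
         ("tainted", "send_network"): ("violation", None)},
        bad_states={"violation"})


def storage_policy():
    """Storage may be written, but must be cleared when the app is backgrounded."""
    return PolicyAutomaton(
        "clear-storage-on-background", "clean",
        {("clean", "write_storage"): ("dirty", None),
         ("dirty", "on_background"): ("clean", "clear_storage")},
        bad_states=set())


class WovenApp:
    """Toy app whose sensitive API calls and lifecycle callbacks have been
    wrapped by the weaver (hypothetical; stands in for instrumented bytecode)."""

    def __init__(self):
        self.storage = {}
        self.sent = []
        self.loc_policy = location_policy()
        self.store_policy = storage_policy()

    def read_location(self):
        # Constructed coordinates, not a real fix.
        return self.loc_policy.guard("read_location", lambda: (43.07, -89.40))

    def send_network(self, payload):
        return self.loc_policy.guard("send_network", lambda: self.sent.append(payload))

    def write_storage(self, key, value):
        self.store_policy.guard("write_storage", lambda: self.storage.__setitem__(key, value))

    def on_background(self):
        # Woven into the callback that fires when the app leaves the foreground.
        self.store_policy.guard("on_background", lambda: None,
                                handlers={"clear_storage": self.storage.clear})


def run_scenario():
    """Exercise both policies and return what an auditor would check."""
    app = WovenApp()
    fix = app.read_location()
    try:
        app.send_network({"loc": fix})
        blocked = False
    except PolicyViolation:
        blocked = True
    app.write_storage("scan", "token-1234")  # constructed value
    had_data = bool(app.storage)
    app.on_background()
    return {"network_blocked": blocked, "sent": list(app.sent),
            "had_data_before_background": had_data,
            "storage_after_background": dict(app.storage),
            "actions": list(app.store_policy.log)}


def network_without_location_allowed():
    """Network use is fine as long as no location has been read."""
    app = WovenApp()
    app.send_network({"ping": 1})
    return app.sent == [{"ping": 1}]
```

The location automaton is deliberately coarse: it treats any network send after any location read as a violation rather than tracking which bytes were derived from the fix. That is the conservative choice a store-side weaver can make without a full data-flow analysis, at the cost of blocking some harmless sends; the per-enterprise policy decides whether that trade-off is acceptable.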

13 Key Insights
Need rich, tailored policies to protect users at install time
Allow bytecode weaving instead of system call interposition
High-level, cross-platform policies

14 Status
Analysis framework that can statically check simple policies
– Uses Cecil for Windows Phone
– Uses apktool for Android
Stay tuned for more developments

15 Thanks! Questions?

16 Backup Slides

17 Mobile Architecture
Application code relies on runtime framework
Framework calls reach kernel via small set of native libraries
[Diagram: application code (bytecode, manifest) above the runtime framework (Java runtime API, JNI entry, C++ runtime API), the native libraries (libc, libm, ...) and the kernel]

18 Aurasium Interposition In Depth
Application code relies on runtime framework
Framework calls reach kernel via small set of native libraries
Overwrite the GOT with entries in a native library
[Diagram: application code (bytecode, manifest) above the Android application framework (Java runtime API, JNI entry, C++ runtime API), the native libraries (libc, libm, ...) and the Linux kernel; the Global Offset Table entries are redirected into the policy's native library]

19 Personal Use Statistics
~41% of US adults own a smartphone, 71% of adults 21-34 [Pew, February 2012]
Smartphones are personal
– 91% of users are within 3 feet of their smartphone 24 hours a day [Morgan Stanley, 2011]
– Average time on smartphone using apps: 57 minutes [O2, June 2012]
