Journal of KIISE (정보과학회 논문지)

Korean Institute of Information Scientists and Engineers (한국정보과학회)
권호 표지
DOI QR코드

DOI QR Code

Mandatory Access Control for Android Application Security

안드로이드 애플리케이션 보안 강화를 위한 강제적 접근 제어 기법

  • 나준승 (LG전자 연구원) ;
  • 김도윤 (아주대학교 컴퓨터공학과) ;
  • 박우길 (계명대학교 컴퓨터공학과) ;
  • 최영준 (아주대학교 정보컴퓨터공학과)
  • Received : 2015.03.02
  • Accepted : 2015.11.09
  • Published : 2016.03.15
⟨ Previous Next ⟩

Abstract

In this paper, we investigate the security issues of the Android platform which dominates the global market of smart mobile devices. The current permission model for Android security is not powerful and has two problems. One is the coarse-grained relationship between permissions and methods which require them. The other is that mobile users do not have rights to control the permissions of the application. To solve these problems, we propose MacDroid which can control the platform's resources for accessing installed applications. Users can control the application's behavior via MacDroid's policy. We have divided the permission set into method units. The results of the performance test using a pure Android platform show that our proposed scheme can improve security within a short time.

본 논문에서는 현재 스마트 모바일 장치의 운영체제 중 가장 많이 사용되고 있는 안드로이드의 보안에 대하여 연구하였다. 안드로이드의 보안 장치들 중 플랫폼 자원을 보호하기 위하여 제공되는 권한은 기능에 따라 세밀하게 권한을 조정할 수 없으며 사용자가 애플리케이션의 권한을 제한하지 못한다는 문제점을 가지고 있다. 이러한 문제점을 보완하고자 프레임워크 레벨에서 애플리케이션의 플랫폼 자원에 대한 접근 제어할 수 있도록 하는 MacDroid를 제안한다. MacDroid는 기존의 권한을 세분화하여 기능 단위로 정책을 설정하여 강제하며, 설정된 정책을 바로 애플리케이션의 행위에 적용이 가능하다. 기존의 플랫폼과 MacDroid를 적용한 플랫폼을 비교하여 적은 오버헤드로 애플리케이션의 플랫폼 자원 접근에 대하여 정책을 강제가 가능함을 확인하였다.

Keywords

Acknowledgement

Supported by : 한국연구재단

References

  1. Google Android [Online]. Available: http://www.android.com
  2. International Data Corporation (IDC) http://www.idc.com/prodserv/smartphone-os-market-share.jsp.
  3. Y. Zhou and X. Jiang, Dissecting Android Malware: Characte rization and Evolution, Dissecting Android Malware: Charact erization and Evolution, Proc. of IEEE Symposium on Security and Privacy, 2012.
  4. Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, Hey, "You, Get off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets," Proc. of the 19th Annual Symposium on Network and Distributed System Security, 2012.
  5. Ahnlab blog, "Explosive increase in Android malicious code," [Online]. Available: http://blog.ahnlab.com/asec/i/entry/547?TSSESSIONblogahnlabcom=1e4d4dde4b62504416d640071c0d1367, 2011.
  6. Di Cerbo, F. Girardello, A, Michahelles, F, and Voronkova, S. Detection of malicious applications on android os. Computational Forensics, pp. 138-149, 2010.
  7. Xu, R, Saidi, H, and Anderson, R., "Aurasium: Practical Policy Enforcement for Android Applications," USENIX Security Symposium, pp. 539-552, Aug. 2012.
  8. Android Malware Repository [Online]. Available: https://sites.google.com/site/androidmalrepo/home
  9. K. Harsha, Bharath M. Palavalli, Shrisha Rao, Ashwin Ashwin, "Lothlorien: Mandatory Access Control using Linux Security Modules," Proc. of the 3rd IEEE international conference on Internet multimedia services architecture and applications, pp. 211-216, 2009.
  10. Song Hyeongju, Kim Taeyeon, Park Jihun, Lee Baek, Lim Giyeong, "Inside Android," Wikibooks, pp. 411-424, 2011.
  11. Bartel, A, Klein, J, Le Traon, Y, and Monperrus, M., "Automatically securing permission-based software by reducing the attack surface: An application to android," Proc. of the 27th IEEE/ACM International Conference on Automated Software Engineering, pp. 274-277, Sep. 2012.
  12. Bousquet, A, Briffaut, J, Clevy, L, Toinard, C, and Venelle, B., "Mandatory Access Control for the Android Dalvik Virtual Machine," 2013-USENIX Federated Conferences, ESOS: Workshop on Embedded Self-Organizing Systems, Jun. 2013.
  13. Smalley, Stephen, and Robert Craig, "Security Enhanced (SE) Android: Bringing Flexible MAC to Android," NDSS, Vol. 310, Feb. 2013.
  14. Bugiel, S., Heuser, S. and Sadeghi, A. R., "Flexible and Fine-grained Mandatory Access Control on Android for Diverse Security and Privacy Policies," Usenix security, pp. 131-146, Aug. 2014.
  15. Backes, M., Bugiel, S, Gerling, S, and von Styp-Rekowsky, P., "Android security framework: Enabling generic and extensible access control on android," arXiv preprint arXiv, pp. 1404.1395, 2014.
  16. Zhauniarovich, Y, Russello, G, Conti, M., Crispo, B. and Fernandes, E., "MOSES: supporting and enforcing security profiles on smartphones," Dependable and Secure Computing, IEEE Transactions on, Vol. 11, No. 3, pp. 211-223, 2014. https://doi.org/10.1109/TDSC.2014.2300482
  17. Enck, W, Gilbert, P, Han, S, Tendulkar, V, Chun, B. G, Cox, L. P. and Sheth, A. N., "TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones," ACM Transactions on Computer Systems (TOCS), Vol. 32, No. 2, 2014.
  18. Felt, A. P., Chin, E., Hanna, S., Song, D., and Wagner, D., "Android permissions demystified," Proc. of the 18th ACM conference on Computer and communications security, pp. 627-638, Oct. 2011.
  19. Chin, E, Felt, A. P, Greenwood, K, and Wagner, D, "Analyzing Inter-Application Communication in Android," Proc. of the 9th international conference on Mobile systems, applications, and services, pp. 239-252. 2011.
  20. James Steele, Neison To, "The Android Developer's Cookbook," Pearson Education, Inc. pp. 243, 2010.
  21. Bartel, A, Klein, J, Le Traon, Y, and Monperrus, M, "Automatically Securing Permission-Based Software by Reducing the Attack Surface: An Application to Android," Proc. of the 27th IEEE/ACM International Conference On Automated Software Engineering, 2012.
  22. Vidas, T, Christin, N, and Cranor, L, "Curbing Android Permission Creep," Proc. of the 2011 Web 2.0 Security and Privacy Workshop (W2SP 2011), Oakland, CA. 2011.
  23. Android snippets. Encript/Decrypt Strings [Online]. Available: http://www.androidsnippets.com/encryptdecrypt-strings