An Efficient Cryptographic Protocol Verifier Based on Prolog Rules
CSFW '01 Proceedings of the 14th IEEE workshop on Computer Security Foundations
Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Language-based security on Android
Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security
On lightweight mobile phone application certification
Proceedings of the 16th ACM conference on Computer and communications security
Apex: extending Android permission model and enforcement with user-defined runtime constraints
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Proceedings of the 17th ACM conference on Computer and communications security
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
CRePE: context-related policy enforcement for android
ISC'10 Proceedings of the 13th international conference on Information security
Privilege escalation attacks on android
ISC'10 Proceedings of the 13th international conference on Information security
Permission re-delegation: attacks and defenses
SEC'11 Proceedings of the 20th USENIX conference on Security
Quire: lightweight provenance for smart phone operating systems
SEC'11 Proceedings of the 20th USENIX conference on Security
Android permissions demystified
Proceedings of the 18th ACM conference on Computer and communications security
Proceedings of the 18th ACM conference on Computer and communications security
DroidChecker: analyzing android applications for capability leak
Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks
Is this app safe?: a large scale study on application permissions and risk signals
Proceedings of the 21st international conference on World Wide Web
WISTP'12 Proceedings of the 6th IFIP WG 11.2 international conference on Information Security Theory and Practice: security, privacy and trust in computing systems and ambient intelligent ecosystems
Aurasium: practical policy enforcement for Android applications
Security'12 Proceedings of the 21st USENIX conference on Security symposium
AdSplit: separating smartphone advertising from applications
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Web-based attacks on host-proof encrypted storage
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Hi-index | 0.00 |
Android applications that manage sensitive data such as email and files downloaded from cloud storage services need to protect their data from malware installed on the phone. While prior security analyses have focused on protecting system data such as GPS locations from malware, not much attention has been given to the protection of application data. We show that many popular commercial applications incorrectly use Android authorization mechanisms leading to attacks that steal sensitive data. We argue that formal verification of application behaviors can reveal such errors and we present a formal model in ProVerif that accounts for a variety of Android authorization mechanisms and system services. We write models for four popular applications and analyze them with ProVerif to point out attacks. As a countermeasure, we propose Authzoid, a sample standalone application that lets applications define authorization policies and enforces them on their behalf.