Compac: enforce component-level access control in android

Authors:
Yifei Wang;Srinivas Hariharan;Chenxi Zhao;Jiaming Liu;Wenliang Du
Affiliations:
Syracuse University, Syracuse, NY, USA;Syracuse University, Syracuse, NY, USA;Syracuse University, Syracuse, NY, USA;Syracuse University, Syracuse, NY, USA;Syracuse University, Syracuse, NY, USA
Venue:
Proceedings of the 4th ACM conference on Data and application security and privacy
Year:
2014

Citing 26
Cited 0

Efficient software-based fault isolation

SOSP '93 Proceedings of the fourteenth ACM symposium on Operating systems principles
Native Client: A Sandbox for Portable, Untrusted x86 Native Code

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
On lightweight mobile phone application certification

Proceedings of the 16th ACM conference on Computer and communications security
Semantically Rich Application-Centric Security in Android

ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Apex: extending Android permission model and enforcement with user-defined runtime constraints

ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Robusta: taming the native beast of the JVM

Proceedings of the 17th ACM conference on Computer and communications security
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones

OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
CRePE: context-related policy enforcement for android

ISC'10 Proceedings of the 13th international conference on Information security
A study of android application security

SEC'11 Proceedings of the 20th USENIX conference on Security
Permission re-delegation: attacks and defenses

SEC'11 Proceedings of the 20th USENIX conference on Security
Quire: lightweight provenance for smart phone operating systems

SEC'11 Proceedings of the 20th USENIX conference on Security
Practical and lightweight domain isolation on Android

Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Android permissions demystified

Proceedings of the 18th ACM conference on Computer and communications security
These aren't the droids you're looking for: retrofitting android to protect data from imperious applications

Proceedings of the 18th ACM conference on Computer and communications security
Attacks on WebView in the Android system

Proceedings of the 27th Annual Computer Security Applications Conference
User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems

SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
Dissecting Android Malware: Characterization and Evolution

SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
Aurasium: practical policy enforcement for Android applications

Security'12 Proceedings of the 21st USENIX conference on Security symposium
AdSplit: separating smartphone advertising from applications

Security'12 Proceedings of the 21st USENIX conference on Security symposium
DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis

Security'12 Proceedings of the 21st USENIX conference on Security symposium
Dr. Android and Mr. Hide: fine-grained permissions in android applications

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
AdDroid: privilege separation for applications and advertisers in Android

Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security
AppGuard: enforcing user requirements on android apps

TACAS'13 Proceedings of the 19th international conference on Tools and Algorithms for the Construction and Analysis of Systems
On the effectiveness of API-level access control using bytecode rewriting in Android

Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
AFrame: isolating advertisements from mobile applications in Android

Proceedings of the 29th Annual Computer Security Applications Conference
Flexible and fine-grained mandatory access control on Android for diverse security and privacy policies

SEC'13 Proceedings of the 22nd USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

In Android applications, third-party components may bring potential security problems, because they have the same privilege as the applications but cannot be fully trusted. It is desirable if their privileges can be restricted. To minimize the privilege of the third-party components, we develop Compac to achieve a fine-grained access control at application's component level. Compac allows developers and users to assign a subset of an application's permissions to some of the application's components. By leveraging the runtime Java package information, the system can acquire the component information that is running in the application. After that, the system makes decisions on privileged access requests according to the policy defined by the developer and user. We have implemented the prototype in Android 4.0.4, and have conducted a comprehensive evaluation. Our case studies show that Compac can effectively restrict the third-party components' permissions. Antutu benchmark shows that the overall score of our work achieves 97.4%, compared with the score of the original Android. In conclusion, Compac can mitigate the damage caused by third-party components with ignorable overhead.