Towards Unified Authorization for Android (bibtex)
by Michael J. May, Karthikeyan Bhargavan
Abstract:
Android applications that manage sensitive data such as email and files downloaded from cloud storage services need to protect their data from malware installed on the phone. While prior security analyses have focused on protecting system data such as GPS locations from malware, not much attention has been given to the protection of application data. We show that many popular commercial applications incorrectly use Android authorization mechanisms leading to attacks that steal sensitive data. We argue that formal verification of application behaviors can reveal such errors and we present a formal model in ProVerif that accounts for a variety of Android authorization mechanisms and system services. We write models for four popular applications and analyze them with ProVerif to point out attacks. As a countermeasure, we propose Authzoid, a sample standalone application that lets applications define authorization policies and enforces them on their behalf.
Reference:
Towards Unified Authorization for Android (Michael J. May, Karthikeyan Bhargavan), In 5th International Symposium on Engineering Secure Software and Systems (ESSoS 2013), Springer Verlag, volume 7781, 2013.
Bibtex Entry:
@string{spv="Springer Verlag"}
@inproceedings{MayBhargavan2013,
  author    = {Michael J. May and Karthikeyan Bhargavan},
  title     = {Towards Unified Authorization for Android},
  booktitle = {5th International
               Symposium on Engineering Secure Software and Systems (ESSoS 2013)},
  year      = {2013},
	abstract = {Android applications that manage sensitive data such as email and files downloaded from cloud storage services need to protect their data from malware installed on the phone. While prior security analyses have focused on protecting system data such as GPS locations from malware, not much attention has been given to the protection of application data. We show that many popular commercial applications incorrectly use Android authorization mechanisms leading to attacks that steal sensitive data. We argue that formal verification of application behaviors can reveal such errors and we present a formal model in ProVerif that accounts for a variety of Android authorization mechanisms and system services. We write models for four popular applications and analyze them with ProVerif to point out attacks. As a countermeasure, we propose Authzoid, a sample standalone application that lets applications define authorization policies and enforces them on their behalf.},
	publisher = spv,
	series = llncs,
	volume = {7781},
	pages = {42-57}
}
Powered by bibtexbrowser