Survey on Access Control Mechanism in Android - IRD India

7 downloads 90608 Views 259KB Size Report
applications. Each Android application executes in a ... In addition to Android defined permissions, application ... system resources, including calling system API.
International Journal of Electrical, Electronics and Computer Systems (IJEECS) ________________________________________________________________________________________________

Survey on Access Control Mechanism in Android 1

Shekhar K. Shende, 2Kailas R. Patil

1,2

1,2

Department of Computer Engineering Vishwakarma Institute of Information Technology Pune, Maharashtra, India Email: [email protected], [email protected]

Abstract -Now a day’s smart phones became very popular and ubiquitous in our daily lives. Statistics shows more than 1.08 billion smart phone users in the world .Due to the more advancement in mobile technology, we can use Internet easily and we can access the websites as we do access using computer. Despite positive scenario sometimes, especially teen agers are wasting their time on Internet to just surfing the websites which are not more useful for them and that might affect to their academic growth. According to a survey lot of work have been focused to restrict application permissions based on user profile. However there is lack of mechanism that can restrict Internet access on site basis similar to application layer firewall. This paper present comprehensive coverage of different techniques and apps available in google play store used to provide access control mechanism. Keywords: Android, sensitive data, access control, android permission

I. INTRODUCTION Android continues to dominate the global Smartphone market. Statistics shows over 255 million units shipped and nearly 85% of the market share in the second quarter of 2014.Study also shows people spend more time on Smartphone‟s than PCs .It seems like nowadays people can‟t go anywhere without their Smartphone‟s. Along with the basic functionality, student can text, surf social websites, check emails, and watch videos. This is one of the sources of distraction. Survey shows [17]34% of teens have used their Smartphone during mealtimes, 47% of teens admitted using or answering their Smartphone while in the bathroom, 65% of teens say they have used their Smartphone while socializing with others. Negative impact of Smartphone: A. Education: Use of Smartphone‟s to access information online to cheat in exams. The misuse of Smartphone could be through the use of text message exchange with. classmates, get answers on the Internet, use of advanced calculator and educational application.

B. Health: Disconnect kids from the true essence of social communication. For instance, games and other popular applications designed for kids may discourage them from interacting people around them. Excessive exposure of these devices in early age can cause poor eye sight for kids. Online and video games are addicting and kids may easily get addicted and spend hours playing games and this may be awful when they have Smartphone with them everywhere they go. C. Psychological: If we want to do any simple multiplication, instead of calculating by ourselves we used to calculate using calculator. It is like waiting for elevator to take you to first floor of building instead of stairs. We can say Smartphone‟s are the mental elevators which takes useful function off the brain. platform are not sufficient to protect the users from such attacks. D. Social Addiction to Smartphone is major impact on social life. Smartphone addiction is interfering with our night„s sleep. Now it is become habitual to tuck their Smartphone‟s under their pillows. Smartphone‟s enables student to access irrelevant. The paper is organized in following sections. section I gives brief introduction about the consequence of excessive use of Smartphone, section II contains background about android security, section III and V contains online survey and the results.

II. ANDROID SECURITY Android is a open source operating system. It consists of an operating system, an application framework, and core applications. Each Android application executes in a separate Dalvik virtual machine. Each application assigned unique UID. Thus applications are essentially isolated. Android restricts accesses to critical resources using permissions. A permission is simply a unique text

________________________________________________________________________________________________ ISSN (Online): 2347-2820, Volume -3, Issue-4 2015 22

International Journal of Electrical, Electronics and Computer Systems (IJEECS) ________________________________________________________________________________________________ string which can be defined by Android or third party developers. According to the documentation for Android developers, there are currently 130 permissions (Android, 2013b), which are defined in Android operating system, ranging from access to camera (CAMERA), dialing a phone number (CALL_PHONE) full access to the gallery (READ_EXTERNAL_STORAGE). According to the study of Wei et al. (2012), the number of Android defined permissions keeps increasing since the first widely-used release (API level 3).The expansion of the permission set aims at not only providing finer-grained permissions but also controlling accesses to new hardware features [15].

applications access components by evaluating whether the applications are granted with necessary permissions

III. ONLINE SURVEY To understand a need of access control system for child safety, we conducted online survey. The aim of survey was to get overview parent's concern about their child safety over Internet. We used google docs to create the form and collect the responses from he parents. The survey questions included: Does your kid use a Smartphone? Would you like to know what he do on internet? Would you like to control game usage of your kid? Would you like to control app usage as well as control on installing app? Would you like to set time limit on app usage?

IV.RESULTS 1.Does your kid use a Smartphone?

Fig: Android architecture In addition to Android defined permissions, application developers can also declare customized permissions so as to protect their own critical resources. Permissions may be required when an application is interacting with system resources, including calling system API functions, and reading from and writing to file system. Granted permissions are assigned to an application‟s sandbox and inherited by all of the application‟s components, while required permissions are assigned to application components [16]. In the manifest file of an application, which is included in the application package, the application declares the permissions which it requires to achieve its functionality, as well as defines the permissions for protecting its own components and resources. At install-time, a user is shown with a list of permissions which an application requests. The user must either grant or deny all of these permissions together. After the user approves the permission request and installs the application. Once the permission granted cannot be revoked and it does not need to check the permission every time . Android manages InterComponent Communication (ICC) through a reference monitor. The reference monitor provides a Mandatory Access Control (MAC) enforcement on how

2. Would you like to know what he/she do on internet?

3. Would you like to keep control on apps which he uses as well as control on installing app?

Based on the collected responses we can analyze that parents are concerns about child safety,they need a access control mechnism for childs.Morover parents

________________________________________________________________________________________________ ISSN (Online): 2347-2820, Volume -3, Issue-4 2015 23

International Journal of Electrical, Electronics and Computer Systems (IJEECS) ________________________________________________________________________________________________ want to limit the applicatin usage as well as website usage.

V. RELATED WORK Some access control system are discussed below. some[1][2]control access based on context, some[4][5][11] modifies permission mechanisms MOSES [1] is a policy-based framework that enforces software isolation of applications and data on the Android platform. It first detects the context based on longitude, latitude and time. After context is detected, corresponding security profile is attached with the active context. Security profile contains list of application corresponding to it. Drawback is if any application with root access can bypass the MOSES security as well as application can have same shared UID, if some policy is applied to one application then it will be applied to other application which has same UID. TaintDroid [12] tracks the flow of privacy sensitive data through third-party applications. It detect when sensitive data leaves the system via un trusted applications and to facilitate analysis of applications by phone users or external security. It tracks only the data flow of data and it does not track control flow of data i.e. how third party application takes control of permission provided to the legitimate application. Apex[11] provides fine-grained framework for user to selectively grant permission to applications as well as it imposes restriction on resource usage .However user should be aware of applications policy to grant or revoke permission. If user is unaware of policy of application and if he restrict applications permission then the performance might be degraded MockDroid [8]is a modified version of the Android OS which allows a user to „mock‟ an application‟s access to a particular resource. This approach allows user to revoke access to specific resources at run-time. However Mockdroid doesn't consider all permission requested by application and in-cures YASSE[9] provides finegrained access control over apps using a policy based framework. It gives control to user to set the policies to different applications. For example it gives control over what kind of images app can access, which sites app can access over the internet. Drawback is Every time when you run the application, the permission needs to be checked. This degrades the performance of the device. TISSA[16]Provides users a flexibility controls the what kind of personal information will be provided to the application at a runtime. When application needed a some information user can give a bogus information if he thinks requested application is not legitimate. However by providing bogus information to application, the performance of the application will be degraded.

Bugie et. al.[10] provides isolations at different layers of The android software stack:1)at the middleware layer to prevent inter-domain application communication & data access 2)at kernel layer to enforce mandatory access control on file system & on inter-process communication channels and 3)at the h/w layer to mediate n/w traffic, for instance allows n/w to be only read by a particular domain, or enables basic, contextbased policies such as preventing internet access by un trusted application while an employee is connected to the company‟s n/w. However it adds runtime overhead, affect battery life-time. App summary: 1) Kids Place Kids Place is an app launcher that opens a fully customized interface, with only granted apps are available and options to filter out other apps. It also blocks the installation of app, in app purchases, and access to the Android marketplace. It is protected with four digit secure pin Summary: Adding Apps Controlled by Parent – Yes Ability to Turn Off In-App Purchasing – Yes Ability to Control Access to Marketplace – Yes Browser Built-In to Filter Content – Yes Time Restrictions Available – No Prevents Texting While Driving – No Ideal for Kids or Teens – Kids 2) MMGuardian The MMGuardian app allows parents to set restrictions on text/sms, app usage, prevents while driving. It is ideal for teen who uses android phone. Summary: Adding Apps Controlled by Parent – Yes Ability to Turn Off In-App Purchasing – No Ability to Control Access to Marketplace – Yes Browser Built-In to Filter Content – No Time Restrictions Available – Yes Prevents Texting While Driving – Yes Ideal for Kids or Teens – Teens

________________________________________________________________________________________________ ISSN (Online): 2347-2820, Volume -3, Issue-4 2015 24

International Journal of Electrical, Electronics and Computer Systems (IJEECS) ________________________________________________________________________________________________ 3)Famigo

Ideal for Kids or Teens – Teens

Famigo lets the user create a separate environment of specific apps and restricts access to the Android store. The app also includes Famigo browser which provides in-built content filtering facility.

6)Safe Browser

Summary: Adding Apps Controlled by Parent – Yes

Safe Browser is a browser app designated to filtering out adult web content and enabling parents to set their own custom lists of restricted websites Summary: Adding Apps Controlled by Parent – No

Ability to Turn Off In-App Purchasing – Yes Ability to Turn Off In-App Purchasing – No Ability to Control Access to Marketplace – Yes Ability to Control Access to Marketplace – No Browser Built-In to Filter Content – Yes Browser Built-In to Filter Content – Yes Time Restrictions Available – No Time Restrictions Available – No Prevents Texting While Driving – No Prevents Texting While Driving – No Ideal for Kids or Teens – Kids Ideal for Kids or Teens – Teens 4) NetNanny

VI. CONCLUSION Net Nanny allows browser to filter content via remote machine. Summary: Adding Apps Controlled by Parent – Yes Ability to Turn Off In-App Purchasing – No Ability to Control Access to Marketplace – Yes Browser Built-In to Filter Content – Yes

In this paper we have presented comprehensive coverage on different access control techniques in android. Some researcher does the research on flexible and fine-grained access control by providing a permission granting and revoking facility to user at runtime. Another technique which separates sensitive and private data from un trusted applications based on context. We have seen apps which does the content filtering, limits app usage, time limit.

REFERENCES

Time Restrictions Available – Yes Prevents Texting While Driving – No

[1].

Yury Zhauniarovich, Giovanni Russello, Mauro Conti,Bruno Crispo, and Earlence Fernandes,“MOSES: Supporting and Enforcing Security Profiles on Smartphones”, IEEE transactions on dependable and secure computing,vol. 11, no. 3, may-june 2014

[2].

Shebaro, Bilal Oluwatimi, Oyindamola Bertino, Elisa,”Context-based Access Control Systems for Mobile Devices”,IEEE Transactions on Dependableand Secure Computing,2014

[3].

S. Smalley and R. Craig, “Security Enhanced (SE) Android: Bringing flexible MAC to Android,” Proc. 20th Ann. Network and Distributed System Security Symp. , 2013

[4].

Franziska Roesner, Tadayoshi Kohno,Alexander Moshchuk, Bryan Parno, Helen J.Wang,”UserDriven Access Control: Rethinking Permission Granting in Modern Operating Systems”,2012 IEEE Symposium on Security and Privacy,2012

Ideal for Kids or Teens – Kids 5)Screen Time The function of screen time is to limit app usage and set the time limit on apps. Summary: Adding Apps Controlled by Parent – Yes Ability to Turn Off In-App Purchasing – No Ability to Control Access to Marketplace – Yes Browser Built-In to Filter Content – Yes Time Restrictions Available – Yes Prevents Texting While Driving – No

________________________________________________________________________________________________ ISSN (Online): 2347-2820, Volume -3, Issue-4 2015 25

International Journal of Electrical, Electronics and Computer Systems (IJEECS) ________________________________________________________________________________________________ [5].

Melo, Leonardo Leite De,”PUPDroid Personalized User Privacy Mechanism for Android .”,2012 IEEE International Conference on Systems,Man, and Cybernetics October 1417, 2012, COEX,2012

[6].

Gibler, J. Crussell, J. Erickson, and H. Chen, “AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications 11

[7].

[8].

[9].

Enck, William,”Defending Users Against Smartphone Apps: Techniques and Future Directions”,ICISS‟11 Proceedings of the 7th international conference on Information Systems Security, 2011 A.R. Beresford, A. Rice, and N. Skehin, “MockDroid: Trading Privacy for Application Functionality on Smartphones”, Proc. 12Th Workshop Mobile Computing Systems and Applications 2011 G. Russello, B. Crispo, E. Fernandes, and Y. Zhauniarovich, “YAASE: Yet Another Android Security Extension”, Proc. IEEE Third Int‟l Conf. Social Computing and Privacy, Security, Risk and Trust 2011

[10]. Bugiel, Sven avi, Lucas Dmitrienko, Alexandra Heuser, Stephan Sadeghi,Ahmad-RezaShastry, Bhargava,”Practical and lightweight domain isolation on Android”,Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices - SPSM ‟11, 2011

[11]. M. Nauman, S. Khan, and X. Zhang, “Apex: Extending Android Permission Model and Enforcement with User-Defined Runtime Constraints”, Proc. Fifth ACM Symp. Information, Computer And Comm.Security 2010 [12]. W. Enck, P. Gilbert, B.-G. Chun, L.P. Cox, J. Jung, P. McDaniel, And A.N. Sheth,“Taintdroid: An Information-Flow Tracking System forRealtime Privacy Monitoring on smartphones”, Proc.Ninth USENIX Conf. Operating Systems Design and Implementation 2010 [13]. Asaf Shabtai , y fedlel “Google Android: A Stateof-the-Art Review of Security Mechanisms“2009 [14]. Wei X, Gomez L, Neamtiu I, Faloutsos M. Permission evolution in the android ecosystem. In: Proc. of ACSAC. ACM; 2012. [15]. Bugiel S, Davi L, Dmitrienko A, Fischer T, Sadeghi A. XManDroid: a new Android evolution to mitigate privilege Escalation attacks. Technische Universita¨t Darmstadt; 2011a [Technical Report; Technical Report TR2011-04] [16]. Zhou, Yajin Zhang, Xinwen Jiang, Xuxian Freeh, Vincent W “Taming Information-Stealing Smartphone Applications (on Android )” , TRUST'11 Proceedings of the 4th international conference on Trust and trustworthy computing, 2011 [17]

www.play.google.com



________________________________________________________________________________________________ ISSN (Online): 2347-2820, Volume -3, Issue-4 2015 26