1 What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources
Literature by S. Demetriou et al. Presented by Emma Hu

2 Motivation
 Increased use of smartphone accessories such as Bluetooth earpieces, health devices and fitness bands
 Increase in malicious attacks on them
 Previous studies show that external devices connected to Android are vulnerable

3 Background
 Android security model: a discretionary access control (DAC) system (Linux UIDs plus app permissions)
 SEAndroid (Security Enhanced Android): a mandatory access control (MAC) system layered on top of Android's DAC
 Security context: user:role:domain or type[:level], mapped to a SID

4 Problem
 SEAndroid does not have the granularity to control access to external resources
 Examples: Bluetooth, NFC, SMS, audio port

5 Results
 SMS
 SMSDispatcher broadcasts an incoming message to every app that registers for the event and holds the RECEIVE_SMS permission
 SMS and MMS content is fully exposed to any app holding READ_SMS or RECEIVE_SMS
 Audio
 Devices connected to the phone's audio jack are completely unprotected
 NFC
 5 of 17 popular NFC apps store sensitive information on the tag
 No authentication or encryption protects it

6 Table 1: analysis of 13,500 top apps from Google Play. Figure 1: example of a Bluetooth app

7 SEACAT
 Employs a hybrid MAC and DAC approach
 Extends SEAndroid's MAC to protect resources that carry a distinct identifier, e.g. SMS sender numbers, NFC tags
 Adds a DAC module that lets the user and the app developer specify interaction rules between apps and devices
 Focuses on protecting the Bluetooth, audio, NFC, Internet and SMS channels

8 Details
 Challenges
 SEAndroid does not model external resources
 Integration with the existing Android DAC and SEAndroid MAC
 Design and implementation
 Policy specification: new categories of types, e.g. BT_type, NFC_type
 App labelling: grant trusted apps the types (and so the permissions) the policy expects
 External resource labelling: bind a device identifier (e.g. a Bluetooth address or phone number) to a type

9 Fig 2. Screenshot of SEACAT App labelling and Device labelling

10 Fig 3. SEACAT Architecture

11 Fig 4. SEACAT Security hook
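The slides above describe the pieces (security contexts, typed labels on apps and on identified resources, a MAC policy plus user-written DAC rules, and a hook in front of dispatchers such as SMSDispatcher) but not how they fit together at decision time. The following is an added toy model written for this summary, not SEACAT's code. The type names, the `allow subject object_type:class perm` rule syntax, the sample identifiers, and the ordering of checks (MAC label first, then a DAC rule, then the stock Android permission check for anything unlabelled) are assumptions made for the example.

```python
"""Toy model of a SEACAT-style hybrid MAC/DAC check on external resources.

Added illustration, not SEACAT's code. Type names, rule syntax, identifiers
and the MAC -> DAC -> stock-Android check ordering are assumptions.
"""
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class SecurityContext(NamedTuple):
    """SEAndroid context user:role:type[:level], e.g. "u:r:untrusted_app:s0"."""
    user: str
    role: str
    type: str
    level: Optional[str] = None

    @classmethod
    def parse(cls, ctx: str) -> "SecurityContext":
        parts = ctx.split(":")
        if len(parts) not in (3, 4):
            raise ValueError(f"malformed security context: {ctx!r}")
        return cls(*parts)


# (subject type, object type, object class, permission), in the spirit of
# "allow bank_app bank_sms_type:sms receive" (assumed syntax).
AllowRule = Tuple[str, str, str, str]


class SeacatPolicy:
    def __init__(self) -> None:
        self.allow: Set[AllowRule] = set()
        # MAC side: labels fixed at policy-build time, keyed by
        # (object class, identifier such as a phone number or Bluetooth address).
        self.mac_labels: Dict[Tuple[str, str], str] = {}
        # DAC side: rules the user/developer adds at run time,
        # keyed by (app type, object class, identifier) -> permit?
        self.dac_rules: Dict[Tuple[str, str, str], bool] = {}

    def add_allow(self, rule: str) -> None:
        keyword, subject, target, perm = rule.split()
        if keyword != "allow":
            raise ValueError(f"unsupported rule: {rule!r}")
        obj_type, obj_class = target.split(":")
        self.allow.add((subject, obj_type, obj_class, perm))

    def check(self, app_ctx: str, obj_class: str, identifier: str, perm: str,
              android_permission_ok: bool) -> Tuple[bool, str]:
        """Return (allowed, layer that decided)."""
        subject = SecurityContext.parse(app_ctx).type
        obj_type = self.mac_labels.get((obj_class, identifier))
        if obj_type is not None:
            # Labelled resource: closed-world type enforcement, deny unless allowed.
            return (subject, obj_type, obj_class, perm) in self.allow, "mac"
        dac = self.dac_rules.get((subject, obj_class, identifier))
        if dac is not None:
            return dac, "dac"
        # Unmodelled resource: fall back to the stock Android permission check,
        # i.e. exactly the behaviour slide 5 criticises.
        return android_permission_ok, "android"


def dispatch_sms(policy: SeacatPolicy, sender: str,
                 apps: List[Tuple[str, bool]]) -> List[str]:
    """SMSDispatcher with the hook in front: apps are (context, holds RECEIVE_SMS)."""
    delivered = []
    for ctx, has_receive_sms in apps:
        ok, _ = policy.check(ctx, "sms", sender, "receive", has_receive_sms)
        if ok:
            delivered.append(SecurityContext.parse(ctx).type)
    return delivered


# Constructed sample data for the demo (not from the paper).
BANK_NUMBER = "+15550001"        # sender labelled under the MAC policy
UNLABELLED_NUMBER = "+15559999"  # any other sender
BAND_ADDR = "AA:BB:CC:DD:EE:01"  # fitness band the user paired and wrote DAC rules for
DEMO_APPS = [("u:r:bank_app:s0", True), ("u:r:untrusted_app:s0", True)]


def build_demo_policy() -> SeacatPolicy:
    p = SeacatPolicy()
    p.add_allow("allow bank_app bank_sms_type:sms receive")
    p.mac_labels[("sms", BANK_NUMBER)] = "bank_sms_type"
    p.dac_rules[("fitness_app", "bt_socket", BAND_ADDR)] = True
    p.dac_rules[("untrusted_app", "bt_socket", BAND_ADDR)] = False
    return p


if __name__ == "__main__":
    pol = build_demo_policy()
    print(dispatch_sms(pol, BANK_NUMBER, DEMO_APPS))        # ['bank_app']
    print(dispatch_sms(pol, UNLABELLED_NUMBER, DEMO_APPS))  # ['bank_app', 'untrusted_app']
    print(pol.check("u:r:untrusted_app:s0", "bt_socket", BAND_ADDR, "connect", True))  # (False, 'dac')
```

The point of the model is the two failure modes it makes visible: an app that holds RECEIVE_SMS still does not see a message from a labelled number unless a type-enforcement rule says so, while a message from an unlabelled number is broadcast exactly as stock Android does it. Likewise, a Bluetooth address the user has written a rule for is decided by that rule, and one nobody labelled falls back to the ordinary BLUETOOTH permission, which is why the slides stress that audio devices, which carry no usable identifier, get no MAC protection at all.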

12 SEACAT Results
 Effectiveness
 Successfully prevents unauthorised access to the labelled resources
 Performance
 Overhead is mostly negligible
 Largest overhead is 279.9 ms (of 1434.4 ms total) for Bluetooth pairing

13 Paper Summary
 Android's security model was not designed to handle external resources
 SEACAT is introduced as a new security system that extends Android's security model
 It combines MAC and DAC across the different Android layers

14 Issues and Improvements
 The paper only looks at Bluetooth, NFC, audio, SMS and Internet
 It does not account for other channels such as wireless (Wi-Fi) and infrared
 It offers no MAC protection for audio devices, because it cannot distinguish between types of audio device
 Only one audio device (Jawbone UP) was analysed
 The user or developer has to construct security rules and policies by hand, which hurts usability
 It does not protect against spoofing of device identifiers
 SEACAT assumes the kernel is not compromised

15 References
 [1] Demetriou, S., Zhou, X. Y., Naveed, M., Lee, Y., Yuan, K., Wang, X., & Gunter, C. A. (2015). What's in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources. In NDSS.
 [2] Demetriou, S. (2014). Android at risk: current threats stemming from unprotected local and external resources.
