Published by Brenda Wood. Modified over 6 years ago.
1
AppShield: Enabling Multi-entity Access Control Cross Platforms for Mobile App Management
Zhengyang Qu¹, Guanyu Guo², Zhengyue Shao², Vaibhav Rastogi³, Yan Chen¹, Hao Chen⁴, Wangjun Hong¹
¹ Northwestern University; ² Zhejiang University; ³ University of Wisconsin, Madison; ⁴ University of California, Davis
2
Android OS dominance
Android is the most dominant smartphone OS, which can be attributed to the wide availability of mobile applications from application marketplaces such as Google Play.
[Figure: Mobile OS Market Share, by dazeinfo.com]
3
Android malware/spyware
4
Birth of bring-your-own-device
- Enterprise Mobility Management (EMM)
  - Overall ecosystem: content analysis, social media integration
- Mobile Application Management (MAM)
  - Application Delivery Security and Policy
- Mobile Device Management (MDM)
  - OS Management and Control
5
Policies required in BYOD
6
Outline
- Introduction
- Motivation
- System Overview
- Evaluation
- Conclusion
7
Common deployment of MAM
- Application rewriting (Mocana, AirWatch)
  - Works on all devices, NOT on all applications
- SDK (Good, Citrix, AirWatch)
  - Works on all applications, but needs extra developer support
- OS modification (Android for Work on Android 5.0 and above)
  - Dependencies on OS versions or customization
  - Limitation of portability
8
Android segmentation
[Figure: Android OS distribution snapshot in March 2015 and September 2016]
9
Desired system
- Generality
  - Convert any personal app to a business version
  - Ability to enforce arbitrary access control policies
    - Multi-entity management, role-based access control (RBAC), granularity…
- Portability
  - No modifications to (or dependencies on) the OS
- Completeness
  - Stealthy channels: reflection, native code, dynamic loading
- Cross-platform
  - Extend to other platforms, e.g. iOS
10
Challenges
- Lack of OS support
  - Android storage mechanism supports either data sharing or data isolation alone
- Diversity of data access behavior
  - Native code, Java reflection, dynamic loading
- Performance penalty
  - Popular resource virtualization-based solutions have scalability issues
Android KitKat 4.4 enables the private external SD card. Cannot assume the OS version. Sharing is difficult.
11
Contributions
- A proxy-based data access mechanism to enforce arbitrary access policies without OS dependency
- An application rewriting mechanism that injects MAM features by hooking system calls to achieve complete mediation
- A prototype system with low latency and resource consumption
12
Outline
- Introduction
- Motivation
- System Overview
- Evaluation
- Conclusion
13
Security model
14
Application rewriting
- Application decompilation
- Native
  - Customized system calls, e.g., ioctl(), open()
  - Override Global Offset Table (GOT)
- Bytecode
  - Service: wrap the app, overwrite the GOT before app starts
  - Activity: message popup, e.g., policy violation
- Manifest file
  - Declaring the injected Service and Activity
  - Request the permission to access mirror content provider
- Repack and sign
15
Proxy-based data access mechanism
16
Shield the privileged data
- File system
  - open(), creat(), rename(), mkdir(), remove(): rewrite the file path to the internal storage of AppShield
  - stat(), lstat(): pass the file descriptor of the business file to fstat()
- Content provider
  - Mirror content provider
  - System call ioctl(): redirect data request
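An added example, not AppShield's own code: one way a hooked open() or mkdir() could decide where a path really goes, normalizing it first so that spellings such as the "/./sdcard" form noted on the Effectiveness slide still match the shared-storage root. The root "/sdcard" comes from that slide; PRIVATE_ROOT and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define SHARED_ROOT  "/sdcard"                          /* assumed shared root */
#define PRIVATE_ROOT "/data/data/com.example.mam/files" /* hypothetical */

/* Lexical normalization of an absolute path: collapses "//", drops ".",
 * resolves "..". Symlinks are not resolved. Returns 0 on success. */
static int normalize(const char *in, char *out, size_t cap) {
    size_t len = 0;
    if (in[0] != '/' || cap < 2) return -1;   /* relative paths unsupported */
    while (*in) {
        while (*in == '/') in++;              /* skip repeated separators */
        size_t n = strcspn(in, "/");          /* length of next component */
        if (n == 0) break;
        if (n == 1 && in[0] == '.') { in += n; continue; }
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            while (len > 0 && out[--len] != '/') { }  /* pop one component */
            in += n; continue;
        }
        if (len + 1 + n >= cap) return -1;    /* would overflow out */
        out[len++] = '/';
        memcpy(out + len, in, n);
        len += n; in += n;
    }
    if (len == 0) out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* Decide where a file call should really go.
 * Returns 1 if redirected to private storage, 0 if left alone, -1 on error. */
int rewrite_path(const char *path, char *out, size_t cap) {
    char norm[512];
    size_t rl = strlen(SHARED_ROOT);
    if (normalize(path, norm, sizeof norm) != 0) return -1;
    /* Match the root only on a component boundary, so "/sdcard2" is not hit. */
    int hit = strncmp(norm, SHARED_ROOT, rl) == 0 &&
              (norm[rl] == '/' || norm[rl] == '\0');
    int w = snprintf(out, cap, "%s%s", hit ? PRIVATE_ROOT : "", hit ? norm + rl : norm);
    return (w < 0 || (size_t)w >= cap) ? -1 : hit;
}

int main(void) {
    char buf[256];
    int r = rewrite_path("/./sdcard/Download/report.pdf", buf, sizeof buf);
    printf("%d %s\n", r, buf);
    return 0;
}
```

Because the normalization is purely lexical, a deployment where the shared root is reached through a symlink or a second mount point would need those aliases added to the match.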
17
Security policies
- File isolation
- Multi-entity management & RBAC
- Fine-grained file access control
- Content provider isolation
18
Outline
- Introduction
- Motivation
- System Overview
- Evaluation
- Conclusion
19
Effectiveness
- Select 50 popular apps from Google Play
  - 35 file related apps, 15 contact provider related apps
- 1 app crashes; 2 apps file path “/./sdcard”
- 1 app cannot be rewritten; use “Intent” to directly start system contact manager app
Policies: File isolation; Multi-entity management & RBAC; File-level granularity; Content provider isolation
Succeed: 33/35, 31/35, 14/15
20
Reliability
- Select 1000 apps by popularity from Google Play in categories: Business, Finance, Medical, Productivity
- Execute by ADB Monkey
- Original version also crashes: 29 in 35
- Crash without code modification: 6 in 35

Total   Succeed        Rewriting failure   Crash
1000    953 (95.3%)    12 (1.2%)           35 (3.5%)
21
Impact of application rewriting
- Micro: overall latency in 1000 data accesses
- Macro: overall time for human to open/close a window rendering the privileged data

            File system             Content provider
            Original   AppShield    Original   AppShield
Micro (s)   0.180      0.382        7.303      9.014
Macro (s)   1.472      1.524        1.068      1.194

- Average memory usage increment: KB
- Average code size increment: 33.7KB
22
Comparison
Systems compared: AirWatch, MOCANA, GOOD, Citrix, Android L, AppShield *
Row values as they survive (per-system alignment not recoverable):
- Method: SDK & App rewriting; App rewriting; SDK; OS modification
- Isolation: Sandbox; Encryption; DAC
- Multi-entity management: No; Yes
- RBAC
- Granularity: Static; Coarse dynamic; File-level dynamic
- Sharing: Online; Local
- Portability: High; Low
23
Conclusion
- AppShield enforces arbitrary access control policies in the scenario of MAM
- Application rewriting
- No dependency on OS, high portability
- System call hooking, complete mediation
- Low overhead and impact on the original app
24
Thank you! Questions?
25
System call hooking