Gesellschaft für Informatik e.V.

Lecture Notes in Informatics

Software Engineering 2013 - Workshopband P-215, 107-122 (2013).

Gesellschaft für Informatik, Bonn

Copyright © Gesellschaft für Informatik, Bonn


How useful are existing monitoring languages for securing android apps?

Steven Arzt , Kevin Falzon , Andreas Follner , Siegfried Rasthofer , Eric Bodden and Volker Stolz


The Android operating system is currently dominating the mobile device market in terms of penetration and growth rate. An important contributor to its success are a wealth of cheap and easy-to-install mobile applications, known as apps. Today, installing untrusted apps is the norm, though this comes with risks: malware is ubiquitous and can easily leak confidential and sensitive data. In this work, we investigate the extent to which we can specify complex information flow properties using existing specification languages for runtime monitoring, with the goal to encapsulate potentially harmful apps and prevent private data from leaking. By modelling a set of representative, Android-specific security policies with Tracematches, JavaMOP, Dataflow Pointcuts and PQL, we are able to identify policylanguage features that are crucial for effectively defining runtime-enforceable Android security properties. Our evaluation demonstrates that while certain property languages suit our purposes better than others, they all lack essential features that would, if present, allow users to provide effective security guarantees about apps. We discuss those shortcomings and propose several possible mechanisms to overcome them.

Full Text: PDF

Gesellschaft für Informatik, Bonn
ISBN 978-3-88579-609-1

Last changed 04.10.2013 18:39:01