| With the rapid development of Mobile Internet and the expansion of the smart phone market, mobile applications have become the new leading direction in the post-PC age. More and more users are accustomed to using mobile phones for storaging and handling personal or business information, for mobile payment and for obtaining physical informations with the aid of new hardware features. But these mobile applications are being entitled to use the users’ private information while providing the users with dazzling features. Compared to platform security exploits, more and more malicious applications steal users’ private data by the use of the blind spot of the weak privacy mechanism on mobile platforms. The privacy disclosure brought by malicious mobile applications becomes a problem which is urgent for the field of mobile security to focus and solve. Though the current mobile security technology which is ported from the traditional PC antivirus technology plays an import role in the security field, it does not effectively prevent the malware form stealing a user’s private data in the rational framework. As a result, a platform-level privacy access control model must be realized to enforce the mobile security.Current researches on the mobile privacy protection mainly lie in two aspects:static analysis and dynamic control. In the static analysis field which is represented by Stowaway and Kirin on Android, they compare the permissions which are extracted by analyzing the code path and modules staticly with the predefined permission policy. Likewise in the dynamic control field which is represented by TaintDroid project on Android, they taint and track the private data in the system and give the alarm while the tainted data leaves the system through network. Though the static analysis mechanism can detect the malware in advance, it still has a high rate of false positive and does nothing to the recent privilege-escalation attack. Meanwhile the dynamic control mechanism focuses a lot on the private data protection inside an application and overlooks the data communications between applications.In this paper, we design and implement a privacy access control model CrossDroid which is based on the fine-grained permissions and data tainting control on the Android platform. CrossDroid provides a more fine-grained permissions mechanism compared with the default permission framework Android affords, and also forbids the privacy disclosure in communications between applications by use of tainting the private data. The system architecture consists of four main modules. The fine-grained permissions setting module affords the user with permissions configuration to the applications, which is similar to the TISSA project. The privacy access control module executes the permission policy on each private data source which Android provides. The private data tainting module is based on the TaintDroid project and is responsbile for tainting the private data the application requests. The ICC monitoring module deals with the private data transmition between applications by control of the base four communication modes.The experiments showed that the applications which are configured by the permission setting module can effectively protect the private data inside an application. Meanwhile, CrossDroid detects all the private escalation attacks in the four communication modes by use of the ICC monitoring module, which proves that CrossDroid modules can effectively forbid the privacy disclosure in the privilege escalation attacks assembled by malicious applications. |
PDF Full Text Request