5. IMPLEMENTATIONDR BACA was develo

5. IMPLEMENTATION
DR BACA was developed on Android version 4.0.4 (Ice
Cream Sandwich). We used a Galaxy Nexus and a Nexus S
for testing purposes. The experiments in section 7 were conducted
on the Nexus S. DR BACA consists of about 15,000
lines of code, the majority of it written in Java. One of our
goals in developing DR BACA was to minimize the changes
to the existing Android code. Therefore, only 139 lines of
actual Android framework code had to be modified. This
simplifies the porting of DR BACA to newer versions of
Android. A complete discussion of DR BACA’s implementation
is outside of the scope of this paper. More details can
be found in [24].
DR BACA modifies and extends the existing Android
framework. This provides unrestricted access to any kind
of permission and execution request. As briefly mentioned
before, these requests are intercepted by DR BACA through
hooks in the framework code. For example, the ActivityManager
service checks application permission requests in
its checkComponentPermission() method. If that method
grants the permission request, the DR BACA system will
get notified and consults its security policy before making
the ultimate decision of granting or rejecting the request.
The disadvantage of directly modifying the Android operating
system is that in order to use DR BACA, the Android
device needs to be rooted and flashed with the modified
operating system. Fortunately, rooting and flashing an Android
device is well documented and does not require a lot
of time.
Another important goal of DR BACA was to identify all
execution paths that deal with permission and execution
checks. The Android code base is very extensive and depending
on the actual request, different services will deal
with it. Through code inspection, experimentation and testing,
we are confident to have identified the majority of paths
where such checks occur. All identified execution paths were
then hooked up with DR BACA in order to provide a comprehensive
security solution for Android.
6. SCENARIOS
This section provides a scenario that illustrate how DR
BACA can be used in a real world environment. This scenario
takes place in a hospital environment. In order to
support the hospital staff in their daily work, the IT department
acquired dozens of Android devices. Most employees
are given their own personal Android device. In addition,
the hospital acquired Android tablets. These tablets are
assigned to the current patients. The tablets serve both
as an entertainment platform for the patients as well as a
source for sensitive patient information for the hospital staff.
Since dealing with sensitive medical information, these devices
need to be appropriately secured. For this reason, the
IT department installed DR BACA on all acquired devices.
The security policy applied to the mobile devices consists
(among others) of the following rules:
1. The patient role allows the execution of certain games
(Scrabble, Chess, etc.) and video conferencing applications.
.
2. Patients (users assigned the patient role) are never allowed
to execute the hospital application ”MedInfo”.
.
3. The doctor and nurse role contains a rule which allows
the retrieval of medical information through the
hospital application ”MedInfo”.
Access To Sensitive Application: This setup allows
patients to pass their time playing games, listening to music
and chatting with friends and family using the Android
tablet. On the other hand, nurses can make use of the same
tablet by retrieving or updating the patient’s information.
If a patient attempted to start the MedInfo application,
an error message such as the one shown in Figure 4 would
pop up and reject the execution request.
Figure 4: Execution request denied
However, patients are allowed to inspect their own medical
record under HIPAA [20]. Using DR BACA’s dynamic approach,
a doctor can grant a patient temporary access to
their own medical records. This can be achieved by sharing
304
the appropriate rule from their own mobile device to the
patients tablet. To minimize the risk of information leakage,
this rule will only be granted for a short amount of
time, just enough for the patient to review his/her medical
records. Listing 3 shows, how this rule would have to be
defined as part of the security policy. Note that the rule is
shareable in order for the doctor to temporarily grant it to
the patient.
{ "apps": ["MEDINFO"],
"roles": ["DOCTOR", "NURSE"],
"rulename": "MEDINFO_ACCESS",
"allowed": true,
"shareable": true,
"contexts": ["HOSPITAL_LOC"] }
Listing 3: Shareable rule Example
Minimizing Risk of Malware: In recent months, there
have been many malicious applications with the primary
goal of periodically sending messages to premium numbers.
Many of these applications are based on the very widespread
Android.FakeInstaller malware family, according to a report
from McAfee [25]. The report states that this malware family
consists of several variants that all spoof popular applications
such as Skype and Flash Player and upload them to
third-party App-Markets. The IT department of the hospital
is worried, that the mobile devices provided to the
employees will get infected with the Android.FakeInstaller
malware. It assigns the rule shown in Listing 4 to the employee
role. This prevents anyone from ever sending SMS.
{ "roles": ["EMPLOYEE"],
"rulename": "NO_SMS",
"permissions": ["SEND_SMS"],
"allowed": false,
"shareable": false }
Listing 4: Denied SEND SMS rule
Not allowing to send SMS might be too restrictive for the
hospital’s employees. One way to solve this and still adhere
to the principle of least privilege is to provide each
employee with an NFC tag which temporarily permits dangerous
permissions such as SEND SMS. While this approach
is less convenient for employees, it effectively reduces the
potential cost incurred by malicious software such as the
Android.FakeInstaller malware family.
7. EVALUATION
7.1 Effectiveness
The effectiveness of DR BACA depends on the security
policy used. However, a stringent security policy can severely
limit the harm caused by malicious and vulnerable nonmalicious,
applications.
While Table 5 is not exhaustive, it shows that the majority
of current Android malware contains similar functionality.
Because of this, adding only a few restrictive rules to DR
BACA is enough to improve the security on Android mobile
device. For example: most malware has the ability to impose
costs for the mobile device user by sending SMS to premium
numbers. By defining rules similar to the ones created in section
6, these types of malware suddenly become much less
powerful. Also, a lot of malware attempts to steal contact information.
A rule that only grants the READ CONTACTS
to trusted applications will mitigate the risks posed by these
particular malicious applications.
7.2 Efficiency
Added security always comes with a price, be it through
performance degradation, slowed down user experience, higher
battery life consumption or a combination of all. With the
current mobile devices on the market, one of the most important
performance factors is the battery life time. This is
illustrated by the fact that the Galaxy Nexus battery takes
up about 1
3 of the entire internal hardware. All tests in this
chapter were performed with the same user who has the following
restrictions:
• Internet denied (all applications) during work days,
office hours and at office location;
• Send SMS denied (all applications) during work days;
• Execute music application denied during work days
and office hours;
• Execute performance application denied;
• Execute settings application denied during work days;
• Execute camera application denied during work days,
office hours and at office location;
• Internet allowed for email application;
• Internet allowed for performance application;
• Execute performance application allowed.
While the here chosen security policy is rather small, the
provided results are also representative for larger environments
(with dozens of roles and rules) for the following reasons:
• Once a user is logged in, only the roles, rules and contexts
of that particular user are loaded into memory
and used by DR BACA to make access decisions. This
means that the number of roles, rules and contexts DR
BACA needs to check to make access decisions does
not increase when more users are involved.
• Roles, rules and contexts are stored in Array-Lists. In
Java, Array-Lists have a random access time complexity
of O(n), where n is the number of elements in the
Array-List. This means that only for a very large n will
the results shown in this chapter be distorted. Based
on the fact that the Android operating system currently
contains 130 permissions [12], we expect that
normal DR BACA users will have limited amounts
of roles, rules and contexts, unlikely to exceed a few
dozens.
7.3 Permission Checking Overhead
This first test evaluates individual permission requests and
the time overhead introduced for checking them with DR
BACA. Figure 5 shows the performance test results for the
READ SMS permission.
The timing was performed by comparing two nanoTime()
timestamps. Since Java’s nanoTime() method can vary depending
on the current system load, we performed a total of
305
Name Malicious activity Discovered date
Bill Shocker [26] Send costly SMS January 2013
Android.DDoS.1.origin [22] Botnet (DDoS) & Send costly SMS December 2012
Android.Enesoluty [32] Steal personal info September 2012
Android.Jifake [4] Send costly SMS July 2012
Android.Ackposts [31] Steal contact info July 2012
Android.Mobiletx [1] Steal personal info & Send costly SMS May 2012
Table 5: Recent Android malware
0 200 400 600 800
0 10 20 30 40 50 60 70 80 90 100
Number of tests [#]
Duration [us]
Android
DR BACA
Mean:
307.83
585.30
Std. deviation:
103.43
74.27
Figure 5: READ SMS request time overhead
110 READ SMS requests and removed the top and bottom 5
results, leaving 100 time values for comparison between Android’s
referen