1 / 19

An Example of an Android Security Extension

YAASE (Yet Another Android Security Extension) provides a robust policy-based system aimed at controlling information flow in Android applications. With fine-grained data filtering capabilities, YAASE ensures no modifications to the Android API are necessary, allowing for secure enforcement of access control decisions. By prioritizing data safety, it offers control over inter-process communication (IPC) and system-level calls. YAASE introduces a tunable architecture that integrates seamlessly with existing components, ensuring thorough policy evaluation and enforcement without relying on app trustworthiness.

brie
Download Presentation

An Example of an Android Security Extension

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An Example of an Android Security Extension YAASE - Yet Another Android Security Extension

  2. YAASE Main Features • A Policy-based System for • Controlling Information Flow • Fine-grained Data Filtering • No modifications to Android API • No trust on apps • Control over IPC and system-level calls (internet) • Data filtering capabilities • Tuneable

  3. YAASE Architecture • Grey = New components added • Dashed = Modified Android components

  4. Policy-based AC Terms • A policy is a rule that governs the behaviour of a system • PEP stands for Policy Enforcement Point • It is responsible for intercepting the requests and enforcing the access control decisions • PDP stands for Policy Decision Point • It is responsible for evaluating policies and coming up with a decision • Policy Provider is the repository where policies are stored

  5. YAASE Policy Language PolicyName: Requester can do operation on Resource [have to perform action] handle dataLabelExpression By default, if no policy is specified no action is granted!

  6. Example of a Privilege Escalation • FeedMe: A news feed app requiring access to internet • NavApp: A navigation app requiring access to GPS

  7. Policies for Apps PolFeedMe: FeedMEcan do send on Internet handle “NoLabels” PolNavApp: NavAppcan do access on GPS handle “FineLocation”

  8. Restrict Approach Sandbox Sandbox SystemSandbox P2 P1 FeedMe NavApp Android Apps C P1 GPS P2 NET S S A A Accessto NavApp PEP Policy Provider YAASE PDP

  9. Restrict Approach Sandbox Sandbox SystemSandbox P2 P1 FeedMe NavApp Android Apps C P1 GPS P2 NET S S A A PEP Policy Provider YAASE PDP

  10. Restrict Approach Sandbox Sandbox SystemSandbox P2 P1 FeedMe NavApp Android Apps C P1 GPS P2 NET S S A A PEP Policy Provider YAASE PDP

  11. Restrict Approach Sandbox Sandbox SystemSandbox P2 P1 FeedMe NavApp Android Apps C P1 GPS P2 NET S S A A NOACCESS PEP Policy Provider YAASE PDP

  12. Relaxed Approach Sandbox Sandbox SystemSandbox P2 P1 FeedMe NavApp Android Apps C P1 GPS P2 NET S S A A PEP PEP Policy Provider YAASE PDP

  13. Relaxed Approach Sandbox Sandbox SystemSandbox P2 P1 FeedMe D:FL NavApp Android Apps C P1 GPS P2 NET S S A A PEP Policy Provider YAASE PDP

  14. Relaxed Approach Sandbox Sandbox SystemSandbox P2 P1 FeedMe NavApp Android Apps C P1 GPS P2 NET S S A A INTERNET D:FL PEP Policy Provider YAASE PDP

  15. Enforced Policy PolFeedMe: FeedMEcan do send on Internet handle “NoLabels”

  16. Relaxed Approach Sandbox Sandbox SystemSandbox P2 P1 FeedMe NavApp Android Apps C P1 GPS P2 NET S S A A INTERNET D:FL PEP Policy Provider YAASE PDP

  17. Final Thoughts • Standard Android Security framework is insufficient • Plethora of security extensions have been presented • Now it is time that Google starts to take some actions

  18. Readings • Russello, Giovanni, et al. "Yaase: Yet another android security extension." Privacy, security, risk and trust (passat), 2011 ieee third international conference on and 2011 ieee third international conference on social computing (socialcom). IEEE, 2011.

  19. Questions?

More Related