The notion of Context-Awareness of mobile applications is drawing more attention, where many applications need to adapt to physical environments of users and devices, such as location, time, connectivity, resources, etc. While these adaptive features can facilitate better communication and help users to access their information anywhere at any time, this however bring risks caused by the potential loss, misuse, or leak of users’ confidential information. Therefore, a flexible policy-based access control system is needed to monitor critical functions executed by Android applications, especially, those requiring access to user’s sensitive and crucial information. This paper introduces CAPEF, which is a policy specification framework that enforces context-aware inter-app security policies to mitigate privacy leakage across different Android applications. It also, provides an instrumentation framework to effectively enforce different behaviors based on automated context-aware policies to each Android application individually without modifying the underlying platform. Accordingly, the modified applications will be forced to communicate with our centralized policy engine to avoid any malware collusion that occur without the users’ awareness. Experiments conducted on CAPEF shows an effective performance on the size of the enforced application after the instrumentation. The average size added was 705 bytes, which is about 0.063% of the size of the original applications, which is significantly small compared to other existing enforcement approaches. Also, we have denoted that the size and the execution time of the policy increases whenever the policies become more complex.

1. J. Maring, “Android central”, Online[Access 12/07/2022] urlhttps://www.androidcentral.com/google-removed-over- 700000-malicious-apps-play-store-2017, 2018.
2. I. Rathore, “Google gets rid of these 16 apps hav- ing millions of downloads”, Online[Access 15/09/2022] https://dazeinfo.com/2022/10/25/ google-removes-apps-that-have- affected-20-million-android-users-worldwide/, 2022.
3. “Android developers”, Online[Access 02/01/2022]url- https://developer.android.com /guide/topics/manifest/ manifest- intro.
4. V. Arena, V. Catania, G. La Torre, S. Monteleone, F. Ricciato, “Se- curedroid: An android security framework extension for context- aware policy enforcement”, “Privacy and Security in Mobile Systems (PRISMS), 2013 International Conference on”, pp. 1–8, IEEE, 2013, doi:10.1109/PRISMS.2013.6927185.
5. M. Nauman, S. Khan, X. Zhang, “Apex: extending android per- mission model and enforcement with user-defined runtime con- straints”, “Proceedings of the 5th ACM symposium on information, computer and communications security”, pp. 328–332, 2010, doi: 10.1145/1755688.1755732.
6. Y. Zhou, X. Zhang, X. Jiang, V. W. Freeh, “Taming information-stealing smartphone applications (on android)”, “International conference on Trust and trustworthy computing”, pp. 93–107, Springer, 2011, doi:10.1007/978-3-642-21599-5_7.
7. P. Hornyack, S. Han, J. Jung, S. Schechter, D. Wetherall, “These aren’t the droids you’re looking for: Retrofitting android to protect data from imperious applications”, “Proceedings of the 18th ACM Conference on Computer and Communications Security”, CCS ’11, p. 639–652, Association for Computing Machinery, New York, NY, USA, 2011, doi:10.1145/2046707.2046780.
8. D. Feth, A. Pretschner, “Flexible data-driven security for android”, “Software Security and Reliability (SERE), 2012 IEEE Sixth Interna- nal Conference on”, pp. 41–50, IEEE, 2012, doi:10.1109/SERE.2012.
9. R. Xu, H. Saidi, R. Anderson, “Aurasium: Practical policy enforce- ment for android applications”, “21st USENIX Security Symposium (USENIX Security 12)”, pp. 539–552, USENIX Association, 2012, 21st USENIX Security Symposium ; Conference date: 08-08-2012 Through 10-08-2012.
10. J. Jeon, K. K. Micinski, J. A. Vaughan, A. Fogel, N. Reddy, J. S. Foster,
    T. Millstein, “Dr. android and mr. hide: Fine-grained permissions in android applications”, “Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices”, SPSM ’12, p. 3–14, Association for Computing Machinery, New York, NY, USA, 2012, doi:10.1145/2381934.2381938.
11. B. Davis, B. Sanders, A. Khodaverdian, H. Chen, “I-arm-droid: A rewriting framework for in-app reference monitors for android appli- cations”, Mobile Security Technologies, vol. 2012, no. 2, p. 17, 2012.
12. B. Davis, H. Chen, “Retroskeleton: Retrofitting android apps”, “Pro- ceeding of the 11th Annual International Conference on Mobile Systems, Applications, and Services”, MobiSys ’13, p. 181–192, As- sociation for Computing Machinery, New York, NY, USA, 2013, doi: 10.1145/2462456.2464462.
13. P. von Styp-Rekowsky, S. Gerling, M. Backes, C. Hammer, “Idea: Callee-site rewriting of sealed system libraries”, J. Jürjens, B. Livshits,
    R. Scandariato, eds., “Engineering Secure Software and Systems”, pp. 33–41, Springer Berlin Heidelberg, Berlin, Heidelberg, 2013.
14. X. Zhang, A. Ahlawat, W. Du, “Aframe: Isolating advertisements from mobile applications in android”, “Proceedings of the 29th Annual Computer Security Applications Conference”, ACSAC ’13, p. 9–18, Association for Computing Machinery, New York, NY, USA, 2013, doi:10.1145/2523649.2523652.
15. P. Pearce, A. P. Felt, G. Nunez, D. Wagner, “Addroid: Privilege separation for applications and advertisers in android”, “Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security”, ASIACCS ’12, p. 71–72, Association for Computing Machinery, New York, NY, USA, 2012, doi:10.1145/2414456.2414498.
16. S. Shekhar, M. Dietz, D. S. Wallach, “Adsplit: Separating smart- phone advertising from applications”, “Presented as part of the 21st USENIX Security Symposium (USENIX Security 12)”, pp. 553–567, 2012, doi:10.48550/arXiv.1202.4030.
17. M. Zhang, H. Yin, “Efficient, context-aware privacy leakage confine- ment for android applications without firmware modding”, “Pro- ceedings of the 9th ACM Symposium on Information, Computer and Communications Security”, ASIA CCS ’14, p. 259–270, Asso- ciation for Computing Machinery, New York, NY, USA, 2014, doi: 10.1145/2590296.2590312.
18. Y. Falcone, S. Currea, “Weave droid: aspect-oriented programming on android devices: fully embedded or in the cloud”, “Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering”, pp. 350–353, 2012, doi:10.1145/2351676.2351744.
19. O. Riganelli, D. Micucci, L. Mariani, “Controlling interactions with libraries in android apps through runtime enforcement”, ACM Trans. Auton. Adapt. Syst., vol. 14, no. 2, 2019, doi:10.1145/3368087.
20. M. Alhanahnah, Q. Yan, H. Bagheri, H. Zhou, Y. Tsutano, W. Srisa-An,
    X. Luo, “Dina: Detecting hidden android inter-app communication in dynamic loaded code”, IEEE Transactions on Information Forensics and Security, vol. 15, pp. 2782–2797, 2020, doi:10.1109/TIFS.2020.2976556.
21. M. Grace, M. Sughasiny, “Behaviour analysis of inter-app commu- nication using a lightweight monitoring app for malware detec- tion”, Expert Systems with Applications, vol. 210, p. 118404, 2022, doi:https://doi.org/10.1016/j.eswa.2022.118404.
22. A. Developers, “Preparing for the android privacy sand- box beta”, Online[Access 15/12/2022]urlhttps://android- developers.googleblog.com/2022/11/preparing-for-android- privacy-sandbox-beta.html , 2022.
23. R. S. Sandhu, E. J. Coyne, H. L. Feinstein, C. E. Youman, “Role-based rol models”, Computer, vol. 29, no. 2, pp. 38–47, 1996,
    :10.1109/2.485845.
24. OASIS, “Oasis extensible access control markup language (xacml)”, Online[Access 02/05/2017]urlhtttp://www.oasis- open.org/committees/xacml, 2011.
25. W. Enck, P. Gilbert, S. Han, V. Tendulkar, B.-G. Chun, L. P. Cox, J. Jung,P. McDaniel, A. N. Sheth, “Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones”, ACM Trans. Comput. Syst., vol. 32, no. 2, 2014, doi:10.1145/2619091.
26. W. Zhou, X. Zhang, X. Jiang, “Appink: Watermarking android apps for repackaging deterrence”, ASIA CCS ’13, p. 1–12, Asso- omputing Machinery, New York, NY, USA, 2013, doi:
    145/2484313.2484315.

Citations by Dimensions

Citations by PlumX

Crossref Citations

This paper is currently not cited.

No. of Downloads per Month

No. of Downloads per Country