Zero permission android applications - attacks and defenses

Google advertises the Android permission framework as one of the core security features present on its innovative and flexible mobile platform. The permissions are a means to control access to restricted AP/s and system resources. However, there are Android applications which do not request permissions at all.In this paper, we analyze the repercussions of installing an Android application that does not include any permission and the types of sensitive information that can be accessed by such an application. We found that even app/icaaons with no permissions are able to access sensitive information (such the device ID) and transmit it to third-parties

Fiziksel Programlama Platformları Kullanarak Elektrikli Araçların Anlık Hızının İnternet Ve Mobil Sistemler Üzerinden Takibi

Güneş enerjili araç yarışları ülkemizde TÜBİTAK tarafından 2005 yılından beri, dünyada ise 1980’li yıllardan bu yana düzenlenmektedir. Bütün güneş enerjili araç yarışlarının ortak amacı, takımlar arasında rekabet ortamı oluşturarak, alternatif enerji için teknoloji üretmektir. Yarış kurallarına göre sınırlandırılmış panel alanı, akü gücü ve ağırlığı ile herkes için eşit koşullarda yarışma olanağı sunulmaktadır. Bu kapsamda hazırlanan güneş enerjili araca yeni teknoloji olarak kendi tasarımımız olan “Fiziksel Programlama Platformları Kullanarak Elektrikli Araçların Anlık Hızının İnternet ve Mobil Sistemler Üzerinden Takip Sistemi” eklenmiştir. Fiziksel Programlama Platformları kullanılarak gerçekleştirilen sistem, elektrikli taşıtlar için anlık hız verisinin uzaktan gözlemlenmesini sağlamaktadır. Ayrıca bu sistem hareket enerjisini bataryadan alan tüm taşıtlara (güneş enerjili, elektrikli vb) kolaylıkla uygulanabilmektedir. Elde edilen veriler, geliştiriciler tarafından internet üzerinden paylaşılabildiğinden, sistemlerin takibi için mesafe problemi ortadan kalkmış bulunmaktadır. Projenin gerçekleştirilmesi ile güneş enerjili aracın gerçek zamanlı olarak uzaktan izlenmesi sağlanmıştır. Anlık hızın uzaktan izlenmesi, kalan enerji miktarına göre hız ve gidilebilecek yol gibi verileri sağlamaktadır. Bu proje farklı aşamalardan oluşmaktadır; ilk olarak hız ölçümlerinin yapılabilmesi için gerekli olan devre tasarımları yapılmıştır. Bu devreler fiziksel olarak gerçekleştirilmiş ve Fiziksel Programlama Platformları aracılığı ile programlanmıştır. Araç tarafından gönderilecek verilerin yorumlanması için gerekli internet sunucunun programlanması ve ayarlanması gerçekleştirilmiştir. Araçtan alınan anlık hız verisinin bu sunucuya yüklenmesi için gerekli yazılımlar üretilmiştir

Graphical Representations of Security Settings in Android

abstract: On Android, existing security procedures require apps to request permissions for access to sensitive resources. Only when the user approves the requested permissions will the app be installed. However, permissions are an incomplete security mechanism. In addition to a user's limited understanding of permissions, the mechanism does not account for the possibility that different permissions used together have the ability to be more dangerous than any single permission alone. Even if users did understand the nature of an app's requested permissions, this mechanism is still not enough to guarantee that a user's information is protected. Applications can potentially send or receive sensitive information from other applications without the required permissions by using intents. In other words, applications can potentially collaborate in ways unforeseen by the user, even if the user understands the permissions of each app independently. In this thesis, we present several graph-based approaches to address these issues. We determine the permissions of an app and generate scores based on our assigned value of certain resources. We analyze these scores overall, as well as in the context of the app's category as determined by Google Play. We show that these scores can be used to identify overzealous apps, as well as apps that do not properly fit within their category. We analyze potential interactions between different applications using intents, and identify several promiscuous apps with low permission scores, showing that permissions alone are not sufficient to evaluate the security risks of an app. Our analyses can form the basis of a system to assist users in identifying apps that can potentially compromise user privacy.Dissertation/ThesisPermission Scores and List of Apps considered for each category.Masters Thesis Computer Science 201

SPE: Security and Privacy Enhancement Framework for Mobile Devices

In this paper, we present a security and privacy enhancement (SPE) framework for unmodified mobile operating systems. SPE introduces a new layer between the application and the operating system and does not require a device be jailbroken or utilize a custom operating system. We utilize an existing ontology designed for enforcing security and privacy policies on mobile devices to build a policy that is customizable. Based on this policy, SPE provides enhancements to native controls that currently exist on the platform for privacy and security sensitive components. SPE allows access to these components in a way that allows the framework to ensure the application is truthful in its declared intent and ensure that the user’s policy is enforced. In our evaluation we verify the correctness of the framework and the computing impact on the device. Additionally, we discovered security and privacy issues in several open source applications by utilizing the SPE Framework. From our findings, if SPE is adopted by mobile operating systems producers, it would provide consumers and businesses the additional privacy and security controls they demand and allow users to be more aware of security and privacy issues with applications on their devices

SPE: Security and Privacy Enhancement Framework for Mobile Devices

In this paper, we present a security and privacy enhancement (SPE) framework for unmodified mobile operating systems. SPE introduces a new layer between the application and the operating system and does not require a device be jailbroken or utilize a custom operating system. We utilize an existing ontology designed for enforcing security and privacy policies on mobile devices to build a policy that is customizable. Based on this policy, SPE provides enhancements to native controls that currently exist on the platform for privacy and security sensitive components. SPE allows access to these components in a way that allows the framework to ensure the application is truthful in its declared intent and ensure that the user’s policy is enforced. In our evaluation we verify the correctness of the framework and the computing impact on the device. Additionally, we discovered security and privacy issues in several open source applications by utilizing the SPE Framework. From our findings, if SPE is adopted by mobile operating systems producers, it would provide consumers and businesses the additional privacy and security controls they demand and allow users to be more aware of security and privacy issues with applications on their devices

Adaptive Governance and sub-national Climate Change Policy: A comparative analysis of Khyber Pukhtunkhawa and Punjab Provinces in Pakistan

This study explores the adaptive governance and effective implementation of climate policies at the subnational level in a developing country context. We focused on Pakistan as our central case as it is considered one of the most vulnerable countries to climate change and has also gone through a recent governance devolution process. This study is conduced to investigate climate governance at subnational level in Pakistan by looking at the province of Punjab and Khyber Pukhtunkhawah (KPK). We employ the Ostrom’s Institutional Analysis and Development (IAD) Framework for this study. The framework as methodology is important to uncover the complexity of adaptive governance at subnational level after devolution and transformation of environmental institutions in Pakistan. Different aspects of governance such as engagement of local actors, activism of political leadership, awareness campaigns, and capacity building are the notable initiatives in the provinces. The study identifies the differences of initiatives in these provinces are manifest in subnational climate change policy differentiation, research capacity and institutional maturity. The study finds that the provincial government of the KPK follows more participatory and decentralized approach while Punjab is more centralized. The IAD framework provided an effective means of understanding these complex differences in outcome and scale

An Android runtime security policy enforcement framework

Abstract Today, smart phone's malwares are deceptive enough to spoof itself as a legal mobile application. The front-end service of Trojans is attractive enough to deceive mobile users. Mobile users download similar malwares without knowing their illegitimate background threat. Unlike other vendors, Android is an open-source mobile operating system, and hence, it lacks a dedicated team to analyze the application code and decide its trustworthiness. We propose an augmented framework for Android that monitors the dynamic behavior of application during its execution. Our proposed architecture called Security Enhanced Android Framework (SEAF) validates the behavior of an application through its permissions exercising patterns. Based on the exercised permissions' combination, the mobile user is intimated about the dangerous behavior of an application. We have implemented the proposed framework within Android software stack and ported it to device. Our initial investigation shows that our solution is practical enough to be used in the consumer market

Konzepte für Datensicherheit und Datenschutz in mobilen Anwendungen

Smart Devices und insbesondere Smartphones nehmen eine immer wichtigere Rolle in unserem Leben ein. Aufgrund einer kontinuierlich anwachsenden Akkulaufzeit können diese Geräte nahezu ununterbrochen mitgeführt und genutzt werden. Zusätzlich sorgen stetig günstiger werdende Mobilfunktarife und ansteigende Datenraten dafür, dass den Nutzern mit diesen Geräten eine immerwährende Verbindung zum Internet zur Verfügung steht. Smart Devices sind dadurch nicht mehr reine Kommunikationsmittel sondern ebenfalls Informationsquellen. Darüber hinaus gibt es eine Vielzahl an Anwendungen von Drittanbietern für diese Geräte. Dank der darin verbauten Sensoren, können darauf beispielsweise ortsbasierte Anwendungen, Gesundheitsanwendungen oder Anwendungen für die Industrie 4.0 ausgeführt werden, um nur einige zu nennen. Solche Anwendungen stellen allerdings nicht nur ein großes Nutzen-, sondern zu gleich ein immenses Gefahrenpotential dar. Über die Sensoren können die unterschiedlichsten Kontextdaten erfasst und relativ präzise Rückschlüsse auf den Nutzer gezogen werden. Daher sollte bei diesen Geräten ein besonderes Augenmerk auf die Datensicherheit und insbesondere auf den Datenschutz gelegt werden. Betrachtet man allerdings die bestehenden Datensicherheits- und Datenschutzkomponenten in den aktuell vorherrschenden mobilen Plattformen, so fällt auf, dass keine der Plattformen die speziellen Anforderungen an ein mobiles Datensicherheits- und Datenschutzsystem zufriedenstellend erfüllt. Aus diesem Grund steht im Zentrum der vorliegende Arbeit die Konzeption und Umsetzung neuartiger Datensicherheits- und Datenschutzkonzepte für mobile Anwendungen. Hierfür werden die folgenden fünf Forschungsbeiträge erbracht: [FB1] Bestehende Datensicherheits- und Datenschutzkonzepte werden analysiert, um deren Schwachstellen zu identifizieren. [FB2] Ein kontextsensitives Berechtigungsmodell wird erstellt. [FB3] Das Berechtigungsmodell wird in einem flexiblen Datenschutzsystem konzeptionell eingebettet und anschließend implementiert. [FB4] Das Datenschutzsystem wird zu einem holistischen Sicherheitssystem erweitert. [FB5] Das daraus entstandene holistische Sicherheitssystem wird evaluiert. Um die Forschungsziele zu erreichen, wird mit dem Privacy Policy Model (PPM) ein gänzlich neues Modell zur Formulierung von feingranularen Berechtigungsregeln eingeführt, die es dem Nutzer ermöglichen, je nach Bedarf, einzelne Funktionseinheiten einer Anwendung zu deaktivieren, um dadurch die Zugriffsrechte der Anwendung einzuschränken. Zusätzlich kann der Nutzer auch die Genauigkeit der Daten, die der Anwendung zur Verfügung gestellt werden, reduzieren. Das PPM wird in der Privacy Policy Platform (PMP) implementiert. Die PMP ist ein Berechtigungssystem, das nicht nur für die Einhaltung der Datenschutzrichtlinien sorgt, sondern auch einige der Schutzziele der Datensicherheit erfüllt. Für die PMP werden mehrere Implementierungsstrategien diskutiert und deren Vor- und Nachteile gegeneinander abgewogen. Um neben den Datenschutz auch die Datensicherheit gewährleisten zu können, wird die PMP um den Secure Data Container (SDC) erweitert. Mit dem SDC können sensible Daten sicher gespeichert und zwischen Anwendungen ausgetauscht werden. Die Anwendbarkeit der PMP und des SDCs wird an Praxisbeispielen aus vier unterschiedlichen Domänen (ortsbasierte Anwendungen, Gesundheitsanwendungen, Anwendungen in der Industrie 4.0 und Anwendungen für das Internet der Dinge) demonstriert. Bei dieser Analyse zeigt sich, dass die Kombination aus PMP und SDC nicht nur sämtliche Schutzziele, die im Rahmen der vorliegenden Arbeit relevant sind und sich am ISO-Standard ISO/IEC 27000:2009 orientieren, erfüllt, sondern darüber hinaus sehr performant ist. Durch die Verwendung der PMP und des SDCs kann der Akkuverbrauch von Anwendungen halbiert werden