Preventing Information Leakage in Mobile Applications with Object-Oriented Access Control Lists and Security Monitor Encapsulation Abstract

We propose a model and associated algorithms for information flow control to prevent information leakage in mobile computing environments. The model employs access control lists and encapsulated security monitoring techniques under a fully object-oriented framework. We show that our model prevents unauthorized direct access to sensitive information from a mobile user to the server, as well as any attempt on indirect access through intermediate entities. To understand the feasibility of our model, we suggest an event-driven implementation structure and efficient approach for the realization of the model. A Java-based prototype implementation and performance evaluation results demonstrate that our model can successfully prevent information leakage with very low overhead. Key words: mobile data access, information flow control, access control lists, encapsulated security monitor