Show simple item record

dc.contributor.author
Marforio, Claudio
dc.contributor.author
Francillon, Aurelien
dc.contributor.author
Capkun, Srdjan
dc.date.accessioned
2017-07-07T12:28:07Z
dc.date.available
2017-06-09T17:44:51Z
dc.date.available
2017-07-07T12:28:07Z
dc.date.issued
2010-04
dc.identifier.uri
http://hdl.handle.net/20.500.11850/42375
dc.identifier.doi
10.3929/ethz-a-006936208
dc.description.abstract
We show that the way in which permission-based mechanisms are used on today's mobile platforms enables attacks by colluding applications that communicate over overt and covert communication channels. These attacks allow applications to indirectly execute operations that those applications, based on their declared permissions, should not be able to execute. Example operations include disclosure of users private data (e.g., phone book and calendar entries) to remote parties by applications that do not have direct access to such data or cannot directly establish remote connections. We further show that on today’s mobile platforms users are not made aware of possible implications of application collusion--quite the contrary--users are implicitly lead to believe that by approving the installation of each application independently, based on its declared permissions, they can limit the damage that an application can cause. In this work, we show that this is not correct and that application permissions should be displayed to the users differently (e.g., in their aggregated form), reflecting their actual implications. We demonstrate the practicality of application collusion attacks by implementing several applications and example covert channels on an Android platform and an example channel on a Windows Phone 7 platform. We study free applications from the Android market and show that the potential for application collusion is significant. Finally, we discuss countermeasures that can be used to mitigate these attacks.
en_US
dc.format
application/pdf
dc.language.iso
en
en_US
dc.publisher
ETH Zürich, Department of Computer Science
en_US
dc.rights.uri
http://rightsstatements.org/page/InC-NC/1.0/
dc.subject
MOBILTELEFONE + HANDY (MOBILKOMMUNIKATION)
en_US
dc.subject
DATA SECURITY + DATA PROTECTION (OPERATING SYSTEMS)
en_US
dc.subject
Smartphone security
en_US
dc.subject
MOBILE TELEPHONES + CELLULAR TELEPHONES (MOBILE COMMUNICATIONS)
en_US
dc.subject
SYSTEMPROGRAMMIERUNG (BETRIEBSSYSTEME)
en_US
dc.subject
SYSTEMS PROGRAMMING (OPERATING SYSTEMS)
en_US
dc.subject
Android security
en_US
dc.subject
Covert channels
en_US
dc.subject
Application collusion
en_US
dc.subject
DATENSICHERHEIT + DATENSCHUTZ (BETRIEBSSYSTEME)
en_US
dc.title
Application Collusion Attack on the Permission-Based Security Model and its Implications for Modern Smartphone Systems
en_US
dc.type
Report
dc.rights.license
In Copyright - Non-Commercial Use Permitted
dc.date.published
2011
ethz.journal.title
Technical report
ethz.journal.volume
724
en_US
ethz.size
16 p.
en_US
ethz.code.ddc
DDC - DDC::0 - Computer science, information & general works::004 - Data processing, computer science
en_US
ethz.code.ddc
DDC - DDC::6 - Technology, medicine and applied sciences::621.3 - Electric engineering
en_US
ethz.notes
Technical Reports D-INFK.
en_US
ethz.identifier.nebis
006936208
ethz.publication.place
Zürich
en_US
ethz.publication.status
published
en_US
ethz.leitzahl
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02660 - Institut für Informationssicherheit / Institute of Information Security::03755 - Capkun, Srdan / Capkun, Srdan
en_US
ethz.leitzahl
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science
en_US
ethz.leitzahl
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02660 - Institut für Informationssicherheit / Institute of Information Security::03634 - Basin, David / Basin, David
en_US
ethz.leitzahl.certified
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02660 - Institut für Informationssicherheit / Institute of Information Security::03634 - Basin, David / Basin, David
ethz.leitzahl.certified
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02660 - Institut für Informationssicherheit / Institute of Information Security::03755 - Capkun, Srdan / Capkun, Srdan
ethz.date.deposited
2017-06-09T17:44:54Z
ethz.source
ECOL
ethz.source
ECIT
ethz.identifier.importid
imp59364eb8a7df969019
ethz.identifier.importid
imp59366b1d5653188379
ethz.ecolpid
eth:5186
ethz.ecitpid
pub:70550
ethz.eth
yes
en_US
ethz.availability
Open access
en_US
ethz.rosetta.installDate
2017-07-07T12:29:05Z
ethz.rosetta.lastUpdated
2021-02-14T17:54:56Z
ethz.rosetta.exportRequired
true
ethz.rosetta.versionExported
true
ethz.COinS
ctx_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.atitle=Application%20Collusion%20Attack%20on%20the%20Permission-Based%20Security%20Model%20and%20its%20Implications%20for%20Modern%20Smartphone%20Systems&rft.jtitle=Technical%20report&rft.date=2010-04&rft.volume=724&rft.au=Marforio,%20Claudio&Francillon,%20Aurelien&Capkun,%20Srdjan&rft.genre=report&
 Search print copy at ETH Library

Files in this item

Thumbnail

Publication type

Show simple item record