dc.contributor.author
Marforio, Claudio
dc.contributor.author
Francillon, Aurélien
dc.contributor.author
Capkun, Srdjan
dc.date.accessioned
2017-08-10T12:37:57Z
dc.date.available
2017-06-10T19:30:24Z
dc.date.available
2017-08-10T12:37:57Z
dc.date.issued
2011
dc.identifier.uri
http://hdl.handle.net/20.500.11850/69761
dc.identifier.doi
10.3929/ethz-a-006720730
dc.description.abstract
We show that the way in which permission-based mechanisms are used on today’s mobile platforms enables attacks by colluding applications that communicate over overt and covert communication channels. These attacks allow applications to indirectly execute operations that those applications, based on their declared permissions, should not be able to execute. Example operations include disclosure of users’ private data (e.g., phone book and calendar entries) to remote parties by applications that do not have direct access to such data or cannot directly establish remote connections. We further show that on today’s mobile platforms users are not made aware of possible implications of application collusion – quite the contrary – users are implicitly led to believe that by approving the installation of each application independently, based on its declared permissions, they can limit the damage that an application can cause. In this work, we show that this is not correct and that application permissions should be displayed to the users differently (e.g., in their aggregated form), reflecting their actual implications. We demonstrate the practicality of application collusion attacks by implementing several applications and example covert channels on an Android platform and an example channel on a Windows Phone 7 platform. We study free applications from the Android market and show that the potential for application collusion is significant. Finally, we discuss countermeasures that can be used to mitigate these attacks.
en_US
dc.language.iso
en
en_US
dc.publisher
Department of Computer Science, ETH Zurich
en_US
dc.rights.uri
http://rightsstatements.org/page/InC-NC/1.0/
dc.subject
MOBILTELEFONE + HANDY (MOBILKOMMUNIKATION)
en_US
dc.subject
DATA SECURITY + DATA PROTECTION (OPERATING SYSTEMS)
en_US
dc.subject
MOBILE TELEPHONES + CELLULAR TELEPHONES (MOBILE COMMUNICATIONS)
en_US
dc.subject
PROCESS MANAGEMENT (OPERATING SYSTEMS)
en_US
dc.subject
PROZESSVERWALTUNG + PROZESSMANAGEMENT (BETRIEBSSYSTEME)
en_US
dc.subject
DATENSICHERHEIT + DATENSCHUTZ (BETRIEBSSYSTEME)
en_US
dc.title
Application Collusion Attack on the Permission-Based Security Model and its Implications for Modern Smartphone Systems
en_US
dc.type
Report
dc.rights.license
In Copyright - Non-Commercial Use Permitted
ethz.size
16 p.
en_US
ethz.code.ddc
0 - Computer science, information & general works::004 - Data processing, computer science
en_US
ethz.code.ddc
6 - Technology, medicine and applied sciences::621.3 - Electric engineering
en_US
ethz.notes
Technical Reports D-INFK.
en_US
ethz.identifier.nebis
006720730
ethz.publication.place
Zürich
en_US
ethz.publication.status
published
en_US
ethz.leitzahl
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02660 - Institut für Informationssicherheit::03755 - Capkun, Srdan / Capkun, Srdan
en_US
ethz.leitzahl
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science
en_US
ethz.leitzahl.certified
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02660 - Institut für Informationssicherheit::03755 - Capkun, Srdan / Capkun, Srdan
ethz.date.deposited
2017-06-10T19:34:36Z
ethz.source
ECOL
ethz.source
ECIT
ethz.identifier.importid
imp593650d31558985390
ethz.identifier.importid
imp59366b1343b9719675
ethz.ecolpid
eth:4731
ethz.ecitpid
pub:110467
ethz.eth
yes
en_US
ethz.availability
Open access
en_US
ethz.rosetta.installDate
2017-07-13T05:17:02Z
ethz.rosetta.lastUpdated
2017-08-10T12:37:59Z
ethz.rosetta.exportRequired
true
ethz.rosetta.versionExported
true
ethz.COinS
ctx_ver=Z39.88-2004&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.atitle=Application%20Collusion%20Attack%20on%20the%20Permission-Based%20Security%20Model%20and%20its%20Implications%20for%20Modern%20Smartphone%20Systems&rft.date=2011&rft.au=Marforio,%20Claudio&Francillon,%20Aur%C3%A9lien&Capkun,%20Srdjan&rft.genre=report&rft.btitle=Application%20Collusion%20Attack%20on%20the%20Permission-Based%20Security%20Model%20and%20its%20Implications%20for%20Modern%20Smartphone%20Systems