Towards Securing "Bring Your Own Device" Policy
Alessandro Armando1, Gabriele Costa2*, Alessio Merlo3*, and Luca Verderame1
1Fondazione Bruno Kessler, Trento, Italy
armando@fbk.eu
2Università degli Studi di Genova, Genova, Italy
gabriele.costa@unige.it, luca.verderame87@gmail.com
3Università e-Campus
alessio.merlo@uniecampus.it
Abstract
The number of devices (phones, tablets, smart TVs, ...) running Android OS is
growing continuously and rapidly. Along with the devices, the number of
applications and of on-line application marketplaces is also increasing.
Unfortunately, security guarantees have not evolved at the same pace, and
security flaws have been reported. Far from being discouraged, more and more
users and organisations rely on Android even for security-critical activities.
The bring your own device (BYOD) paradigm confirms this trend: it allows mobile
devices to join a virtual organisation (a set of federated devices) in order to
access its services and functionalities. Needless to say, the basic security
support offered by Android and by application markets is inadequate for the
security requirements of BYOD-like scenarios. In this work we describe a
technique for guaranteeing that devices comply with a security policy. To do so,
we use a type and effect system to infer behavioural models from the
implementation of applications, and we validate these models against the policy
specification. Moreover, we define a novel approach, based on partial model
checking, for partially evaluating the security policy with respect to the
configuration of each device. Finally, we present a prototype under
implementation, called BYODroid, which concretely applies these techniques to
secure the devices joining a virtual organisation in the BYOD style.
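The pipeline the abstract sketches (infer an app's behavioural model from its code, check it against a policy, and pre-evaluate the policy for a given device configuration) can be illustrated with a small toy. The code below is an added example written for this page; it is not the paper's type and effect system nor any part of BYODroid. It assumes a drastically simplified world: an app is an abstract syntax tree over four constructs, the API-to-effect table `API_EFFECTS`, the policy `POLICY`, the apps `LEAKY`/`BENIGN` and the device configurations `FULL_DEVICE`/`NO_NET_DEVICE` are all constructed here, and "partial evaluation" is rendered as pruning the policy automaton of effects the device cannot produce.

```python
from collections import deque
from itertools import count

# Abstraction of Android API calls into security-relevant effects.
# Constructed for this example; the labels are not the paper's.
API_EFFECTS = {
    "ContactsContract.query": "READ_CONTACTS",
    "LocationManager.getLastKnownLocation": "READ_LOCATION",
    "Socket.write": "NET_SEND",
    "Log.d": None,  # not security relevant: silent step
}

def infer(ast, edges, fresh):
    """Effect inference over an abstract program, returning an NFA fragment.
    Program forms: ("call", api) | ("seq", a, b) | ("choice", a, b) | ("loop", a).
    Each NFA edge is (src, effect-or-None, dst); returns (start, end) states."""
    kind, s, e = ast[0], next(fresh), next(fresh)
    if kind == "call":
        edges.add((s, API_EFFECTS[ast[1]], e))
    elif kind == "seq":
        s1, e1 = infer(ast[1], edges, fresh)
        s2, e2 = infer(ast[2], edges, fresh)
        edges |= {(s, None, s1), (e1, None, s2), (e2, None, e)}
    elif kind == "choice":
        for branch in ast[1:]:
            bs, be = infer(branch, edges, fresh)
            edges |= {(s, None, bs), (be, None, e)}
    elif kind == "loop":
        bs, be = infer(ast[1], edges, fresh)
        edges |= {(s, None, bs), (be, None, s), (s, None, e)}
    else:
        raise ValueError(f"unknown construct {kind!r}")
    return s, e

def behaviour(ast):
    """The behavioural model of an app: (start state, NFA edges)."""
    edges = set()
    start, _ = infer(ast, edges, count())
    return start, edges

class Policy:
    """Security policy as a DFA over effects. An effect with no explicit
    transition leaves the state unchanged; reaching a 'bad' state is a violation."""
    def __init__(self, start, delta, bad):
        self.start, self.delta, self.bad = start, dict(delta), set(bad)

    def step(self, state, effect):
        return self.delta.get((state, effect), state)

def violates(app, policy):
    """Model check the app against the policy by exploring their product;
    True iff some execution drives the policy into a bad state."""
    start, edges = app
    first = (start, policy.start)
    seen, todo = {first}, deque([first])
    while todo:
        a, p = todo.popleft()
        if p in policy.bad:
            return True
        for src, eff, dst in edges:
            if src != a:
                continue
            nxt = (dst, p if eff is None else policy.step(p, eff))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False

def specialise(policy, device_effects):
    """Partially evaluate the policy against a device configuration (the set of
    effects the device can produce at all). Transitions on impossible effects are
    dropped and unreachable states pruned. Returns the residual policy that apps
    on this device must still be checked against, or None when no violation is
    reachable on this device, i.e. the policy is discharged before any app check."""
    delta = {(q, e): q2 for (q, e), q2 in policy.delta.items() if e in device_effects}
    reach, todo = {policy.start}, [policy.start]
    while todo:
        q = todo.pop()
        for (src, _), dst in delta.items():
            if src == q and dst not in reach:
                reach.add(dst)
                todo.append(dst)
    if not (reach & policy.bad):
        return None
    residual = {k: v for k, v in delta.items() if k[0] in reach}
    return Policy(policy.start, residual, reach & policy.bad)

# Policy (constructed): contacts read on the device must never reach the network.
POLICY = Policy("clean", {("clean", "READ_CONTACTS"): "tainted",
                          ("tainted", "NET_SEND"): "BAD"}, {"BAD"})

# Two constructed apps: one leaks contacts in a retry loop, one only logs them.
LEAKY = ("seq", ("call", "ContactsContract.query"),
                ("loop", ("call", "Socket.write")))
BENIGN = ("seq", ("call", "ContactsContract.query"), ("call", "Log.d"))

# Two constructed device configurations (effects the device can produce).
FULL_DEVICE = {"READ_CONTACTS", "READ_LOCATION", "NET_SEND"}
NO_NET_DEVICE = {"READ_CONTACTS", "READ_LOCATION"}

if __name__ == "__main__":
    print("leaky violates:", violates(behaviour(LEAKY), POLICY))           # True
    print("benign violates:", violates(behaviour(BENIGN), POLICY))         # False
    print("policy on no-net device:", specialise(POLICY, NO_NET_DEVICE))   # None
```

The point of `specialise` is the one the abstract attributes to partial model checking: the part of the policy that depends only on the device (here, which effects it can produce at all) is evaluated once, when the device joins the organisation, and only the residual policy has to be checked against each application's inferred behaviour. On a device with no network capability the contacts policy is discharged outright; on a fully capable device the residual policy is the original one and the leaky app is rejected.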
Keywords: Android security, BYOD paradigm, online marketplaces, static analysis, partial model checking
*Corresponding author
Journal of Internet Services and Information Security (JISIS), 2(3/4): 3-17, November 2012