Conference Paper: On the origin of mobile apps: Network provenance for android applications

Title: On the origin of mobile apps: Network provenance for android applications
Authors: Stevens, Ryan; Crussell, Jonathan; Chen, Hao
Issue Date: 2016
Citation: CODASPY 2016 - Proceedings of the 6th ACM Conference on Data and Application Security and Privacy, 2016, p. 160-171
Abstract: Many mobile services consist of two components: a server providing an API, and an application running on smart phones and communicating with the API. An unresolved problem in this design is that it is difficult for the server to authenticate which app is accessing the API. This causes many security problems. For example, the provider of a private network API has to embed secrets in its official app to ensure that only this app can access the API; however, attackers can uncover the secret by reverse-engineering. As another example, malicious apps may send automatic requests to ad servers to commit ad fraud. In this work, we propose a system that allows a network API to authenticate the mobile app that sends each request so that the API can make an informed access control decision. Our system, the Mobile Trusted-Origin Policy, consists of two parts: 1) an app provenance mechanism that annotates outgoing HTTP(S) requests with information about which app generated the network traffic, and 2) a code isolation mechanism that separates code within an app that should have different app provenance signatures into mobile origins. As motivation for our work, we present two previously-unknown families of apps that perform click fraud, and examine how the lack of mobile origin information enables the attacks. Based on our observations, we propose Trusted Cross-Origin Requests to handle point (1), which automatically includes mobile origin information in outgoing HTTP requests. Servers may then decide, based on the mobile origin data, whether to process the request or not. We implement a prototype of our system for Android and evaluate its performance, security, and deployability. We find that our system can achieve our security and utility goals with negligible overhead.
Persistent Identifier: http://hdl.handle.net/10722/346615

Dublin Core metadata (field: value)
dc.contributor.author: Stevens, Ryan
dc.contributor.author: Crussell, Jonathan
dc.contributor.author: Chen, Hao
dc.date.accessioned: 2024-09-17T04:12:04Z
dc.date.available: 2024-09-17T04:12:04Z
dc.date.issued: 2016
dc.identifier.citation: CODASPY 2016 - Proceedings of the 6th ACM Conference on Data and Application Security and Privacy, 2016, p. 160-171
dc.identifier.uri: http://hdl.handle.net/10722/346615
dc.language: eng
dc.relation.ispartof: CODASPY 2016 - Proceedings of the 6th ACM Conference on Data and Application Security and Privacy
dc.title: On the origin of mobile apps: Network provenance for android applications
dc.type: Conference_Paper
dc.description.nature: link_to_subscribed_fulltext
dc.identifier.doi: 10.1145/2857705.2857712
dc.identifier.scopus: eid_2-s2.0-84964837076
dc.identifier.spage: 160
dc.identifier.epage: 171