ABSTRACT
The penetration of cellular networks worldwide and the emergence of smart phones have led to a revolution in mobile content. Users consume diverse content when, for example, exchanging photos, playing games, browsing websites, and viewing multimedia. Current phone platforms provide protections for user privacy, the cellular radio, and the integrity of the OS itself. However, few offer protections for content once it enters the phone. For example, MP3-based MMS or photo content placed on Android smart phones can be extracted and shared with impunity. In this paper, we explore the requirements and enforcement of digital rights management (DRM) policy on smart phones. An analysis of the Android market shows that DRM services should ensure that: a) protected content is accessible only by authorized phones, b) content is accessible only by provider-endorsed applications, and c) access is regulated by contextual constraints, e.g., used for a limited time, a maximum number of viewings, etc. The Porscha system developed in this work places content proxies and reference monitors within the Android middleware to enforce DRM policies embedded in received content. A pilot study controlling content obtained over SMS, MMS, and email illustrates the expressibility and enforcement of Porscha policies. Our experiments demonstrate that Porscha is expressive enough to articulate needed DRM policies and that their enforcement has limited impact on performance.
Index Terms
- Porscha: policy oriented secure content handling in Android