Securing IoT Apps with Fine-grained Control of Information Flows
Abstract
The Internet of Things is growing rapidly, with many connected devices now available to consumers. With this growth, the IoT apps that manage the devices from smartphones raise significant security concerns. Typically, these apps are secured via sensitive credentials, such as an email address and password, that must be validated by specific servers, so the apps require permission to access the Internet. Unfortunately, even when the developers of these apps are well-intentioned, it can be non-trivial to secure such apps so as to guarantee that users' credentials do not leak to unauthorized servers on the Internet. For example, if the app relies on third-party libraries, as many do, those libraries can potentially capture and leak sensitive credentials. Bugs in the applications can also result in exploitable vulnerabilities that leak credentials. This paper presents our work in progress on a prototype that enables developers to control how information flows within the app from sensitive UI data to specific servers. We extend FlowFence to enforce fine-grained information flow policies on sensitive UI data.