A commentary by In-Hwan Kim

CRePE: Context-Related Policy Enforcement for Android. Mauro Conti, Vu Thien Nga Nguyen and Bruno Crispo. Proceedings of the 13th International Conference on Information Security. A commentary by In-Hwan Kim. Summary.

Presentation Transcript


  1. CRePE: Context-Related Policy Enforcement for Android. Mauro Conti, Vu Thien Nga Nguyen and Bruno Crispo. Proceedings of the 13th International Conference on Information Security. A commentary by In-Hwan Kim

  2. Summary • CRePE: A system to enforce fine-grained security policies dependent on the context of the smart phone.

  3. Appreciative Comment • Addresses a limitation in the current Android security model where policies cannot be enforced or modified at application runtime. “We observe that the current Android security model cannot serve our purpose of enforcing fine-grained context-related security policies. In fact, there are no mechanisms either to enforce or to change policies at application run-time.”

  4. Critical Comment • The authors do not take into full consideration the real world usability of CRePE. “This section presents how CRePE works in a scenario cited in Section 1. We consider the example of a company that wants to restrict the set of applications that can run, during work activities, on the smartphones that the company has given to its employees.”

  5. Does it really work? • Government and “trusted” third party control over your phone. • Most people won’t bother. “Meanwhile, to protect users’ privacy, the current security models restrict trusted third parties’ control on mobile phones. Typically, only the device manufacturer and the telephone company have a small control on the smartphone. There are no mechanisms to allow other authorized parties (e.g. a government agency or a company that bought a smartphone for its employee) to have any direct control on the phone.”

  6. More limitations… • Significant reduction in battery life. • Location context polling creates a window of opportunity for attackers. • Some applications may not run. “The energy overhead induced by CRePE is some 50% of the Android consumption when 10 rules are set, while it becomes more than 100% of the Android’s one when the rules are 50.”

  7. Question • If CRePE came standard with all new mobile phones sold today and in the future, how would you respond?
