TY - GEN
T1 - Context-specific access control
T2 - 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2015
AU - Rahmati, Amir
AU - Madhyastha, Harsha V.
N1 - Publisher Copyright:
© 2015 ACM.
PY - 2015/10/12
Y1 - 2015/10/12
N2 - Current mobile platforms take an all-or-nothing approach to assigning permissions to applications. Once a user grants an application permission to access a particular resource, the application can use that permission whenever it executes thereafter. This enables an application to access privacy sensitive resources even when they are not needed for it to perform its expected functions. In this paper, we introduce \Context-Specific Access Con- trol" (CSAC) as a design approach towards enforcing the principle of least privilege. CSAC's goal is to enable a user to ensure that, at any point in time, an application has access to those resources which she expects are needed by the ap- plication component with which she is currently interacting. We study 100 popular applications from Google Play store and find that existing applications are amenable to CSAC as most applications' use of privacy sensitive resources is limited to a small number of contexts. Furthermore, via dy- namic analysis of the 100 applications and a small-scale user study, we find that CSAC does not prohibitively increase the number of access control decisions that users need to make.
AB - Current mobile platforms take an all-or-nothing approach to assigning permissions to applications. Once a user grants an application permission to access a particular resource, the application can use that permission whenever it executes thereafter. This enables an application to access privacy sensitive resources even when they are not needed for it to perform its expected functions. In this paper, we introduce \Context-Specific Access Con- trol" (CSAC) as a design approach towards enforcing the principle of least privilege. CSAC's goal is to enable a user to ensure that, at any point in time, an application has access to those resources which she expects are needed by the ap- plication component with which she is currently interacting. We study 100 popular applications from Google Play store and find that existing applications are amenable to CSAC as most applications' use of privacy sensitive resources is limited to a small number of contexts. Furthermore, via dy- namic analysis of the 100 applications and a small-scale user study, we find that CSAC does not prohibitively increase the number of access control decisions that users need to make.
UR - https://www.scopus.com/pages/publications/84955511598
U2 - 10.1145/2808117.2808121
DO - 10.1145/2808117.2808121
M3 - Conference contribution
AN - SCOPUS:84955511598
T3 - SPSM 2015 - Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, co-located with: CCS 2015
SP - 75
EP - 80
BT - SPSM 2015 - Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, co-located with
PB - Association for Computing Machinery, Inc
Y2 - 12 October 2015
ER -