Plugin in the Middle - Minimising Security Risks in Mobile Middleware Implementations

P. Aufner, G. Merzdovnik, M. Huber, E. Weippl:
"Plugin in the Middle - Minimising Security Risks in Mobile Middleware Implementations";
Vortrag: 7th International Conference on Security of Information and Networks (SIN 2014), Glasgow, Scotland Uk; 09.09.2014 - 11.09.2014; in:"Proceedings of the 7th International Conference on Security of Information and Networks", ACM Digital Library, (2014), S. 434 - 440.

[ Publication Database ]

Abstract:


Mobile computing platforms, like smartphones and tablet computers, are becoming a commodity nowadays. The diversity and fast changing nature of these systems often makes it hard for developers to adapt their applications to the user's context. To simplify development a number of approaches have been suggested, which offer a context-middleware solution such that common functionality can be pooled into plugins and provided to applications. These extensions are then automatically installed if needed, thus enabling easier and faster development of complex applications. Furthermore, if the device changes, it often suffices to exchange the plugins for the applications to function correctly. However, mobile platforms like Android never expected integration in the sense that one application would dynamically host pieces of code from different vendors and allow access to other applications, since doing so basically circumvents many built-in security measures of the operating system. In this paper we analyze Ambient Dynamix, an advanced context-middleware solution, in detail. Hereby, we propose and evaluate security mechanisms to increase the security of Ambient Dynamix. We outline a system to verify the permissions an application requests against the actual Ambient Dynamix plugins it uses. In the following, we evaluate the use of static code analysis to ensure requested and used permissions by a novel method for lightweight on-device analysis. Finally, we propose a secure infrastructure to host, download and install third-party plugins. Our proposed security extensions significantly improve the user's security regarding third-party applications and considerably advance the area of secure mobile middleware.