TY - GEN
T1 - Stay in your Cage! a sound sandbox for third-party libraries on android
AU - Wang, Fabo
AU - Zhang, Yuqing
AU - Wang, Kai
AU - Liu, Peng
AU - Wang, Wenjie
N1 - Publisher Copyright:
© Springer International Publishing Switzerland 2016.
PY - 2016
Y1 - 2016
N2 - Third-party libraries are widely used in Android application development. While they extend functionality, third-party libraries are likely to pose a threat to users. Firstly, third-party libraries enjoy the same permissions as the applications; therefore libraries are overprivileged. Secondly, third-party libraries and applications share the same internal file space, so that applications’ files are exposed to thirdparty libraries. To solve these problems, a considerable amount of effort has been made. Unfortunately, the requirement for a modified Android framework makes their methods impractical. In this paper, a developer-friendly tool called LibCage is proposed, to prohibit permission abuse of third-party libraries and protect user privacy without modifying the Android framework or libraries’ bytecode. At its core, LibCage builds a sandbox for each third-party library in order to ensure that each library is subject to a separate permission set assigned by developers. Moreover, each library is allocated an isolated file space and has no access to other space. Importantly, LibCage works on Java reflection as well as dynamic code execution, and can defeat several possible attacks. We test on real-world third-party libraries, and the results show that LibCage is capable of enforcing a flexible policy on third-party libraries at run time with a modest performance overhead.
AB - Third-party libraries are widely used in Android application development. While they extend functionality, third-party libraries are likely to pose a threat to users. Firstly, third-party libraries enjoy the same permissions as the applications; therefore libraries are overprivileged. Secondly, third-party libraries and applications share the same internal file space, so that applications’ files are exposed to thirdparty libraries. To solve these problems, a considerable amount of effort has been made. Unfortunately, the requirement for a modified Android framework makes their methods impractical. In this paper, a developer-friendly tool called LibCage is proposed, to prohibit permission abuse of third-party libraries and protect user privacy without modifying the Android framework or libraries’ bytecode. At its core, LibCage builds a sandbox for each third-party library in order to ensure that each library is subject to a separate permission set assigned by developers. Moreover, each library is allocated an isolated file space and has no access to other space. Importantly, LibCage works on Java reflection as well as dynamic code execution, and can defeat several possible attacks. We test on real-world third-party libraries, and the results show that LibCage is capable of enforcing a flexible policy on third-party libraries at run time with a modest performance overhead.
UR - http://www.scopus.com/inward/record.url?scp=84990059348&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84990059348&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-45744-4_23
DO - 10.1007/978-3-319-45744-4_23
M3 - Conference contribution
AN - SCOPUS:84990059348
SN - 9783319457437
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 458
EP - 476
BT - Computer Security - 21st European Symposium on Research in Computer Security, ESORICS 2016, Proceedings
A2 - Katsikas, Sokratis
A2 - Meadows, Catherine
A2 - Askoxylakis, Ioannis
A2 - Ioannidis, Sotiris
PB - Springer Verlag
T2 - 21st European Symposium on Research in Computer Security, ESORICS 2016
Y2 - 26 September 2016 through 30 September 2016
ER -