AppShield: A Proxy-Based Data Access Mechanism in Enterprise Mobility Management

NU 2015-078

 

Inventors

Yan Chen*

Vaibhav Rastogi

Zhengyang Qu

Guanyu Guo

Zhengyue Shao

 

Short Description

An OS-independent data access mechanism for more secure enterprise mobility management

 

Abstract

With the popularity of bring your own device (BYOD), employees tend to use personal devices to access corporate resources. While BYOD is convenient, using one device for both business and personal purposes creates new security threats. It is critical that privileged data be isolated from personal applications, which is the fundamental requirement of Enterprise Mobility Management (EMM). Android, the mobile OS with the most dominant market share, lacks trustworthiness for EMM because of the large amount of malware and the absence of centralized application regulation. Existing solutions have a series of limitations, such as dependencies on or modifications to the OS and heavy developer support. Northwestern researchers have developed an OS-independent solution called AppShield, which can serve as an enterprise mobile application management (MAM) vendor. It can grant a selective set of applications permission to access privileged data via file systems and content providers. The solution consists of two essential components: (1) an application rewriting framework that builds EMM features into general Android applications and completely captures high-level stealthy data operations by hooking the low-level Linux system calls; and (2) a proxy-based data access mechanism for policy enforcement that has the cross-platform property. AppShield effectively enforced security policies in over 90% of applications in their small-scale evaluation and exhibited high reliability, with crash rates of less than 5%, in their large-scale evaluation. Moreover, the rewriting method introduces little performance penalty and only small increases in memory consumption and code size.

 

Applications

  • Enterprise Mobility Management

 

Advantages

  • Flexible and dynamic enterprise data access control. AppShield grants a selective set of business applications permission to access a set of enterprise data, and this can be configured dynamically and in real time.
  • Portability. Unlike OS modification-based MAM solutions, AppShield does not require modifications to or dependencies on the operating system. It can be deployed across all versions of Android OS and all types of devices.
  • Low performance penalty. The virtualization-based method is not suited to the mobile platform, which has limited computing resources. AppShield's rewriting method has low resource consumption, since only one OS instance is running.
  • Complete mediation. AppShield interposes security policies on the low-level Linux system calls, so that all high-level stealthy channels (e.g., Java reflection, dynamic loading, and native code) can be captured, monitored and controlled.
  • No developer support required. Unlike the SDK-based method, developers are not required to produce a business version of an application. AppShield can automatically generate and deploy the hardened version.

 

Publications

Qu Z, Guo G, Shao Z, Rastogi V, Chen Y, Chen H and Hong W (2016) AppShield: Enabling Multi-entity Access Control Cross Platforms for Mobile App Management, 12th EAI International Conference on Security and Privacy in Communication Networks.

 

IP Status

A non-provisional patent application was filed.
