Securing Enterprise Data on Smartphones Using Run Time Information Flow Control

There is an increasing penetration of smart phones within enterprises. Most smart phone users now run both enterprise as well as personal applications simultaneously on their phones. However, most of the personal apps that are downloaded from public market places are hardly tested for enterprise grade security, and there have been instances of malware appearing in public markets that steal sensitive user information. Smart phone platforms such as Android require users to explicitly provide permissions to applications at install time, yet lack run time monitoring of permission usage by applications. In this paper, we present a framework for the run time enforcement of privacy policies on smart phones, in particular, protecting the privacy of enterprise data on smart phones. Our privacy policies are defined in terms of permissible information flows on the phone during different contexts. This arms users with finer grained control over information access by different applications. In our policy framework, an information flow is defined based on the entities involved in the corresponding inter-process communication(IPC) viz, the caller, callee and the associated IPC data. The information flow policy specifies the conditions under which an IPC flow may be permitted (or denied). Our system tracks information flows at run time and enforces that only flows satisfying all the current policies are permitted on the phone. We describe the design and implementation of our policy based framework in Android, and present performance evaluation results measuring the overhead imposed by our framework.