A privacy enforcing framework for Android applications

The widespread adoption of the Android operating system in a variety type of devices ranging from smart phones to smart TVs, makes it an interesting target for developers of malicious applications. One of the main flaws exploited by these developers is the permissions granting mechanism, which does not allow users to easily understand the privacy implications of the granted permissions. In this paper, we propose an approach to enforce fine-grained usage control privacy policies that enable users to control the access of applications to sensitive resources through application instrumentation. The purpose of this work is to enhance user control on privacy, confidentiality and security of their mobile devices, with regards to application intrusive behaviours. Our approach relies on instrumentation techniques and includes a refinement step where high-level resource-centric abstract policies defined by users are automatically refined to enforceable concrete policies. The abstract policies consider the resources being used and not the specific multiple concrete API methods that may allow an app to access the specific sensitive resources. For example, access to the user location may be done using multiple API methods that should be instrumented and controlled according to the user selected privacy policies. We show how our approach can be applied in Android applications and discuss performance implications under different scenarios.