Computing Reviews
Today's Issue Hot Topics Search Browse Recommended My Account Log In
Review Help
Search
Porscha: policy oriented secure content handling in Android
Ongtang M., Butler K., McDaniel P.  ACSAC 2010 (Proceedings of the 26th Annual Computer Security Applications Conference, Austin, TX, Dec 6-10, 2010)221-230.2010.Type:Proceedings
Date Reviewed: Apr 1 2011

There is little protection for the content downloaded to cell phones. In Android, it is up to the programmers to define what their applications can access--malicious applications can exploit this in order to access unauthorized data. The Open Mobile Alliance (OMA), a consortium of phone manufacturers, defined digital rights management (DRM) requirements to enforce control of access to content. However, its granularity is too coarse: it does not protect content that is already on a phone because the rights are assigned to the whole phone, not to specific applications. To improve this situation, this paper proposes a policy-based access control system (Porscha) that protects the content when it is delivered to the phone and once it is on the phone.

This clear and well-written paper provides a concise survey of the main system and application features of Android architectures, with particular emphasis on security. It starts with a description of a phone’s uses, trying to understand its threats and define security requirements for the system; a set of DRM policies is defined from this analysis. The authors then analyze how content is delivered and used by applications, as well as any threats. They define a trusted computing base (TCB) and consider the network to be untrusted because of the deficiencies of current encryption approaches.

In order to protect content in transit, they define a type of public key infrastructure (PKI) that uses identity-based public keys. They also propose a mediator to enforce policies for the content on the phone. The paper evaluates the cost (overhead) of policy enforcement and finds it to be reasonable. The authors’ security evaluation includes protecting the private key, dealing with recipients without Porscha, and their assumptions about the level of trust on the platform, including Android and the Linux kernel. They also discuss Porscha as an access control system for content. The paper includes a good set of references.

This excellent paper will be very useful to readers who work in this field or who are concerned with the security of wireless applications.
Reviewer:  E. B. Fernandez Review #: CR138951 (1111-1167)
Bookmark and Share
  Reviewer Selected
Featured Reviewer 		 
 
General (C.2.0 )
 
 
Authentication (D.4.6 ... )
 
 
Portable Devices (C.5.3 ... )
 
 
Security and Protection (C.2.0 ... )
 
 
General (D.4.0 )
 
Would you recommend this review?
yes
no
Other reviews under "General": Date
Broadband access
Gillespie A., Artech House, Inc., Norwood, MA, 2001. Type: Book (9780890064733)		 Jun 26 2002
Data communications & teleprocessing systems (2nd ed.)
Housley T. (ed), Prentice-Hall, Inc., Upper Saddle River, NJ, 1987. Type: Book (9789780131973930)		 Dec 1 1987
Open systems
Nutt G., Prentice-Hall, Inc., Upper Saddle River, NJ, 1992. Type: Book (9780136362340)		 Sep 1 1992
more...
E-Mail This Printer-Friendly
Send Your Comments
Contact Us
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®
Terms of Use | Privacy Policy