AuDroid: preventing attacks on audio channel sin mobile devices
AuDroid: preventing attacks on audio channel sin mobile devices
Voice control is a popular way to operate mobile devices, enabling users to communicate requests to their devices. However, adversaries can leverage voice control to trick mobile devices into executing commands to leak secrets or to modify critical information. Contemporary mobile operating systems fail to prevent such attacks because they do not control access to the speaker at all and fail to control when untrusted apps may use the microphone, enabling authorized apps to create exploitable communication channels. In this paper, we propose a security mechanism that tracks the creation of audio communication channels explicitly and controls the information flows over these channels to prevent several types of attacks. We design and implement AuDroid, an extension to the SE Linux reference monitor integrated into the Android operating system for enforcing lattice security policies over the dynamically changing use of system audio resources. To enhance flexibility, when information flow errors are detected, the device owner, system apps and services are given the opportunity to resolve information flow errors using known methods, enabling AuDroid to run many configurations safely. We evaluate our approach on 17 widely-used apps that make extensive use of the microphone and speaker, finding that AuDroid prevents six types of attack scenarios on audio channels while permitting all 17 apps to run effectively. AuDroid shows that it is possible to prevent attacks using audio channels without compromising functionality or introducing significant performance overhead.
181–190
Association for Computing Machinery
Petracca, Giuseppe
3175fb3e-c6fc-43ba-b33c-89976210590c
Sun, Yuqiong
9795b349-1441-4f7f-a858-a965862cb089
Jaegar, Trent
541d5f39-e184-401a-9c6b-b14f00e7225b
Atamli, Ahmad
dacf7d9e-9898-4385-bf88-5aec14d76872
1 December 2015
Petracca, Giuseppe
3175fb3e-c6fc-43ba-b33c-89976210590c
Sun, Yuqiong
9795b349-1441-4f7f-a858-a965862cb089
Jaegar, Trent
541d5f39-e184-401a-9c6b-b14f00e7225b
Atamli, Ahmad
dacf7d9e-9898-4385-bf88-5aec14d76872
Petracca, Giuseppe, Sun, Yuqiong, Jaegar, Trent and Atamli, Ahmad
(2015)
AuDroid: preventing attacks on audio channel sin mobile devices.
In ACSAC 2015: Proceedings of the 31st Annual Computer Security Applications Conference.
Association for Computing Machinery.
.
(doi:10.1145/2818000.2818005).
Record type:
Conference or Workshop Item
(Paper)
Abstract
Voice control is a popular way to operate mobile devices, enabling users to communicate requests to their devices. However, adversaries can leverage voice control to trick mobile devices into executing commands to leak secrets or to modify critical information. Contemporary mobile operating systems fail to prevent such attacks because they do not control access to the speaker at all and fail to control when untrusted apps may use the microphone, enabling authorized apps to create exploitable communication channels. In this paper, we propose a security mechanism that tracks the creation of audio communication channels explicitly and controls the information flows over these channels to prevent several types of attacks. We design and implement AuDroid, an extension to the SE Linux reference monitor integrated into the Android operating system for enforcing lattice security policies over the dynamically changing use of system audio resources. To enhance flexibility, when information flow errors are detected, the device owner, system apps and services are given the opportunity to resolve information flow errors using known methods, enabling AuDroid to run many configurations safely. We evaluate our approach on 17 widely-used apps that make extensive use of the microphone and speaker, finding that AuDroid prevents six types of attack scenarios on audio channels while permitting all 17 apps to run effectively. AuDroid shows that it is possible to prevent attacks using audio channels without compromising functionality or introducing significant performance overhead.
This record has no associated files available for download.
More information
Accepted/In Press date: 30 July 2015
e-pub ahead of print date: 1 December 2015
Published date: 1 December 2015
Venue - Dates:
ACSAC 2015: 2015 Annual Computer Security Applications Conference, , Los Angeles, United States, 2015-12-07 - 2015-12-11
Identifiers
Local EPrints ID: 445357
URI: http://eprints.soton.ac.uk/id/eprint/445357
PURE UUID: 08d6429c-f066-42a7-8b8a-d0514de02b4e
Catalogue record
Date deposited: 03 Dec 2020 17:34
Last modified: 16 Mar 2024 10:06
Export record
Altmetrics
Contributors
Author:
Giuseppe Petracca
Author:
Yuqiong Sun
Author:
Trent Jaegar
Author:
Ahmad Atamli
Download statistics
Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.
View more statistics