jump to navigation

The Protection of Information Today September 16, 2013

Posted by kristinamensch in Security.

The computing world has drastically evolved in the 38 years since “The Protection of Information in Computer Systems” was written. [4] We have seen the rise of business computing, personal computing with the PC and laptop, and are now entering the age of mobile and social computing. The sheer volume and variety of information that is now stored, accessed, and transmitted by computing devices is likely greater than the authors could have predicted in 1975 and it continues to grow. Despite the rapid evolution of computing technology many aspects of this paper are still valid and applicable to information protection today.  As I was reading I was struck by how many of the 8 design principles recommended for the development of protection mechanisms are integral parts of technology today. More specifically, as an Android device owner and developer I recognized the specific principles of fail-safe defaults and least privilege [4] in their relation to the granting and requesting of Permissions in Android applications. As an Android user and developer I wonder how successful the implementation of permissions is in the protection of information?

Saltzer and Schroeder define information protection as ‘those security techniques that control the access of executing programs to stored information’. [4] The authors describe three categories of ‘security violations’: unauthorized information release, unauthorized information modification, and unauthorized denial of use. [4] Developers and IT security specialists today are continuously working to protect all information, including information stored on mobile devices, from these general threats. As previously stated a portion of the protection built into the Android universe is the concept of permissions, which utilize the principles of fail-safe defaults and least privilege.

According to [4], the principle of fail-safe defaults states that initial access for an application to stored data should be based on a set of permissions and not exclusion. Information owners should give explicit access permission to those applications, programs, or users that need to access information in order to appropriately control access and ensure information protection. Android users may recognize this principle of fail-safe defaults in the permissions request page that appears during the installation of an Android app. Permissions requested can range from access to the camera, contact information, SD drive, or telephone system. These permissions must be allowed by the user in order for the application to successfully complete its installation. Android developers, on the other hand, are concerned with the principle of least privilege, which states that each application should operate with the least amount of access possible for it to function properly. [4] The Android developer guide [1] recommends ‘minimizing the number of permissions that your app requests’ in order to reduce ‘the risk of inadvertently misusing those permissions’, ‘improve user adoption’, and make the app less desirable for attackers. Android users and developers have permission based information protection mechanisms in place, but are they being used?

The Google Play store has over 1 million apps available for users to download and use and more are added each day [3]. A recent report by Bit9 classified nearly 25% of all apps in the Google Play store as questionable based on criteria such as requested permissions, ratings, downloads, and reputation of the publisher. [5] It is sobering to think that roughly 20 of the 80 apps I have on my Android device could be putting my information at risk. Further, 26% of the apps available in the app store request access to your contact information, 72% of apps request at least 1 high-risk permission, or a permission that would give a requesting application access to private user data or control over the device that can negatively impact the user’. [5] A study by McAfee shows that many mobile users do not fully understand permissions and are at high risk for accepting intrusive permissions if the app is free. These apps can secretly leak your personal information to ad networks, access and utilize your SMS capabilities costing you money, or even allow malicious users control of your device. [2]

So, what can the developers and the average user do to protect themselves from intrusions associated with excessive permissions? Users should pay close attention to the permissions that each app requests and determine why that permission is needed. Pass up any apps that appear to have excessive permissions, have poor ratings, or unproven developers. Pay special attention to any apps associated with other popular apps – make sure that you are getting the right app from the desired publisher and not a ‘knock-off’ app. Developers can also help to make personal information more secure in apps by determining the fewest permissions needed for the app to work correctly and not asking for any more. Reducing the excessive permissions in apps might help users to become more aware of what permissions are necessary. Developers can also inform the user why they need the permissions that are requesting to make the application function. I believe that more conscientious developers and more knowledgeable users can go a long way in mobile app information protection. Do you also see the 8 design principles interwoven in current technologies to improve information protection?

[1] Android. Security Tips | Android Developers. http://developer.android.com/training/articles/security-tips.html (accessed September 15, 2013).

[2] Hinchcliffe, Alex, Barbara Kay, Shah, Jimmy, and Abhishek Verma. “http://www.mcafee.com/us/resources/reports/rp-mobile-security-consumer-trends.pdf.” McAfee – Antivirus, Encryption, Firewall, Email Security, Web Security, Risk & Compliance. June 2013. http://www.mcafee.com/us/resources/reports/rp-mobile-security-consumer-trends.pdf (accessed September 15, 2013).

[3] Rowinski, Dan. “Google Play Hits One Million Android Apps – ReadWrite.” ReadWrite. July 24, 2013. http://readwrite.com/2013/07/24/google-play-hits-one-million-android-apps#awesm=~ohDaEjTTlzTXY9 (accessed September 16, 2013).

[4] Saltzer, Jerome H, and Michael D. Schroeder. “The Protection of Information in Computer Science.” Proceedings of the IEEE (IEEE) 63, no. 9 (September 1975): 1278-1308.

[5] Sverdlove, Harry, and Jon Cilley. “https://www.bit9.com/files/1/Pausing-Google-Play-October2012.pdf.” Bit9 – Endpoint and Server Security. October 2012. https://www.bit9.com/files/1/Pausing-Google-Play-October2012.pdf (accessed September 14, 2013).



No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: