This project investigates a new approach for describing and reasoning about security properties of smartphone applications. Smartphones are becoming pervasive, and smartphone applications are increasingly used for a variety of social, health, scientific, and military purposes. However, the capabilities these phones provide, such as access to GPS, camera, Internet, calendar, contacts, and other sensitive information, can lead to major security risks. Today's smartphone development methodologies do little to help developers construct applications that safely access sensitive resources.
The goal of this project is to develop new program analysis techniques that help developers express, reason about, and enforce security policies for smartphone applications. The proposed technical approach allows developers to define rich security policies in an intuitive and flexible manner: as program code that interacts with a mobile application and checks the desired properties. To ensure that application code conforms to such policies, the project is pursuing several techniques that leverage recent advances in static and dynamic program analysis. The project is also investigating approaches to automatically synthesize a code-based policy for a given application. The project is instantiating these ideas in the context of Google's Android operating system, and is evaluating them in terms of effectiveness and performance on a broad range of Android-based smartphone applications.
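To make the "policy as program code" idea concrete, the following is an added Python sketch, not code from the project: each policy is an ordinary function run over a recorded trace of an application's calls to sensitive APIs, the kind of trace a dynamic analysis could produce. The event trace, the use of Android method names purely as labels, and the two policies (no private data to the network; no camera use while the activity is paused) are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Sensitive sources mapped to the label their result carries, and sinks
# through which data leaves the device. The Android method names are used
# only as labels in this constructed example.
SOURCES = {
    "LocationManager.getLastKnownLocation": "LOCATION",
    "TelephonyManager.getDeviceId": "DEVICE_ID",
}
NETWORK_SINKS = {"HttpClient.execute", "SmsManager.sendTextMessage"}


@dataclass(frozen=True)
class Event:
    """One observed API call. `out` is the variable receiving (or mutated by)
    the call's result; `args` are the variables passed in."""
    api: str
    out: Optional[str] = None
    args: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Violation:
    index: int          # position of the offending call in the trace
    api: str            # the sink that was reached
    labels: frozenset   # which sensitive labels reached it


def _labels_of(taint: Dict[str, set], args: Tuple[str, ...]) -> set:
    """Union of the labels carried by the given variables."""
    return set().union(*(taint.get(a, set()) for a in args))


def no_private_data_to_network(trace: Sequence[Event]) -> List[Violation]:
    """Policy: nothing derived from a sensitive source may reach a network sink.
    Implemented as simple dynamic taint tracking over the trace."""
    taint: Dict[str, set] = {}
    violations: List[Violation] = []
    for i, ev in enumerate(trace):
        if ev.api in SOURCES:
            taint[ev.out] = {SOURCES[ev.api]}
            continue
        labels = _labels_of(taint, ev.args)
        if ev.api in NETWORK_SINKS:
            if labels:
                violations.append(Violation(i, ev.api, frozenset(labels)))
        elif ev.out is not None and labels:
            # Any other call propagates the union of its arguments' labels.
            taint[ev.out] = labels
    return violations


def no_background_camera(trace: Sequence[Event]) -> List[int]:
    """Policy: the camera may be opened only while the activity is in the
    foreground. A stateful, temporal property the trace makes checkable."""
    foreground = True
    offenders: List[int] = []
    for i, ev in enumerate(trace):
        if ev.api == "Activity.onPause":
            foreground = False
        elif ev.api == "Activity.onResume":
            foreground = True
        elif ev.api == "Camera.open" and not foreground:
            offenders.append(i)
    return offenders


def check(trace: Sequence[Event], policies: Sequence[Callable]) -> Dict[str, list]:
    """Run every policy over the trace. A policy is any callable that returns
    a (possibly empty) list of findings, so new policies are just new code."""
    return {p.__name__: p(trace) for p in policies}


# Constructed trace: a device id is read but never sent; a location is
# coarsened to a latitude, placed in an HTTP request and sent; the camera
# is opened after the activity has been paused.
SAMPLE_TRACE = [
    Event("TelephonyManager.getDeviceId", out="did"),
    Event("LocationManager.getLastKnownLocation", out="loc"),
    Event("Location.getLatitude", out="lat", args=("loc",)),
    Event("HttpPost.setEntity", out="req", args=("req", "lat")),
    Event("HttpClient.execute", args=("req",)),
    Event("Activity.onPause"),
    Event("Camera.open", out="cam"),
    Event("Activity.onResume"),
]

if __name__ == "__main__":
    results = check(SAMPLE_TRACE, [no_private_data_to_network, no_background_camera])
    for name, findings in results.items():
        print(name, "->", findings or "ok")
```

Because the policies are plain functions, a developer can compose them, parameterise them (for example, whitelisting a particular host for the network sink) or test them against traces like the one above; the same functions could equally be evaluated against paths enumerated by a static analysis instead of a recorded run.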