Security Architecture for a Secure Database on Android

Jin Hyung Park, Seok Man Yoo, In-Seok Kim, Dong Hoon Lee

Research output: Contribution to journal › Article

2 Citations (Scopus)

Abstract

As mobile devices are increasingly used in various daily activities, they have become portable storage that holds a wide range of personal and business information of users. Most mobile OSes, including Android, store personal data in databases and provide APIs that apps can use to access a database managed by the system or to manage their own databases. However, Android, which is our main focus here, stores data as plaintext in its databases; as a result, database content can be leaked unintentionally through several vulnerabilities. Additionally, the responsibility for the security of the database content created by an app lies with the developer of that app, while the mobile OS provides only minimal security features, such as isolation and access control. In this paper, we propose a security architecture for constructing a secure database environment on Android. To this end, we entirely separate the database system from the app domain; to the best of our knowledge, this is the first such design for localized mobile databases. The separated database system manages a database with encryption, so data are no longer stored as plaintext. By transferring this responsibility to the system, the separation frees app developers from the difficult task of managing the security of the database. The proposed system also provides tight access control over a database by using runtime information about an app. Note that the current access control of Android is based on the Linux uid of an app; thus, access to a database is granted if the app has the correct uid, regardless of the identity of the app. In contrast, our method creates a one-to-one pairing between an app and its database, and ensures that database access is granted only to the owner app. Additionally, we propose a similarity comparison method that helps to determine whether a new app is an update of a previous version; this improves upon the current method, which relies only on a signature check and the package name of the app. To evaluate the feasibility of the proposed architecture, we conduct a series of experiments on our prototype implementation. The results show that the proposed secure database architecture is feasible with acceptable overhead.

Original language: English
Pages (from-to): 11482-11501
Number of pages: 20
Journal: IEEE Access
Volume: 6
DOI: 10.1109/ACCESS.2018.2799384
Publication status: Published - 2018 Jan 26

Fingerprint

Application programs
Access control
Android (operating system)
Data privacy
Application programming interfaces (API)
Mobile devices
Cryptography

Keywords

  • Android
  • mobile database
  • secure database

ASJC Scopus subject areas

  • Computer Science (all)
  • Materials Science (all)
  • Engineering (all)

Cite this

Security Architecture for a Secure Database on Android. / Park, Jin Hyung; Yoo, Seok Man; Kim, In-Seok; Lee, Dong Hoon.

In: IEEE Access, Vol. 6, 26.01.2018, p. 11482-11501.
Park, Jin Hyung ; Yoo, Seok Man ; Kim, In-Seok ; Lee, Dong Hoon. / Security Architecture for a Secure Database on Android. In: IEEE Access. 2018 ; Vol. 6. pp. 11482-11501.
@article{5e2f0935edbe4255907ff83db346dde5,
title = "Security Architecture for a Secure Database on Android",
abstract = "As mobile devices are increasingly used in various daily activities, they have become portable storage that holds a wide range of personal and business information of users. Most mobile OSes, including Android, store personal data in databases and provide APIs that apps can use to access a database managed by the system or to manage their own databases. However, Android, which is our main focus here, stores data as plaintext in its databases; as a result, database content can be leaked unintentionally through several vulnerabilities. Additionally, the responsibility for the security of the database content created by an app lies with the developer of that app, while the mobile OS provides only minimal security features, such as isolation and access control. In this paper, we propose a security architecture for constructing a secure database environment on Android. To this end, we entirely separate the database system from the app domain; to the best of our knowledge, this is the first such design for localized mobile databases. The separated database system manages a database with encryption, so data are no longer stored as plaintext. By transferring this responsibility to the system, the separation frees app developers from the difficult task of managing the security of the database. The proposed system also provides tight access control over a database by using runtime information about an app. Note that the current access control of Android is based on the Linux uid of an app; thus, access to a database is granted if the app has the correct uid, regardless of the identity of the app. In contrast, our method creates a one-to-one pairing between an app and its database, and ensures that database access is granted only to the owner app. Additionally, we propose a similarity comparison method that helps to determine whether a new app is an update of a previous version; this improves upon the current method, which relies only on a signature check and the package name of the app. To evaluate the feasibility of the proposed architecture, we conduct a series of experiments on our prototype implementation. The results show that the proposed secure database architecture is feasible with acceptable overhead.",
keywords = "Android, mobile database, secure database",
author = "Park, {Jin Hyung} and Yoo, {Seok Man} and In-Seok Kim and Lee, {Dong Hoon}",
year = "2018",
month = "1",
day = "26",
doi = "10.1109/ACCESS.2018.2799384",
language = "English",
volume = "6",
pages = "11482--11501",
journal = "IEEE Access",
issn = "2169-3536",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
}
