Certified Lightweight Contextual Policies for Android

Mohamed Nassim Seghir, David Aspinall, Lenka Marekova

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Security in Android applications is enforced with access control policies implemented via permissions giving access to different resources on the phone. These permissions are often too coarse and on most Android platforms, based on an all-or-nothing decision. How can we grant permissions and be sure they will not be misused? We propose a policy-based lightweight approach for the verification and certification of Android applications with respect to a given policy. It consists of a verifier running on a conventional computer and a checker residing on an Android mobile device. The verifier applies static analysis to show the conformance between an application and a given policy. It also generates a certificate asserting the validity of the analysis result. The checker, on a mobile device, can then check the validity of the certificate to confirm or refute the fulfilment of the policy by the application before installing it. This scheme represents a potential future model for app stores where apps are equipped with policies and checkable evidence. We have implemented our approach and report on preliminary results obtained for a set of popular real-world applications.

Original languageEnglish
Title of host publicationProceedings - 2016 IEEE Cybersecurity Development, SecDev 2016
Place of PublicationBoston, MA, USA
PublisherInstitute of Electrical and Electronics Engineers (IEEE)
Number of pages7
ISBN (Electronic)978-1-5090-5589-0
ISBN (Print)978-1-5090-5590-6
Publication statusPublished - 6 Feb 2017
Event2016 IEEE Cybersecurity Development, SecDev 2016 - Boston, United States
Duration: 3 Nov 20164 Nov 2016


Conference2016 IEEE Cybersecurity Development, SecDev 2016
Country/TerritoryUnited States


  • Android
  • Certification
  • Security policies
  • Static analysis


Dive into the research topics of 'Certified Lightweight Contextual Policies for Android'. Together they form a unique fingerprint.

Cite this