An Application Restriction System for Bring-Your-Own-Device Scenarios

Different containerization techniques have been developed to ensure the separation of enterprise content and personal data on an end-user's device. Although the enterprise manages the environment in which work-related activities are conducted, referred to as a work persona, third-party applications installed on the mobile devices may make the enterprise content vulnerable to misuse or exfiltration. It is thus critical that enterprises be given the ability to restrict the capabilities of third-party applications that reside in the work persona. In mobile systems, applications typically request to use a list of capabilities on the device prior to being installed on the device, and all l capabilities must be granted in order for the applications to be installed. Our approach, that we refer to as DroidARM, focuses on post-installation application restriction policies. Such policies dynamically restrict the capabilities of mobile applications at run-time. An application restriction policy is configured through our Application Restriction Manager (ARM) Policy Manager that allows one to set different restrictions for each installed application. Adhering to the policy, our ARM system limits the capabilities of an application by restricting access to data and system resources contained within the work persona. Data shadowing is a data and system resource protection technique we have chosen to leverage. We have implemented DroidARM and integrated it into the Android operating system. Our experimental results show that our approach is efficient and effective.