
Developing Systems with Secure Information Flow

Subject Area: Software Engineering and Programming Languages
Term: from 2010 to 2018
Project identifier: Deutsche Forschungsgemeinschaft (DFG) - Project number 183481129
 
More and more private data is stored on mobile devices, and protecting this information against unauthorized access is becoming increasingly important. This concerns protection against outside attackers, but also protection against unintended information flows between apps and devices, and to the Internet. In this project we focus on the second aspect while also considering an external attacker. We develop a new approach that integrates formally verified information flow control (IFC) properties and language-based IFC with a software engineering approach based on model-driven development. The approach starts with a UML model enhanced with application-specific specifications of information flow properties (e.g., credit card information is sent only after confirming a booking) that may be configured by the user. Model-to-model transformations generate platform-specific Java code as well as a formal specification. To verify information flow properties of programs, we use automatic techniques based on language-based IFC and abstract interpretation. The results of this analysis can be used as key theorems to establish application-specific security properties. The focus is on Android apps and Java web services.
DFG Programme: Priority Programmes
 
 
