ESARA: A Framework for Enterprise Smartphone Apps Risk Assessment

Hatamian, M.; Pape, S. and Rannenberg, K.

In ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Lisbon, Portugal, June 25-27, 2019, Proceedings, pages 165-179, 2019, Acceptance rate: 26 / 142 = 18.3%.


Protecting enterprise's confidential data and infrastructure against adversaries and unauthorized accesses has been always challenging. This gets even more critical when it comes to smartphones due to their mobile nature which enables them to have access to a wide range of sensitive information that can be misused. The crucial questions here are: How the employees can make sure the smartphone apps that they use are trustworthy? How can the enterprises check and validate the trustworthiness of apps being used within the enterprise network? What about the security and privacy aspects? Are the confidential information such as passwords, important documents, etc. are treated safely? Are the employees' installed apps monitoring/spying the enterprise environment? To answer these questions, we propose Enterprise Smartphone Apps Risk Assessment (ESARA) as a novel framework to support and enable enterprises to analyze and quantify the potential privacy and security risks associated with their employees' installed apps. Given an app, ESARA first conducts various analyses to characterize its vulnerabilities. Afterwards, it examines the app's behavior and overall privacy and security perceptions associated with it by applying natural language processing and machine learning techniques. The experimental results using app behavior and perception analyses indicate that: (1) ESARA is able to examine apps' behavior for potential invasive activities; and (2) the analyzed privacy and security perceptions by ESARA usually reveal interesting information corresponding to apps' behavior achieved with high accuracy.



  author    = {Majid Hatamian and Sebastian Pape and Kai Rannenberg},
  title     = {{ESARA}: A Framework for Enterprise Smartphone Apps Risk Assessment},
  booktitle = {{ICT} Systems Security and Privacy Protection - 34th {IFIP} {TC} 11 International Conference, {SEC} 2019, Lisbon, Portugal, June 25-27, 2019, Proceedings},
  year      = {2019},
  pages     = {165--179},
  month     = {06},
  doi       = {10.1007/978-3-030-22312-0\_12},
  keywords  = {security, Privacy'n'us, security management},
  url       = {\_12},