BorderPatrol: Securing BYOD using Fine-Grained Contextual Information

Companies adopt Bring Your Own Device (BYOD) policies extensively, for both convenience and cost management. The compelling way of putting private and business related applications (apps) on the same device leads to the widespread usage of employee owned devices to access sensitive company data and services. Such practices create a security risk as a legitimate app may send business-sensitive data to third party servers through detrimental app functions or packaged libraries. In this paper, we propose BorderPatrol, a system for extracting contextual data that businesses can leverage to enforce access control in BYOD-enabled corporate networks through fine-grained policies. BorderPatrol extracts contextual information, which is the stack trace of the app function that generated the network traffic, on provisioned user devices and transfers this data in IP headers to enforce desired policies at network routers. BorderPatrol provides a way to selectively prevent undesired functionalities, such as analytics activities or advertisements, and help enforce information dissemination policies of the company while leaving other functions of the app intact. Using 2,000 apps, we demonstrate that BorderPatrol is effective in preventing packets which originate from previously identified analytics and advertisement libraries from leaving the network premises. In addition, we show BorderPatrol's capability in selectively preventing undesirable app functions using case studies.