APE: Intrusion Protection System for Android Devices

Unlike common laptop and desktop security products, current Android defenses are unable to proactively prevent network-based attacks. To bridge this gap, MITRE developed a patented application, the Intrusion Prevention System for Android devices (known as APE), which prevents attacks before they occur. APE exists in the form of an ordinary user space application on a device and performs deep packet inspection and filtering of internet protocol version 4 (IPv4) traffic entering and leaving the device. This capability allows APE to block malicious traffic and lower the attack profile of Android devices.

APE runs as a standard application on an Android device and examines all IPv4 network traffic entering and leaving the device, whether it travels over a cellular or a Wi-Fi connection. Each packet is compared against a local rule set, stored within the app, that defines malicious behaviors. If a matching rule is found, the packet is blocked. A rule can be as simple as blacklisting a certain IP address or disallowing a given protocol over a given port. By evaluating the network traffic and blocking malicious traffic before it reaches the local apps on the device, APE prevents compromises before they occur. APE also evaluates and blocks malicious behavior in outbound network traffic, such as data being siphoned to known malware domains. Updates to the app and the associated ruleset could be pushed out from the Google Play Store, like any other app.

APE is a first-of-its-kind Android security app that provides these major benefits:

  1. Blocks known network attacks, completely negating the effect they would have had.
  2. Mitigates newly discovered attacks by simply updating the ruleset, rather than updating the operating system (waiting for a vendor patch can take months, if a patch is even issued at all).
  3. Lowers the device's attack profile by blocking unneeded ports and protocols, which makes it harder for attackers to search for vulnerabilities.
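The packet-filtering model described above, as an added example that is not MITRE's APE code: it decodes the IPv4 header fields a filter needs, reads the TCP/UDP ports, and evaluates a packet against the two rule kinds the page names (a blacklisted address and a disallowed protocol-over-port). The rule set, the addresses and the `build_ipv4` helper are constructed for illustration; an Android implementation would obtain the raw packets from the platform's user-space networking hooks.

```python
# Added example: minimal IPv4 rule filter in the style the page describes.
# Not APE's code; rules and addresses below are constructed for illustration.
import ipaddress
import struct

PROTO_TCP, PROTO_UDP = 6, 17

def parse_ipv4(packet: bytes) -> dict:
    """Decode protocol, addresses and (for TCP/UDP) ports from a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    sport = dport = None
    # TCP and UDP both carry source/destination ports in their first 4 bytes.
    if proto in (PROTO_TCP, PROTO_UDP) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

# Constructed rule set. ("ip", addr) blocks packets to or from addr in either
# direction; ("port", proto, port) blocks that protocol to or from that port.
RULES = [
    ("ip", "203.0.113.7"),       # example known-bad host (documentation range)
    ("port", PROTO_TCP, 23),     # telnet is not needed on a phone
    ("port", PROTO_UDP, 1900),   # SSDP discovery exposure
]

def matching_rule(fields: dict, rules=RULES):
    """Return the first rule the packet matches, or None if it should pass."""
    for rule in rules:
        if rule[0] == "ip" and rule[1] in (fields["src"], fields["dst"]):
            return rule
        if (rule[0] == "port" and rule[1] == fields["proto"]
                and rule[2] in (fields["sport"], fields["dport"])):
            return rule
    return None

def should_block(packet: bytes) -> bool:
    """Filter decision for one raw packet, inbound or outbound."""
    return matching_rule(parse_ipv4(packet)) is not None

def build_ipv4(src, dst, proto, sport, dport) -> bytes:
    """Constructed test helper: 20-byte IPv4 header plus a 4-byte port stub."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport)
```

Both inbound and outbound packets pass through the same `should_block` decision, which is how the outbound exfiltration case the page mentions is covered by an address rule.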

To discuss licensing or collaboration activities, please contact MITRE's TTO.