Multi-Layer Access Control on Android

Smartphones and tablets have become an integral part of our daily lives. They increasingly store and process security- and privacy-sensitive data, which makes them attractive targets for attackers. Today the most popular and widespread smartphone operating system is Google's Android.

Android has been shown to be vulnerable to a number of different attacks: malicious apps and libraries that misuse their privileges to extract security- and privacy-sensitive information or even exhibit botnet-like behavior by means of root exploits, attacks that take advantage of unprotected interfaces and files, confused-deputy attacks, and collusion attacks.

Almost all existing proposals for security extensions to Android constitute mandatory access control (MAC) mechanisms that are tailored to the specific semantics of the problem they address, for instance establishing fine-grained access control to the user's private data or protecting platform integrity. However, all existing solutions fall short in one important respect: they consider protection only at a single system abstraction layer, either at the middleware and/or application layer or at the kernel level. Thus, they ignore a peculiarity of the Android OS design: each of its two software layers (middleware and kernel) matters, within its respective semantics, for the overall security and privacy that can be achieved. Any middleware security extension can be circumvented by a successful privilege escalation at the kernel level. Conversely, kernel-level extensions lack the high-level semantics required to provide sufficient and fine-grained protection against security flaws in the middleware.

In this project, we tackle the challenge of providing a consolidated multi-layer security architecture for Android that can serve as a flexible and effective ecosystem in which different security solutions can be instantiated. These solutions are defined as use-cases in an efficient policy language that is inspired by SELinux but tailored to the specifics of Android's API-oriented system design in order to reduce policy complexity. Possible policy-driven use-cases include empowering the user to define fine-grained, per-app access control to their personal data, developer-defined access control to the components of their applications, enabling multi-persona phones, or temporarily locking the phone in a "phone booth mode".