User-delegated privileges, called permissions in Android's jargon, form a central component of mobile systems' privacy protection. To protect users' privacy and ensure the system's security, it is paramount that users are able to correctly grant privileges to apps and that app developers know how to correctly request and use permissions. In this line of work, we investigate whether app developers have adapted to Android's runtime permission model and whether users understand how to make use of it.
Further, a second central line of work is to redesign the permission model to allow defensive programming with app compartmentalization and least-privilege execution. Android's permission model currently upholds the notion of an "ambient authority" in which all components of an app inherit the same privileges, which prevents efficient privilege separation of particular components (e.g., advertisement libs). We proposed replacing permissions with object capabilities (Dawoud and Bugiel 2019), which allow a more fine-grained, efficient management of permissions, and show that capabilities fit very well into the design of mobile systems like Android.
The Android middleware has been a popular target for security extensions over the last few years. For instance, context-aware policies, DRM-like solutions, developer-centric policies, or generic mandatory access control infrastructures have been brought forward, just to name a few. However, almost no consideration has been given to how to analyze or security test the large, highly complex code base of the Android middleware. In this project, we advance the state of the art in analysis and security testing to enable various security- and privacy-focused investigations, such as permission mapping (Backes et al. 2016), fuzzing, or placement of access control hooks.
While the majority of Android security research has focused on the platform, market operators, and end-users as primary security principals, the Android ecosystem consists of many more stakeholders that have a (sometimes significant) influence on the security state of the overall ecosystem (Acar et al. 2016). In this project, we investigate and quantify this influence of third-party stakeholders (Backes, Bugiel, and Derr 2016; Derr et al. 2017; Oltrogge et al. 2018) and propose new techniques and workflows that improve the overall security state of the Android ecosystem (Huang et al. 2017; Huang et al. 2019).
The LibScout tool developed as part of this research has been made publicly available on GitHub.
Android Security Framework (ASF) is a generic, extensible security framework for Android that enables the development and integration of a wide spectrum of security models in the form of code-based security modules. The design of ASF reflects lessons learned from the literature on established security frameworks (such as Linux Security Modules or the BSD MAC Framework) and intertwines them with the particular requirements and challenges of Android's software stack. ASF provides a novel security API that supports authors of Android security extensions in developing their modules. This overcomes the current unsatisfactory situation of shipping security solutions either as separate patches to the Android software stack or by embedding them into Android's mainline codebase. As a result, ASF provides practical benefits such as a higher degree of acceptance, adaptation, and maintenance of security solutions than previously possible on Android. We present a prototypical implementation of ASF and demonstrate its effectiveness and efficiency by modularizing different security models from related work, such as context-aware access control, inlined reference monitoring, and type enforcement.
Source code, example security modules, and documentation can be retrieved from the project website.
Peer-reviewed publications with contributions by members of the Trusted Systems Group: