Android Security

System designers have long struggled with the challenge of determining how to obtain user authorizations securely and effectively for allowing untrusted applications to perform sensitive system operations on privacy-sensitive device sensors. While trusted paths enable the system to receive authentic user input, systems have to bridge a semantic gap to determine the intent of an application-specific user input, and untrusted applications may try to spoof the user and/or the system to obtain unauthorized access. In this paper, we propose that users explicitly authorize the operations allowed by their user input events and bind it to specific contexts within which an application can operate sensitive device sensors. To demonstrate this approach, we implement the AWare authorization framework for Android, extending the Android Middleware to control access to sensitive device sensors. We evaluate the effectiveness of AWare in preventing abuse of such sensors by malicious applications in a laboratory-based user study, finding that at most 7% of the users were tricked by examples of four types of attacks when using AWare, while 88% of users were tricked when using alternative approaches on average. Also, we study the decision overhead required of the users for the finer-grained access control in AWare, finding that the user effort is limited to only 2 additional decisions, on average, per application for the study duration. Lastly, we study the compatibility of AWare with 1,000 of the most-downloaded Android applications, demonstrating that such applications can operate effectively under AWare while incurring less than 4% performance overhead on microbenchmarks.

AWare was published in USENIX Security 2017. More information can be found in this Science News article.

Voice control is a popular way to operate mobile devices, enabling users to communicate requests to their devices. However, adversaries can leverage voice control to trick mobile devices into executing commands to leak secrets or to modify critical information. Contemporary mobile operating systems fail to prevent such attacks because they do not control access to the speaker at all and fail to control when untrusted apps may use the microphone, enabling authorized apps to create exploitable communication channels. In this paper, we propose a security mechanism that tracks the creation of audio communication channels explicitly and controls the information flows over these channels to prevent several types of attacks. We design and implement AuDroid, an extension to the SE Linux reference monitor integrated into the Android operating system for enforcing lattice security policies over the dynamically changing use of system audio resources. To enhance flexibility, when information flow errors are detected, the device owner, system apps, and services are given the opportunity to resolve information flow errors using known methods, enabling AuDroid to run many configurations safely. We evaluate our approach on 17 widely-used apps that make extensive use of the microphone and speaker, finding that AuDroid prevents six types of attack scenarios on audio channels while permitting all 17 apps to run effectively. AuDroid shows that it is possible to prevent attacks using audio channels without compromising functionality or introducing significant performance overhead.

AuDroid appeared in ACSAC 2015. More information can be found in this The Stack article.

The smartphone marketplace has evolved significantly and swiftly during the last few years. In particular, the number and variety of third-party applications available to smartphone users has grown almost exponentially. These applications are frequently of negligible cost (often free) and undergo limited (if any) quality assurance or security verification. Unfortunately, security features in existing smartphone operating systems are insufficient to protect users against malicious or poorly designed applications. The TaintDroid system is designed track and identify smartphone privacy risks created by downloaded applications. TaintDroid uses dynamic taint analysis to track privacy sensitive information from their sources (e.g., GPS hardware, microphone, phone identifier storage, etc) to the point at which it leaves the phone through a wireless network interface. To perform this analysis in real time on existing smartphone hardware, TaintDroid uses several careful optimizations, trading tracking granularity for performance. In a study of 30 popular applications for the Android phone platform, TaintDroid identified that two-thirds of the studied applications transmitted privacy sensitive information beyond reasonable expectations of the user. Of the 30 applications, 15 shared the phone’s geographic location to advertisement servers, and 7 applications transmitted sensitive phone identifiers (e.g., the phone number and the device’s IMEI) without the user’s knowledge. These results confirm potential privacy concerns with smartphone applications and indicate that smartphone users must take great care when downloading applications.

TaintDroid was published in USENIX OSDI 2010. More information on TaintDroid, a demo, and the source code is available at appanalysis.org.