Android Security Extensions 2 Giovanni Russello g.russello@auckland.ac.nz
Preparing the Report: A report must be provided before your presentation. The report should be 4 pages long. The content of the report must be YOURS: no copy-and-paste from the main article. Use your own words to describe the article.
What's in the Report? The report should contain: a description of the article; an analysis/criticism of the main approach of the article. I expect a 50/50 approach: 2 pages for description, 2 pages for analysis/criticism.
How to Analyse/Criticise: Does the paper live up to your expectations? Think about what you were expecting from this paper by reading the Abstract/Title/Intro. If you were the user of this system, would it work for you? Why? Why not? Would this system help you with your security requirements? What could the authors have done differently?
Defining Malware: Any software that can disrupt normal activities. Any software that does not behave as declared. Any software that compromises some properties: Privacy, Confidentiality, Reliability.
Poorly Designed Apps: If not designed properly, apps can (unintentionally): deplete your resources (battery, data, etc.); expose resources (internet, location, etc.).
Over-Privileged Apps: Apps (developers) can ask for any combination of permissions. Users can either install the apps (granting permissions) or not install at all. Combinations of permissions such as Internet and Locations, SMS or Local Storage can result in information leakage.
Privilege Escalation Attacks: An adversary tries to escalate privileges to get unauthorised access to protected resources. Confused deputy attack: leverage the vulnerability of a benign application. Colluding attacks: several applications collaborate to get an objectionable set of permissions.
Privilege Escalation Attacks [Figure sequence. Diagram labels: Install Time: Uses Permission = P1?; Sandbox; System Sandbox; App A; App B; Android Apps; P1, P2; S1, S2; Activity Manager; Reference Monitor; Android Middleware.]
Android Security Extensions Application Layer Aurasium I-ARM-Droid Dr Android Reddy Android Middleware DVM TaintDroid MockDroid TISSA Reference Monitor Saint Apex CRePE XManDroid AppFence QUIRE Installer Saint Apex Kirin XManDroid Paranoid Android Paranoid Android QUIRE Linux Kernel SELinux
Fine-grained Security Policy: Saint (ACSAC 09): allows app developers to protect their applications from being misused. APEX (ASIACCS 10): circumvents the All-or-Nothing approach of Android permission granting. Porscha (ACSAC 10): support for DRM-like policies for phone data. CRePE (ISC 10): enforcement of context-related policies.
Data Filtering and Tainting: MockDroid (HotMobile 11): limiting the access to the data. TISSA (Trust 11): substituting the reply from content providers. TaintDroid (OSDI 10): labelling of data for preventing data leakage.
Protection against Privilege Escalation: QUIRE (USENIX Security Symposium 11). Effective against confused deputy attacks. Tracing of the IPC chain to check if all apps have the right to access a resource. However: it requires apps to use a modified API; it does not solve the problem of colluding apps.
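The call-chain idea on the QUIRE slide, as an added toy model (not QUIRE's or Android's code): it contrasts a check on the immediate caller only with a check over the whole IPC chain. The App class, the function names and the sample apps are hypothetical, and modelling collusion as a deputy that does not forward the chain is an assumption.

```python
# Added illustration: a toy model of permission checks, not real Android or QUIRE code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class App:
    name: str
    permissions: frozenset = field(default_factory=frozenset)


def stock_check(chain, permission):
    """Check only the immediate caller (last hop of the IPC chain)."""
    return permission in chain[-1].permissions


def chain_check(chain, permission):
    """QUIRE-style check: every app on the IPC chain must hold the permission."""
    return all(permission in app.permissions for app in chain)


def deputy_call(caller_chain, deputy, permission, check, forwards_chain=True):
    """The deputy accesses a protected resource on behalf of caller_chain.

    forwards_chain=True models an app using the modified API that propagates
    the chain. False models an app that starts a fresh chain (the assumption
    used here to represent colluding apps).
    """
    chain = (list(caller_chain) if forwards_chain else []) + [deputy]
    return check(chain, permission)


# Constructed sample apps, named after the labels in the slides.
P1 = "P1"
app_a = App("A")                    # holds no permissions
app_b = App("B", frozenset({P1}))   # holds P1 and exposes a component


def scenarios():
    """Return allow/deny decisions for the cases discussed on the slide."""
    return {
        "stock_confused_deputy": deputy_call([app_a], app_b, P1, stock_check),
        "quire_confused_deputy": deputy_call([app_a], app_b, P1, chain_check),
        "quire_colluding": deputy_call([app_a], app_b, P1, chain_check,
                                       forwards_chain=False),
        "quire_direct_use": deputy_call([], app_b, P1, chain_check),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'ALLOWED' if allowed else 'DENIED'}")
```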
Protection against Privilege Escalation: AppFence (TR 11 Uni Washington and MS Research). Based on TaintDroid for taint capability. It supports data shadowing and protects from data exfiltration. However: effective only against confused deputy attack.
Protection against Privilege Escalation: XManDroid (TR 11). Real-time IPC monitoring. System state of the app communications for potential spread of privileges. However: no control outside the IPC channels (i.e. Internet access).
What is missing: No modifications to Android API. No trust in apps. Control over IPC and system-level calls (internet). Data filtering capabilities. Tuneable.
That is why we came up with Yet Another Android Security Extension