FLEXDROID: Enforcing In-App Privilege Separation in Android

Mobile applications are increasingly integrating third-party libraries to provide various features, such as advertising, analytics, social networking, and more. Unfortunately, such integration with third-party libraries comes with the cost of potential privacy violations of users, because Android always grants a full set of permissions to third-party libraries as their host applications. Unintended accesses to users’ private data are underestimated threats to users’ privacy, as complex and often obfuscated third-party libraries make it hard for application developers to estimate the correct behaviors of thirdparty libraries. More critically, a wide adoption of native code (JNI) and dynamic code executions such as Java reflection or dynamic code reloading, makes it even harder to apply state-ofthe-art security analysis. In this work, we propose FLEXDROID, a new Android security model and isolation mechanism, that provides dynamic, fine-grained access control for third-party libraries. With FLEXDROID, application developers not only can gain a full control of third-party libraries (e.g., which permissions to grant or not), but also can specify how to make them behave after detecting a privacy violation (e.g., providing a mock user’s information or kill). To achieve such goals, we define a new notion of principals for third-party libraries, and develop a novel security mechanism, called inter-process stack inspection that is effective to JNI as well as dynamic code execution. Our usability study shows that developers can easily adopt FLEXDROID’s policy to their existing applications. Finally, our evaluation shows that FLEXDROID can effectively restrict the permissions of third-party libraries with negligible overheads.

[1]  David A. Wagner,et al.  AdDroid: privilege separation for applications and advertisers in Android , 2012, ASIACCS '12.

[2]  Hybrid User-level Sandboxing of Third-party Android Apps , 2015, AsiaCCS.

[3]  Gang Tan,et al.  NativeGuard: protecting android applications from third-party native libraries , 2014, WiSec '14.

[4]  Alastair R. Beresford,et al.  MockDroid: trading privacy for application functionality on smartphones , 2011, HotMobile '11.

[5]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[6]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[7]  Suman Nath,et al.  Brahmastra: Driving Apps to Test the Security of Third-Party Components , 2014, USENIX Security Symposium.

[8]  Ahmad-Reza Sadeghi,et al.  Towards Taming Privilege-Escalation Attacks on Android , 2012, NDSS.

[9]  Xuxian Jiang,et al.  Unsafe exposure analysis of mobile in-app advertisements , 2012, WISEC '12.

[10]  Dan S. Wallach,et al.  Longitudinal Analysis of Android Ad Library Permissions , 2013, ArXiv.

[11]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[12]  Ryan Stevens,et al.  MAdFraud: investigating ad fraud in android applications , 2014, MobiSys.

[13]  Wenliang Du,et al.  Compac: enforce component-level access control in android , 2014, CODASPY '14.

[14]  Tadayoshi Kohno,et al.  Securing Embedded User Interfaces: Android and Beyond , 2013, USENIX Security Symposium.

[15]  Benjamin Livshits,et al.  Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications , 2013, USENIX Security Symposium.

[16]  Yue Chen,et al.  ARMlock: Hardware-based Fault Isolation for ARM , 2014, CCS.

[17]  Hao Chen,et al.  Investigating User Privacy in Android Ad Libraries , 2012 .

[18]  Heng Yin,et al.  DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis , 2012, USENIX Security Symposium.

[19]  Shashi Shekhar,et al.  AdSplit: Separating Smartphone Advertising from Applications , 2012, USENIX Security Symposium.

[20]  Xiao Zhang,et al.  AFrame: isolating advertisements from mobile applications in Android , 2013, ACSAC.

[21]  Shashi Shekhar,et al.  QUIRE: Lightweight Provenance for Smart Phone Operating Systems , 2011, USENIX Security Symposium.

[22]  Lujo Bauer,et al.  Modeling and Enhancing Android's Permission System , 2012, ESORICS.

[23]  Gary McGraw,et al.  Securing Java: getting down to business with mobile code , 1999 .

[24]  Ahmad-Reza Sadeghi,et al.  XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks , 2011 .

[25]  Jason Nieh,et al.  A measurement study of google play , 2014, SIGMETRICS '14.

[26]  Helen J. Wang,et al.  Permission Re-Delegation: Attacks and Defenses , 2011, USENIX Security Symposium.

[27]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.