SEApp: Bringing Mandatory Access Control to Android Apps

Mandatory Access Control (MAC) has contributed greatly to improving the security of modern operating systems. Android is a clear demonstration: it has progressively assigned a greater role to SELinux since its introduction in 2013. These benefits have mostly been dedicated to protecting system components against the behavior of apps, and app developers are offered no control over the use of MAC. Our solution overcomes this limitation, giving developers the power to define ad-hoc MAC policies for their apps, supporting the internal compartmentalization of app components. This is a natural evolution of the security mechanisms already available in Android, but its realization requires considering that (i) the security of system components must be maintained, (ii) the solution must be usable by developers, and (iii) the performance impact should be limited. Our proposal meets these three requirements. The proposal is supported by an open-source implementation.
