research-article
Open Access

The Android Platform Security Model

Published: 28 April 2021

Abstract

Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. The model needs to strike a difficult balance between security, privacy, and usability for end users, assurances for app developers, and system performance under tight hardware constraints. While many of the underlying design principles have implicitly informed the overall system architecture, access control mechanisms, and mitigation techniques, the Android security model has previously not been formally published. This article aims to both document the abstract model and discuss its implications. Based on a definition of the threat model and Android ecosystem context in which it operates, we analyze how the different security measures in past and current Android implementations work together to mitigate these threats. There are some special cases in applying the security model, and we discuss such deliberate deviations from the abstract model.

  130. Sami Tolvanen. 2018. Control Flow Integrity in the Android kernel. Retrieved from https://security.googleblog.com/2018/10/posted-by-sami-tolvanen-staff-software.html.Google ScholarGoogle Scholar
  131. Sami Tolvanen. 2019. Protecting against Code Reuse in the Linux Kernel with Shadow Call Stack. Retrieved from https://security.googleblog.com/2019/10/protecting-against-code-reuse-in-linux_30.html.Google ScholarGoogle Scholar
  132. Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida. 2016. Drammer: Deterministic Rowhammer Attacks on Mobile Platforms. ACM Press, 1675--1689. DOI:https://doi.org/10.1145/2976749.2978406Google ScholarGoogle ScholarDigital LibraryDigital Library
  133. Jeff Vander Stoep. 2015. Ioctl Command Whitelisting in SELinux. Retrieved from http://kernsec.org/files/lss2015/vanderstoep.pdfLinux Security Summit.Google ScholarGoogle Scholar
  134. Jeff Vander Stoep. 2016. Android: Protecting the Kernel. Retrieved from https://events.static.linuxfound.org/sites/events/files/slides/Android-%20protecting%20the%20kernel.pdf.Google ScholarGoogle Scholar
  135. Jeff Vander Stoep. 2017. Shut the HAL Up. Retrieved from https://android-developers.googleblog.com/2017/07/shut-hal-up.html.Google ScholarGoogle Scholar
  136. Jeff Vander Stoep and Sami Tolvanen. 2018. Year in Review: Android Kernel Security. Retrieved from https://events.linuxfoundation.org/wp-content/uploads/2017/11/LSS2018.pdf.Google ScholarGoogle Scholar
  137. W3C. [n.d.]. Web Authentication: An API for accessing Public Key Credentials. Retrieved from https://webauthn.io/.Google ScholarGoogle Scholar
  138. R. Watson. 2012. New Approaches to Operating System Security Extensibility. Technical Report UCAM-CL-TR-818. Cambridge University.
  139. Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David Wagner, and Konstantin Beznosov. 2015. Android permissions remystified: A field study on contextual integrity. In Proceedings of the 24th USENIX Security Symposium (USENIX Security’15). USENIX Association, Berkeley, CA, 499--514.
  140. Linux Kernel Security Subsystem Wiki. 2019. Exploit Methods/Userspace Execution. Retrieved from https://kernsec.org/wiki/index.php/Exploit_Methods/Userspace_execution.
  141. Shawn Willden. 2018. Insider Attack Resistance. Retrieved from https://android-developers.googleblog.com/2018/05/insider-attack-resistance.html.
  142. Xiaowen Xin. 2018. Titan M Makes Pixel 3 Our Most Secure Phone Yet. Retrieved from https://blog.google/products/pixel/titan-m-makes-pixel-3-our-most-secure-phone-yet/.
  143. Keun Soo Yim, Iliyan Malchev, Andrew Hsieh, and Dave Burke. 2019. Treble: Fast software updates by creating an equilibrium in an active software ecosystem of globally distributed stakeholders. ACM Trans. Embed. Comput. Syst. 18, 5s, Article 104 (Oct. 2019), 23 pages. DOI:https://doi.org/10.1145/3358237
  144. David Zeuthen, Shawn Willden, and René Mayrhofer. 2020. Privacy-preserving features in the Mobile Driving License. Retrieved from https://security.googleblog.com/2020/10/privacy-preserving-features-in-mobile.html.
  145. Yuan Zhang, Min Yang, Bingquan Xu, Zhemin Yang, Guofei Gu, Peng Ning, X. Sean Wang, and Binyu Zang. 2013. Vetting undesirable behaviors in Android apps with permission use analysis. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS’13). ACM, New York, NY, 611--622. DOI:https://doi.org/10.1145/2508859.2516689

        • Published in

          ACM Transactions on Privacy and Security  Volume 24, Issue 3
          August 2021
          286 pages
          ISSN:2471-2566
          EISSN:2471-2574
          DOI:10.1145/3450360
          Copyright © 2021 Owner/Author

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Publication History

          • Published: 28 April 2021
          • Revised: 1 January 2021
          • Accepted: 1 January 2021
          • Received: 1 May 2020