Editor: Gary McGraw, gem@cigital.com

Focus

Understanding Android Security

William Enck, Machigar Ongtang, and Patrick McDaniel
Pennsylvania State University

IEEE Security & Privacy, January/February 2009 ■ Published by the IEEE Computer Society ■ 1540-7993/09/$25.00 © 2009 IEEE

The next generation of open operating systems won’t be on desktops or mainframes but on the small mobile devices we carry every day. The openness of these new environments will lead to new applications and markets and will enable greater integration with existing online services. However, as the importance of the data and services our cell phones support increases, so too do the opportunities for vulnerability. It’s essential that this next generation of platforms provide a comprehensive and usable security infrastructure.

Developed by the Open Handset Alliance (visibly led by Google), Android is a widely anticipated open source operating system for mobile devices that provides a base operating system, an application middleware layer, a Java software development kit (SDK), and a collection of system applications. Although the Android SDK has been available since late 2007, the first publicly available Android-ready “G1” phone debuted in late October 2008. Since then, Android’s growth has been phenomenal: T-Mobile’s G1 manufacturer HTC estimates shipment volumes of more than 1 million phones by the end of 2008, and industry insiders expect public adoption to increase steeply in 2009. Many other cell phone providers have either promised or plan to support it in the near future.

A large community of developers has organized around Android, and many new products and applications are now available for it. One of Android’s chief selling points is that it lets developers seamlessly extend online services to phones. The most visible example of this feature is—unsurprisingly—the tight integration of Google’s Gmail, Calendar, and Contacts Web applications with system utilities. Android users simply supply a username and password, and their phones automatically synchronize with Google services. Other vendors are rapidly adapting their existing instant messaging, social networks, and gaming services to Android, and many enterprises are looking for ways to integrate their own internal operations (such as inventory management, purchasing, receiving, and so forth) into it as well.

Traditional desktop and server operating systems have struggled to securely integrate such personal and business applications and services on a single platform; although doing so on a mobile platform such as Android remains nontrivial, many researchers hope it provides a clean slate devoid of the complications that legacy software can cause. Android doesn’t officially support applications developed for other platforms: applications execute on top of a Java middleware layer running on an embedded Linux kernel, so developers wishing to port their application to Android must use its custom user interface environment. Additionally, Android restricts application interaction to its special APIs by running each application as its own user identity. Although this controlled interaction has several beneficial security features, our experiences developing Android applications have revealed that designing secure applications isn’t always straightforward. Android uses a simple permission label assignment model to restrict access to resources and other applications, but for reasons of necessity and convenience, its designers have added several potentially confusing refinements as the system has evolved.

This article attempts to unmask the complexity of Android security and note some possible development pitfalls that occur when defining an application’s security. We conclude by attempting to draw some lessons and identify opportunities for future enhancements that should aid in clarity and correctness.

Android Applications

The Android application framework forces a structure on developers. It doesn’t have a main() function or single entry point for execution—instead, developers must design applications in terms of components.

Example Application

We developed a pair of applications to help describe how Android applications operate. Interested readers can download the source code from our Web site ([Link]android_sec_tutorial.html).

Let’s consider a location-sensitive social networking application for mobile phones in which users can discover their friends’ locations. We split the functionality into two applications: one for tracking friends and one for viewing them. As Figure 1 shows, the FriendTracker application consists of components specific to tracking friend locations (for example, via a Web service), storing geographic coordinates, and sharing those coordinates with other applications. The user then uses the FriendViewer application to retrieve the stored geographic coordinates and view friends on a map.

[Figure 1 panels: the FriendTracker application (BootReceiver broadcast receiver, FriendTracker service, FriendTrackerControl activity, FriendProvider content provider) and the FriendViewer application (FriendReceiver broadcast receiver, FriendViewer and FriendMap activities).]
Figure 1. Example Android application. The FriendTracker and FriendViewer applications consist of multiple components of different types, each of which provides a different set of functionalities. Activities provide a user interface, services execute background processing, content providers are data storage facilities, and broadcast receivers act as mailboxes for messages from other applications.

Both applications contain multiple components for performing their respective tasks; the components themselves are classified by their component types. An Android developer chooses from predefined component types depending on the component’s purpose (such as interfacing with a user or storing data).

Component Types

Android defines four component types:

• Activity components define an application’s user interface. Typically, an application developer defines one activity per “screen.” Activities start each other, possibly passing and returning values. Only one activity on the system has keyboard and processing focus at a time; all others are suspended.
• Service components perform background processing. When an activity needs to perform some operation that must continue after the user interface disappears (such as download a file or play music), it commonly starts a service specifically designed for that action. The developer can also use services as application-specific daemons, possibly starting on boot. Services often define an interface for Remote Procedure Call (RPC) that other system components can use to send commands and retrieve data, as well as register callbacks.
• Content provider components store and share data using a relational database interface. Each content provider has an associated “authority” describing the content it contains. Other components use the authority name as a handle to perform SQL queries (such as SELECT, INSERT, or DELETE) to read and write content. Although content providers typically store values in database records, data retrieval is implementation-specific—for example, files are also shared through content provider interfaces.
• Broadcast receiver components act as mailboxes for messages from other applications. Commonly, application code broadcasts messages to an implicit destination. Broadcast receivers thus subscribe to such destinations to receive the messages sent to it. Application code can also address a broadcast receiver explicitly by including the namespace assigned to its containing application.

Figure 1 shows the FriendTracker and FriendViewer applications containing the different component types. The developer specifies components using a manifest file (also used to define policy as described later). There are no restrictions on the number of components an application defines for each type, but as a convention, one component has the same name as the application. Frequently, this is an activity, as in the FriendViewer application. This activity usually indicates the primary activity that the system application launcher uses to start the user interface; however, the specific activity chosen on launch is marked by meta information in the manifest. In the FriendTracker application, for example, the FriendTrackerControl activity is marked as the main user interface entry point. In this case, we reserved the name “FriendTracker” for the service component performing the core application logic.

The FriendTracker application contains each of the four component types. The FriendTracker service polls an external service to discover friends’ locations. In our example code, we generate locations randomly, but extending the component to interface with a Web service is straightforward. The FriendProvider content provider maintains the most recent geographic coordinates for friends, the FriendTrackerControl activity defines a user interface for starting and stopping the tracking functionality, and the BootReceiver broadcast receiver obtains a notification from the system once it boots (the application uses this to automatically start the FriendTracker service).

The FriendViewer application is primarily concerned with showing information about friends’ locations. The FriendViewer activity lists all friends and their geographic coordinates, and the FriendMap activity displays them on a map. The FriendReceiver broadcast receiver waits for messages that indicate the physical phone is near a particular friend and displays a message to the user upon such an event. Although we could have placed these components within the FriendTracker application, we created a separate application to demonstrate cross-application communication. Additionally, by separating the tracking and user interface logic, we can create alternative user interfaces with different displays and features—that is, many applications can reuse the logic performed in FriendTracker.

Component Interaction

The primary mechanism for component interaction is an intent, which is simply a message object containing a destination component address and data. The Android API defines methods that accept intents, and uses that information to start activities (startActivity(Intent)), start services (startService(Intent)), and broadcast messages (sendBroadcast(Intent)). The invocation of these methods tells the Android framework to begin executing code in the target application. This process of intercomponent communication is known as an action. Simply put, an intent object defines the “intent” to perform an “action.”

One of Android’s most powerful features is the flexibility allowed by its intent-addressing mechanism. Although developers can uniquely address a target component using its application’s namespace, they can also specify an implicit name. In the latter case, the system determines the best component for an action by considering the set of installed applications and user choices. The implicit name is called an action string because it specifies the type of requested action—for example, if the “VIEW” action string is specified in an intent with data fields pointing to an image file, the system will direct the intent to the preferred image viewer. Developers also use action strings to broadcast a message to a group of broadcast receivers. On the receiving end, developers use an intent filter to subscribe to specific action strings. Android includes additional destination resolution rules, but action strings with optional data types are the most common.

Figure 2 shows the interaction between components in the FriendTracker and FriendViewer applications and with components in applications defined as part of the base Android distribution. In each case, one component initiates communication with another. For simplicity, we call this inter-component communication (ICC). In many ways, ICC is analogous to inter-process communication (IPC) in Unix-based systems. To the developer, ICC functions identically regardless of whether the target is in the same or different application, with the exception of the security rules defined later in this article.

[Figure 2 panels: the System server (Location manager) and the Contacts application (ViewContact); the FriendTracker application (BootReceiver, FriendTracker, FriendTrackerControl, FriendProvider) and the FriendViewer application (FriendReceiver, FriendMap, FriendViewer); arrows labelled bind, start, start/stop, read/write, read, and broadcast intent.]
Figure 2. Component interaction. Android’s application-level interactions let the FriendTracker and FriendViewer applications communicate with each other and system-provided applications. Interactions occur primarily at the component level.

The available ICC actions depend on the target component. Each component type supports interaction specific to its type—for example, when FriendViewer starts FriendMap, the FriendMap activity appears on the screen. Service components support start, stop, and bind actions, so the FriendTrackerControl activity, for instance, can start and stop the FriendTracker service that runs in the background. The bind action establishes a connection between components, allowing the initiator to execute RPCs defined by the service. In our example, FriendTracker binds to the location manager in the system server.
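The ICC operations described in this section, shown as an added Java example that is not the authors' tutorial code: explicit and implicit addressing, the start, stop and bind service actions, and the broadcast and subscribe sides of FRIEND_NEAR. The org.example package names, the class names and the "nickname" extra are assumptions.

```java
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.ServiceConnection;
import android.net.Uri;
import android.os.IBinder;
import android.widget.Toast;

// Added example (not the authors' tutorial code): the ICC operations the article
// describes, issued from a FriendViewer component. Package and class names are assumptions.
public class IccExamples {
    static final String TRACKER_PKG = "org.example.friendtracker";
    static final String VIEWER_PKG = "org.example.friendviewer";
    // Developer-defined action string that FriendTracker broadcasts (see the article);
    // the namespace prefix is our assumption.
    static final String FRIEND_NEAR = TRACKER_PKG + ".FRIEND_NEAR";

    private static Intent trackerService() {
        Intent svc = new Intent();
        svc.setComponent(new ComponentName(TRACKER_PKG, TRACKER_PKG + ".FriendTracker"));
        return svc;
    }

    // Explicit addressing: naming the component bypasses intent-filter resolution,
    // so exactly this activity is started (subject to the permission checks described later).
    static void showMap(Context ctx) {
        Intent i = new Intent();
        i.setComponent(new ComponentName(VIEWER_PKG, VIEWER_PKG + ".FriendMap"));
        ctx.startActivity(i);
    }

    // Implicit addressing: only an action string and data are given; the system picks
    // the preferred viewer for the data's type from installed applications and user choices.
    static void viewImage(Context ctx, Uri image) {
        ctx.startActivity(new Intent(Intent.ACTION_VIEW, image));
    }

    // Service actions: start and stop address the service explicitly.
    static void startTracking(Context ctx) {
        ctx.startService(trackerService());
    }

    static void stopTracking(Context ctx) {
        // As the article notes, a started service that is also bound keeps running
        // until every bound connection is released.
        ctx.stopService(trackerService());
    }

    // Bind: establishes a connection through which the initiator can invoke the
    // service's RPC interface (isTracking() and addNickname(String) in the article).
    static ServiceConnection bindTracker(Context ctx) {
        ServiceConnection conn = new ServiceConnection() {
            public void onServiceConnected(ComponentName name, IBinder service) {
                // 'service' is the IBinder backing the RPC interface; an AIDL stub
                // (application-specific, not shown) would wrap it here.
            }
            public void onServiceDisconnected(ComponentName name) { }
        };
        ctx.bindService(trackerService(), conn, Context.BIND_AUTO_CREATE);
        return conn;  // the caller must later call unbindService(conn)
    }

    // Broadcast side: FriendTracker sends to the action string, not to a named receiver.
    // This broadcast carries no permission; the article's Broadcast Intent Permissions
    // section explains the privacy consequence and the fix.
    static void announceFriendNear(Context ctx, String nickname) {
        Intent i = new Intent(FRIEND_NEAR);
        i.putExtra("nickname", nickname);
        ctx.sendBroadcast(i);
    }

    // Receiving side: subscribing to the action string at runtime is equivalent to an
    // <intent-filter> on FriendReceiver in the manifest.
    static BroadcastReceiver subscribeFriendNear(Context ctx) {
        BroadcastReceiver r = new BroadcastReceiver() {
            @Override
            public void onReceive(Context c, Intent intent) {
                String who = intent.getStringExtra("nickname");
                Toast.makeText(c, "Friend nearby: " + who, Toast.LENGTH_SHORT).show();
            }
        };
        ctx.registerReceiver(r, new IntentFilter(FRIEND_NEAR));
        return r;  // the caller must later call unregisterReceiver(r)
    }
}
```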


Once bound, FriendTracker invokes methods to register a callback that provides updates on the phone’s location. Note that if a service is currently bound, an explicit “stop” action won’t terminate the service until all bound connections are released.

Broadcast receiver and content provider components have unique forms of interaction. ICC targeted at a broadcast receiver occurs as an intent sent (broadcast) either explicitly to the component or, more commonly, to an action string the component subscribes to. For example, FriendReceiver subscribes to the developer-defined “FRIEND_NEAR” action string. FriendTracker broadcasts an intent to this action string when it determines that the phone is near a friend; the system then starts FriendReceiver and displays a message to the user.

Content providers don’t use intents—rather, they’re addressed via an authority string embedded in a special content Uniform Resource Identifier (URI) of the form content://<authority>/<table>/[<id>]. Here, <table> indicates a table in the content provider, and <id> optionally specifies a record in that table. Components use this URI to perform a SQL query on a content provider, optionally including WHERE conditions via the query API.

Security Enforcement

As Figure 3 shows, Android protects applications and data through a combination of two enforcement mechanisms, one at the system level and the other at the ICC level. ICC mediation defines the core security framework and is this article’s focus, but it builds on the guarantees provided by the underlying Linux system.

[Figure 3 layers: Android applications (FriendTracker application, FriendViewer application, Contacts application); Android middleware containing the ICC reference monitor; Linux system, where FriendTracker runs as user app_11 with home /data/data/friendtracker, FriendViewer as user app_12 with home /data/data/friendviewer, and Contacts as user app_4 with home /data/data/contacts.]
Figure 3. Protection. Security enforcement in Android occurs in two places: each application executes as its own user identity, allowing the underlying Linux system to provide system-level isolation; and the Android middleware contains a reference monitor that mediates the establishment of inter-component communication (ICC). Both mechanisms are vital to the phone’s security, but the first is straightforward to implement, whereas the second requires careful consideration of both mechanism and policy.

In the general case, each application runs as a unique user identity, which lets Android limit the potential damage of programming flaws. For example, the Web browser vulnerability discovered recently after the official release of T-Mobile G1 phones only affected the Web browser (http://[Link]/content/case-studies/android/[Link]). Because of this design choice, the exploit couldn’t affect other applications or the system. A similar vulnerability in Apple’s iPhone gave way to the first “jail breaking” technique, which let users replace parts of the underlying system, but would also have enabled a network-based adversary to exploit this flaw ([Link]evaluator[Link]/content/case-studies/iphone/[Link]).

ICC isn’t limited by user and process boundaries. In fact, all ICC occurs via an I/O control command on a special device node, /dev/binder. Because the file must be world readable and writable for proper operation, the Linux system has no way of mediating ICC. Although user separation is straightforward and easily understood, controlling ICC is much more subtle and warrants careful consideration.

As the central point of security enforcement, the Android middleware mediates all ICC establishment by reasoning about labels assigned to applications and components. A reference monitor [1] provides mandatory access control (MAC) enforcement of how applications access components. In its simplest form, access to each component is restricted by assigning it an access permission label; this text string need not be unique. Developers assign applications collections of permission labels. When a component initiates ICC, the reference monitor looks at the permission
labels assigned to its containing application and—if the target component’s access permission label is in that collection—allows ICC establishment to proceed. If the label isn’t in the collection, establishment is denied even if the components are in the same application. Figure 4 depicts this logic.

[Figure 4: Application 1 holds a collection of permission labels that its component A inherits; in Application 2, component B carries access permission label 1 and component C carries label 2, and A’s access to B and C is decided by whether each label appears in Application 1’s collection.]
Figure 4. Access permission logic. The Android middleware implements a reference monitor providing mandatory access control (MAC) enforcement about how applications access components. The basic enforcement model is the same for all component types. Component A’s ability to access components B and C is determined by comparing the access permission labels on B and C to the collection of labels assigned to application 1.

The developer assigns permission labels via the XML manifest file that accompanies every application package. In doing so, the developer defines the application’s security policy—that is, assigning permission labels to an application specifies its protection domain, whereas assigning permissions to the components in an application specifies an access policy to protect its resources. Because Android’s policy enforcement is mandatory, as opposed to discretionary [2], all permission labels are set at install time and can’t change until the application is reinstalled. However, despite its MAC properties, Android’s permission label model only restricts access to components and doesn’t currently provide information flow guarantees, such as in domain type enforcement [3].

Security Refinements

Android’s security framework is based on the label-oriented ICC mediation described thus far, but our description is incomplete. Partially out of necessity and partially for convenience, the Google developers who designed Android incorporated several refinements to the basic security model, some of which have subtle side effects and make its overall security difficult to understand. The rest of this section provides an exhaustive list of refinements we identified as of the v1.0r1 SDK release.

Public vs. Private Components

Applications often contain components that another application should never access—for example, an activity designed to return a user-entered password could be started maliciously. Instead of defining an access permission, the developer could make a component private by either explicitly setting the exported attribute to false in the manifest file or letting Android infer if the component should be private from other attributes in its manifest definition.

Private components simplify security specification. By making a component private, the developer doesn’t need to worry which permission label to assign it or how another application might acquire that label. Any application can access components that aren’t explicitly assigned an access permission, so the addition of private components and inference rules (introduced in the v0.9r1 SDK release, August 2008) significantly reduces the attack surface for many applications. However, the developer must be careful when allowing Android to determine if a component is private. Security-aware developers should always explicitly define the exported attribute for components intended to be private.

Implicitly Open Components

Developers frequently define intent filters on activities to indicate that they can handle certain types of action/data combinations. Recall the example of how the system finds an image viewer when an intent specifying the VIEW action and an image reference is passed to the “start activity” API. In this case, the caller can’t know beforehand (much less at development time) what access permission is required. The developer of the target activity can permit such functionality by not assigning an access permission to it—that is, if a public component doesn’t explicitly have an access permission listed in its manifest definition, Android permits any application to access it.

Although this default-allow policy specification enables functionality and ease of development, it can lead to poor security practices and is contrary to Saltzer and Schroeder’s principle of fail-safe defaults [4]. Referring back to our example FriendViewer application, if the FriendReceiver broadcast receiver isn’t assigned an access permission, any unprivileged installed application can forge a FRIEND_NEAR message, which represents a significant security concern for applications making decisions based on information passed via the intent. As a general practice, security-aware developers should always assign access permissions to public components—in fact, they should have an explicit reason for not assigning one. All inputs should be scrutinized under these conditions.

Broadcast Intent Permissions

Components aren’t the only resource that requires protection. In our FriendTracker example, the FriendTracker service broadcasts an intent to the FRIEND_NEAR action string to indicate the phone is physically near a friend’s location. Although this event notification lets the FriendViewer application update the user, it potentially informs all installed applications of the phone’s proximity. In this case, sending the unprotected intent is a privacy risk. More generally, unprotected intent broadcasts can unintentionally leak information to explicitly listening attackers. To combat this, the Android API for broadcasting intents optionally allows the developer to specify a permission label to restrict access to the intent object.

The access permission label assignment to a broadcasted intent—for example, sendBroadcast(intent, “perm.FRIEND_NEAR”)—restricts the set of applications that can receive it (in this example, only to applications containing the “perm.FRIEND_NEAR” permission label). This lets the developer control how information is disseminated, but this refinement pushes an application’s security policy into its source code. The manifest file therefore doesn’t give the entire picture of the application’s security.

Content Provider Permissions

In our FriendTracker application, the FriendProvider content provider stores friends’ geographic coordinates. As a developer, we want our application to be the only one to update the contents but for other applications to be able to read them. Android allows such a security policy by modifying how access permissions are assigned to content providers—instead of using one permission label, the developer can assign both read and write permissions. If the application performing a query with write side effects (INSERT, DELETE, UPDATE) doesn’t have the write permission, the query is denied. The separate read and write permissions let the developer distinguish between data users and interactions that affect the data’s integrity. Security-aware developers should define separate read and write permissions, even if the distinction isn’t immediately apparent.

Service Hooks

Although they weren’t explicitly identified, the FriendTracker service defines RPC interfaces: isTracking() and addNickname(String). The isTracking() method doesn’t change the service’s running state; it simply returns whether FriendTracker is currently tracking locations. However, addNickname(String) does modify the running state by telling FriendTracker to start tracking another friend. Due to this state modification, the developer might want to differentiate access to the two interfaces. Unfortunately, Android only lets the developer assign one permission label to restrict starting, stopping, and binding to a service. Under this model, any application that can start or stop FriendTracker can also tell it to monitor new friends. To address this, Android provides the checkPermission() method, which lets developers arbitrarily extend the reference monitor with a more restrictive policy. In effect, these service hooks let the developer write code to perform custom runtime security.

Service hooks provide much greater flexibility when defining access policy—in fact, several services provided in the base Android distribution use them. However, like broadcast intent permissions, service hooks move policy into the application code, which can cloud application security.

Protected APIs

Not all system resources (such as the network, camera, and microphone) are accessed through components—instead, Android provides direct API access. In fact, the services that provide indirect access to hardware often use APIs available to third-party applications. Android protects these sensitive APIs with additional permission label checks: an application must declare a corresponding permission label in its manifest file to use them. Bitfrost takes a similar approach (the “one laptop per child” security model [5]), but it allows controlled permission change after installation.

By protecting sensitive APIs with permissions, Android forces an application developer to declare the desire to interface with the system in a specific way. Consequently, vulnerable applications can’t gain unknown access if exploited. The most commonly encountered protected API is for network connections—for example, the FriendViewer application requires Internet access for map information, so it must declare the INTERNET permission label. In general, protected APIs make an application’s protection domain much clearer because the policy is defined in the manifest file.

Permission Protection Levels

Early versions of the Android SDK let developers mark a permission as “application” or “system.” The default application level meant that any application requesting the permission label would receive it. Conversely, system permission labels were granted only to applications installed in /data/system (as opposed to /data/app, which is independent of label assignment). The likely reason is that only system applications should be able to perform operations such as interfacing directly with the telephony API.
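The refinements above (broadcast intent permissions, content provider read/write permissions, service hooks and protected APIs) as an added Java example, not the authors' tutorial code; the manifest fragment in the comment and the org.example and perm.* names other than perm.FRIEND_NEAR are assumptions. The hook calls checkCallingOrSelfPermission(), the Context method that also works for in-process callers, rather than the bare checkPermission() the text names.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import java.util.HashSet;
import java.util.Set;

/*
 * Added example (not the authors' tutorial code). It shows where each refinement
 * lives: the manifest fragment below (assumed names) is policy the reference monitor
 * enforces at install time; the Java code below it is policy that sits in the application.
 *
 *   <permission android:name="perm.FRIEND_NEAR"   android:protectionLevel="dangerous" />
 *   <permission android:name="perm.READ_FRIENDS"  android:protectionLevel="normal" />
 *   <permission android:name="perm.WRITE_FRIENDS" android:protectionLevel="signature" />
 *   <permission android:name="perm.ADD_NICKNAME"  android:protectionLevel="dangerous" />
 *   <uses-permission android:name="android.permission.INTERNET" />   <!-- protected API -->
 *   <service  android:name=".FriendTracker" android:permission="perm.START_TRACKER" />
 *   <provider android:name=".FriendProvider" android:authorities="org.example.friends"
 *             android:readPermission="perm.READ_FRIENDS"
 *             android:writePermission="perm.WRITE_FRIENDS" />
 *   <activity android:name=".FriendTrackerControl" android:exported="false" />
 *
 * The single android:permission on the service gates start, stop and bind alike;
 * the finer distinction between the two RPC methods has to be coded as a hook.
 */
public class FriendTracker extends Service {
    static final String FRIEND_NEAR = "org.example.friendtracker.FRIEND_NEAR"; // assumed value
    static final String PERM_FRIEND_NEAR = "perm.FRIEND_NEAR";
    static final String PERM_ADD_NICKNAME = "perm.ADD_NICKNAME";

    private boolean tracking = false;
    private final Set<String> nicknames = new HashSet<String>();

    // RPC interface exposed through bind. A local Binder subclass is assumed here; a
    // caller in another application would go through an AIDL-generated stub instead.
    public class TrackerBinder extends Binder {
        // Read-only query: no state change, so the service-level permission suffices.
        public boolean isTracking() {
            return tracking;
        }

        // Service hook: this method changes running state, so it demands a second
        // label that start/stop/bind callers need not hold. The check evaluates the
        // label collection of the application on the other end of the RPC.
        public boolean addNickname(String nickname) {
            if (checkCallingOrSelfPermission(PERM_ADD_NICKNAME)
                    != PackageManager.PERMISSION_GRANTED) {
                return false;   // deny without changing state
            }
            nicknames.add(nickname);
            tracking = true;
            return true;
        }
    }

    private final IBinder binder = new TrackerBinder();

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    // Broadcast intent permission: only applications holding perm.FRIEND_NEAR receive
    // this intent, so proximity information is not disclosed to every installed app.
    // Which applications hold that label is decided by the manifest declarations above.
    void announceFriendNear(String nickname) {
        Intent i = new Intent(FRIEND_NEAR);
        i.putExtra("nickname", nickname);
        sendBroadcast(i, PERM_FRIEND_NEAR);
    }
}
```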


The v0.9r1 SDK (August 2008) extended the early model into four protection levels for permission labels, with the meta information specified in the manifest of the package defining the permission. “Normal” permissions act like the old application permissions and are granted to any application that requests them in its manifest; “dangerous” permissions are granted only after user confirmation. Similar to security checks in popular desktop operating systems such as Microsoft Vista’s user account control (UAC), when an application is installed, the user sees a screen listing short descriptions of requested dangerous permissions along with OK and Cancel buttons. Here, the user has the opportunity to accept all permission requests or deny the installation. “Signature” permissions are granted only to applications signed by the same developer key as the package defining the permission (application signing became mandatory in the v0.9r1 SDK). Finally, “signature or system” permissions act like signature permissions but exist for legacy compatibility with the older system permission type.

The new permission protection levels provide a means of controlling how developers assign permission labels. Signature permissions ensure that only the framework developer can use the specific functionality (only Google applications can directly interface the telephony API, for example). Dangerous permissions give the end user some say in the permission-granting process—for example, FriendTracker defines the permission label associated with the FRIEND_NEAR intent broadcast as dangerous. However, the permission protection levels express only trivial granting policies. A third-party application still doesn’t have much control if it wants another developer to use the permission label. Making a permission “dangerous” helps, but it depends on the user understanding the security implications.

Pending Intents

All the security refinements described up to this point fall within the realm of an extension to the basic MAC model. The v0.9r1 SDK release (August 2008) introduced the concept of a “pending intent,” which is rather straightforward: a developer defines an intent object as normally done to perform an action (to start an activity, for example). However, instead of performing the action, the developer passes the intent to a special method that creates a PendingIntent object corresponding to the desired action. The PendingIntent object is simply a reference pointer that can pass to another application, say, via ICC. The recipient application can modify the original intent by filling in unspecified address and data fields and specify when the action is invoked. The invocation itself causes an RPC with the original application, in which the ICC executes with all its permissions.

Pending intents allow applications included with the framework to integrate better with third-party applications. Used correctly, they can improve an application’s security—in fact, several Android APIs require pending intents, such as the location manager, which has a “proximity update” feature that notifies an application via intent broadcast when a geographic area is entered or exited. The pending intent lets an application direct the broadcast to a specific private broadcast receiver. This prevents forging without the need to coordinate permissions with system applications.

However, pending intents diverge from Android’s MAC model by introducing delegation. By using a pending intent, an application delegates the ability to influence intent contents and the time of performing the action. Historically, certain delegation techniques have substantial negative effects on the tractability of policy evaluation [6].

URI Permissions

The v1.0r1 SDK release (September 2008) introduced another delegation mechanism—URI permissions. Recall that Android uses a special content URI to address content providers, optionally specifying a record within a table. The developer can pass such a URI in an intent’s data field—for example, an intent can specify the VIEW action and a content URI identifying an image file. If used to start an activity, the system will choose a component in a different application to view the image. If the target application doesn’t have read permission to the content provider containing the image file, the developer can use a URI permission instead. In this case, the developer sets a read flag in the intent that grants the target application access to the specific intent-identified record.

URI permissions are essentially capabilities for database records. Although they provide least privilege [4] access to content providers, the addition of a new delegation mechanism further diverges from the original MAC model. As mentioned with pending intents, delegation potentially impacts the tractability of policy analysis. A content provider must explicitly allow URI permissions, therefore they require the data store developer’s participation.

Lessons in Defining Policy

Our experiences working with Android security policy revealed that it begins with a relatively easy to understand MAC enforcement model, but the number and subtlety of refinements make it difficult for someone to discover an application’s policy simply by looking at it. Some refinements push policy into the application code. Others add del-

16 IEEE Security & Privacy ■ January/February 2009


Focus

egation, which mixes discretionary significantly reduce the need to mation and System Security, vol. 6,
controls into the otherwise typical defer install-time decisions to the no.1, 2003, pp. 128–171.
MAC model. This situation makes user—that is, the policy invariants 7. W. Enck, M. Ongtang, and P.
gathering a firm grasp on Android’s capture the appropriate response. McDaniel, Mitigating Android
security model nontrivial. We’ve successfully used Kirin to Software Misuse Before It Happens,
Even with all the refinements, identify multiple vulnerabilities in tech. report NAS-TR-0094-2008,
holistic security concerns have the base applications provided with Network and Security Research
gone largely unaddressed. First, Android and have subsequently es- Ctr., Dept. Computer Science
what does a permission label re- tablished an ongoing relationship and Eng., Pennsylvania State
ally mean? The label itself is merely with Google to fix the flaws and Univ., Nov. 2008.
a text string, but its assignment to further investigate Android’s secu-
an application provides access to rity via Kirin. William Enck is a PhD candidate in
potentially limitless resources. Sec- In many ways, Android pro- the Systems and Internet Infrastruc-
ond, how do you control access to vides more comprehensive se- ture Security (SIIS) Laboratory in the
permission labels? Android’s per- curity than other mobile phone Department of Computer Science and
mission protection levels provide platforms. However, learning Engineering at Pennsylvania State Uni-
some control, but more expressive how to effectively use its building versity. His research interests include
constraints aren’t possible. As a pur- blocks isn’t easy. We’re only begin- operating systems security, telecom-
posefully simple example, should ning to see different types of appli- munications security, and systems and
an application be able to access both cations, and as Android matures, network security. Enck has an MS in
the microphone and the Internet? we’ll learn how faulty application computer science and engineering from
policy affects the phone’s security. Pennsylvania State University. Contact
We believe that tools such as Ki- him at 344 Information Sciences and

W ill granting a permission


break the phone’s security?
Do the access permission assign-
rin and those like it will help mold
Android into the secure operating
system needed for next-generation
Technology Building, University Park,
PA 16802; Email: enck@[Link].

ments to an application’s com- computing platforms. Machigar Ongtang is a PhD candidate


ponents put the phone or the in the Systems and Internet Infrastruc-
application at risk? Android cur- References ture Security (SIIS) Laboratory in the
rently provides no means of an- 1. J.P. Anderson, Computer Security Department of Computer Science and
swering these questions. Technology Planning Study, tech. Engineering at Pennsylvania State Uni-
We developed an enhanced report ESD-TR-73-51, Mitre, versity. Her research interests include
installer and security framework Oct. 1972. pervasive computing, context-aware se-
to answer a variant of these ques- 2. M.A. Harrison, W.L. Ruzzo, and curity, and telecommunications securi-
tions—namely, “does an applica- J.D. Ullman, “Protection in Op- ty. Ongtang has an MSc in information
tion break some larger phone-wide erating Systems,” Comm. ACM, technology for manufacture from the
security policy?” Our tool, called vol. 19, no. 8, 1976, pp. 461–471. University of Warwick, UK. Contact her
Kirin,7 extracts an application’s 3. L. Badger et al., “Practical Do- at 344 Information Sciences and Tech-
security policy from its manifest main and Type Enforcement for nology Building, University Park, PA
file to determine if the requested UNIX,” Proc. IEEE Symp. Security 16802; Email: ongtang@[Link].
permissions and component per- and Privacy, IEEE CS Press, 1995,
mission assignments are consistent pp. 66–77. Patrick McDaniel is a co-director of
with the stakeholders’ definition of 4. J. Saltzer and M. Schroeder, “The the Systems and Internet Infrastruc-
a secure phone (stakeholders in this Protection of Information in Com- ture Security (SIIS) Laboratory and as-
context range from the network puter Systems,” Proc. IEEE, vol. sociate professor in the Department
provider to an enterprise to a user). 63, no. 9, 1975, pp. 1278–1308. of Computer Science and Engineering
Kirin uses a formalized model of 5. I. Krstic and S.L. Garfinkel, “Bit- at Pennsylvania State University. His
the policy mechanisms described in frost: The One Laptop per Child research interests include systems and
this article to generate automated Security Model,” Proc. Symp. Us- network security, telecommunications
proofs of compliance using a Prolog able Privacy and Security, ACM security, and security policy. McDaniel
engine running on the phone. If an Press, 2007, pp. 132–142. has a PhD in computer science from the
application’s policy isn’t compli- 6. N. Li, B.N. Grosof, and J. Feigen- University of Michigan. Contact him at
ant, it won’t be installed. By defin- baum, “Delegation Logic: A Log- 360A Information Sciences and Tech-
ing security requirements in logic, ic-Based Approach to Distributed nology Building, University Park, PA
which we call policy invariants, we Authorization,” ACM Trans. Infor- 16802; Email: mcdaniel@[Link].

[Link]/security/ ■ IEEE Security & Privacy 17

You might also like
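The pending-intent delegation described above (the location manager's "proximity update" feature delivering a broadcast to a private receiver) looks like the following in application code. This is an added example, not code from the article or from FriendTracker; the package and action names, coordinates and radius are constructed, and it assumes the app holds ACCESS_FINE_LOCATION and declares ProximityReceiver in its manifest with android:exported="false".

```java
// Added example: a LocationManager proximity alert whose notification is
// delegated back to this app through a PendingIntent aimed at a private
// (non-exported) broadcast receiver. Names below are hypothetical.
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.location.LocationManager;
import android.util.Log;

public class ProximityAlerts {
    // Private action string: it is never exposed through an <intent-filter>,
    // so no third-party app can address the receiver with it.
    static final String ACTION_NEAR = "example.friendtracker.action.NEAR";
    static final int REQUEST_CODE = 0;

    /** Registers a proximity alert that the framework delivers back to us. */
    public static PendingIntent register(Context ctx, double lat, double lon,
                                         float radiusMeters) {
        // Explicit intent: the target component is named directly, so intent
        // resolution (and therefore other apps' filters) plays no part.
        Intent target = new Intent(ctx, ProximityReceiver.class).setAction(ACTION_NEAR);
        // The PendingIntent is the delegation token. LocationManager runs in
        // the system process, but when it fires this token the broadcast is
        // sent with *our* identity and permissions, and the framework fills in
        // the unspecified extra KEY_PROXIMITY_ENTERING. (On API 31+ a
        // mutability flag, PendingIntent.FLAG_IMMUTABLE or FLAG_MUTABLE,
        // must be OR-ed into the flags as well.)
        PendingIntent pi = PendingIntent.getBroadcast(ctx, REQUEST_CODE, target,
                PendingIntent.FLAG_UPDATE_CURRENT);
        LocationManager lm = (LocationManager) ctx.getSystemService(Context.LOCATION_SERVICE);
        lm.addProximityAlert(lat, lon, radiusMeters, -1 /* never expires */, pi);
        return pi;
    }

    /** Removes the alert and invalidates the delegated token. */
    public static void unregister(Context ctx, PendingIntent pi) {
        LocationManager lm = (LocationManager) ctx.getSystemService(Context.LOCATION_SERVICE);
        lm.removeProximityAlert(pi);
        pi.cancel();
    }

    /**
     * Private receiver. Declared in the manifest as
     * <receiver android:name=".ProximityAlerts$ProximityReceiver" android:exported="false"/>.
     * Because it is not exported, the only way a broadcast reaches it is
     * through this app's own explicit intents or its own PendingIntent, which
     * is what prevents forged "friend is near" events.
     */
    public static class ProximityReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            boolean entering = intent.getBooleanExtra(
                    LocationManager.KEY_PROXIMITY_ENTERING, false);
            Log.i("FriendTracker", entering ? "entered area" : "left area");
        }
    }
}
```

The point to notice is that no permission label had to be coordinated with the system location service: the app never exports the receiver, and the token it hands out carries only the right to fire this one pre-addressed intent.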
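The URI-permission mechanism described above (a read flag in a VIEW intent that grants the chosen viewer access to one record rather than to the whole provider) can be exercised as follows. This is an added example, not code from the article; the provider authority, record path and package names are constructed, and it assumes the provider is declared in the manifest with android:grantUriPermissions="true" and protected by a read permission the viewer does not hold.

```java
// Added example: handing out a per-record capability on a content provider
// via Intent.FLAG_GRANT_READ_URI_PERMISSION. Authority and paths are hypothetical.
import android.content.ContentUris;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;

public class PhotoSharing {
    // Hypothetical provider, declared in the manifest as
    //   <provider android:name=".PhotoProvider"
    //             android:authorities="example.friendtracker.photos"
    //             android:readPermission="example.friendtracker.READ_PHOTOS"
    //             android:grantUriPermissions="true"/>
    static final Uri PHOTOS = Uri.parse("content://example.friendtracker.photos/photo");

    /** Lets the system pick a viewer and grants it read access to one record only. */
    public static void viewPhoto(Context activityCtx, long photoId) {
        Uri record = ContentUris.withAppendedId(PHOTOS, photoId);
        Intent view = new Intent(Intent.ACTION_VIEW);
        view.setDataAndType(record, "image/jpeg");
        // The capability: the activity manager grants the resolved target a
        // temporary read permission on exactly this URI. The viewer still
        // cannot query the provider's other records, and the grant is
        // revoked when the receiving activity finishes.
        view.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        activityCtx.startActivity(view); // ctx is expected to be an Activity
    }

    /** Explicit grant to a known package, e.g. for a recipient without an activity. */
    public static void grantTo(Context ctx, String pkg, long photoId) {
        Uri record = ContentUris.withAppendedId(PHOTOS, photoId);
        ctx.grantUriPermission(pkg, record, Intent.FLAG_GRANT_READ_URI_PERMISSION);
    }

    /** Revokes every outstanding read grant on the record. */
    public static void revokeAll(Context ctx, long photoId) {
        Uri record = ContentUris.withAppendedId(PHOTOS, photoId);
        ctx.revokeUriPermission(record, Intent.FLAG_GRANT_READ_URI_PERMISSION);
    }

    /** Recipient side: confirm the capability actually arrived before using it. */
    public static boolean canRead(Context ctx, Uri record) {
        return ctx.checkCallingOrSelfUriPermission(record,
                Intent.FLAG_GRANT_READ_URI_PERMISSION) == PackageManager.PERMISSION_GRANTED;
    }
}
```

Note the two halves of the design: the grant only works because the data store's developer opted in with grantUriPermissions, and the explicit grant/revoke pair is the discretionary delegation that the article observes departs from a pure MAC model.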
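To make concrete both the permission-protection-level discussion and the Kirin approach of checking a manifest against policy invariants at install time, here is an added, off-device checker written for this page. It is not the authors' Kirin (which reasons in Prolog on the phone), and the three invariants and the sample manifest are illustrative assumptions: the first is the article's own microphone-plus-Internet question, the second covers component permission assignments, and the third covers how an app labels the permissions it defines.

```java
// Added example: a Kirin-style install-time check in plain Java. It parses a
// constructed AndroidManifest.xml and returns the list of violated policy
// invariants; an empty list means the package may be installed.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ManifestInvariants {
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    // Constructed sample manifest for a FriendTracker-like app: it defines a
    // dangerous FRIEND_NEAR label, requests microphone and network access, and
    // exports one receiver without any permission label.
    static final String SAMPLE_MANIFEST =
        "<manifest xmlns:android='" + ANDROID_NS + "' package='example.friendtracker'>\n" +
        "  <permission android:name='example.friendtracker.FRIEND_NEAR'\n" +
        "              android:protectionLevel='dangerous'/>\n" +
        "  <uses-permission android:name='android.permission.RECORD_AUDIO'/>\n" +
        "  <uses-permission android:name='android.permission.INTERNET'/>\n" +
        "  <application>\n" +
        "    <receiver android:name='.NearReceiver' android:exported='true'\n" +
        "              android:permission='example.friendtracker.FRIEND_NEAR'/>\n" +
        "    <receiver android:name='.BootReceiver' android:exported='true'/>\n" +
        "  </application>\n" +
        "</manifest>";

    /** Evaluates the policy invariants; returns the violations found. */
    public static List<String> check(String manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The manifest comes from an untrusted package: refuse DOCTYPEs so the
        // parser cannot be driven to resolve external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)));

        Set<String> requested = new HashSet<>();
        NodeList uses = doc.getElementsByTagName("uses-permission");
        for (int i = 0; i < uses.getLength(); i++)
            requested.add(attr((Element) uses.item(i), "name"));

        List<String> violations = new ArrayList<>();

        // Invariant 1 (the article's example): an application must not be able
        // to both record audio and reach the network.
        if (requested.contains("android.permission.RECORD_AUDIO")
                && requested.contains("android.permission.INTERNET"))
            violations.add("RECORD_AUDIO and INTERNET requested together");

        // Invariant 2: an exported receiver must be guarded by a permission
        // label, otherwise any installed application can send it broadcasts.
        NodeList receivers = doc.getElementsByTagName("receiver");
        for (int i = 0; i < receivers.getLength(); i++) {
            Element r = (Element) receivers.item(i);
            if ("true".equals(attr(r, "exported")) && attr(r, "permission") == null)
                violations.add("exported receiver without permission label: " + attr(r, "name"));
        }

        // Invariant 3: labels the app defines must not be "normal", because a
        // normal permission is granted automatically to any app that requests it.
        NodeList defined = doc.getElementsByTagName("permission");
        for (int i = 0; i < defined.getLength(); i++) {
            Element p = (Element) defined.item(i);
            String level = attr(p, "protectionLevel");
            if (level == null || level.equals("normal"))
                violations.add("permission defined with normal protection level: " + attr(p, "name"));
        }
        return violations;
    }

    // Reads an attribute from the android: namespace, or null if absent.
    private static String attr(Element e, String localName) {
        return e.hasAttributeNS(ANDROID_NS, localName) ? e.getAttributeNS(ANDROID_NS, localName) : null;
    }

    public static void main(String[] args) throws Exception {
        List<String> v = check(SAMPLE_MANIFEST);
        System.out.println(v.isEmpty() ? "install allowed" : "install refused: " + v);
    }
}
```

Run against the sample, the checker refuses installation on two counts, the microphone/Internet pair and the unprotected BootReceiver, while the FRIEND_NEAR label passes because it is declared dangerous. The important design property, shared with Kirin, is that the decision is made from the manifest alone before any code runs, and the user is never asked to judge a question the invariants already answer.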