Please note: This master’s thesis presentation will be given online.
Zeinab El-Rewini, Master’s candidate
David R. Cheriton School of Computer Science
Supervisor: Professor Yousra Aafer
Android’s permission model is used to regulate access to the Application Program Interfaces (APIs) within the Android system services, which provide access to sensitive system resources, such as the camera and microphone. To successfully invoke sensitive APIs, a caller must hold one or more Android permissions.
Like all access control systems, the Android permission model is vulnerable to anomalies in security policy enforcement, including inconsistent access control enforcement. These inconsistencies occur when there are multiple paths to a sensitive resource, some with stronger access control enforcement than others. Attackers can exploit an inconsistency to improperly access a sensitive resource by taking the path with the weakest access control checks.
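To make the "multiple paths, unequal checks" pattern concrete, the following added example (not code from the thesis or from AOSP) models a toy system service as a call graph: each method may enforce permissions before continuing and may touch a sensitive resource. It then enumerates every path from a public entry point to a resource, records the permission set enforced along that path, and flags a resource where one path's checks are a strict subset of another's. All method names (`setCameraEnabled`, `legacySetCameraEnabled`, `applyCameraState`, and so on) and the call graph are constructed for illustration; only the two permission strings are real Android permission names. The comparison rule is the simple path-based one, so it does not model the implicit resource-to-check relations the thesis addresses.

```python
"""Detect inconsistent access control enforcement in a toy model of an
Android system service.  Constructed illustration: the method names and the
call graph are hypothetical and are not taken from AOSP or any OEM code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Real Android permission identifiers used as labels on the toy checks.
CAMERA = "android.permission.CAMERA"
RECORD_AUDIO = "android.permission.RECORD_AUDIO"


@dataclass
class Method:
    name: str
    # Permissions this method enforces (think enforceCallingPermission) before proceeding.
    enforces: FrozenSet[str] = frozenset()
    # Callees reached once the checks above pass.
    calls: Tuple[str, ...] = ()
    # Sensitive resource touched directly by this method, if any.
    resource: Optional[str] = None


def toy_service() -> Dict[str, Method]:
    """Constructed service: two entry points reach the camera helper, but only
    one of them checks CAMERA.  Both microphone entry points check RECORD_AUDIO."""
    methods = [
        Method("setCameraEnabled", frozenset({CAMERA}), ("applyCameraState",)),
        # Hypothetical residual entry point left over from an earlier customization:
        # it reaches the same helper but enforces no permission at all.
        Method("legacySetCameraEnabled", frozenset(), ("applyCameraState",)),
        Method("applyCameraState", resource="camera"),
        Method("getMicRoute", frozenset({RECORD_AUDIO}), ("readMicRoute",)),
        Method("dumpMicRoute", frozenset({RECORD_AUDIO}), ("readMicRoute",)),
        Method("readMicRoute", resource="microphone"),
    ]
    return {m.name: m for m in methods}


# (entry point, permissions enforced somewhere on the path from it to the resource)
PathRecord = Tuple[str, FrozenSet[str]]


def paths_to_resources(methods: Dict[str, Method],
                       entry_points: List[str]) -> Dict[str, List[PathRecord]]:
    """Depth-first walk from each entry point, accumulating enforced permissions.
    Every (entry, permission set) pair that reaches a resource is recorded."""
    by_resource: Dict[str, List[PathRecord]] = defaultdict(list)

    def walk(entry: str, name: str, acc: FrozenSet[str], on_stack: FrozenSet[str]) -> None:
        m = methods[name]
        acc = acc | m.enforces
        if m.resource is not None:
            by_resource[m.resource].append((entry, acc))
        for callee in m.calls:
            if callee not in on_stack:  # cycle guard for recursive call graphs
                walk(entry, callee, acc, on_stack | {callee})

    for entry in entry_points:
        walk(entry, entry, frozenset(), frozenset({entry}))
    return dict(by_resource)


@dataclass(frozen=True)
class Finding:
    resource: str
    weak_entry: str
    weak_perms: FrozenSet[str]
    strong_entry: str
    strong_perms: FrozenSet[str]


def find_inconsistencies(by_resource: Dict[str, List[PathRecord]]) -> List[Finding]:
    """A path is flagged when its enforced permission set is a strict subset of
    another path's set to the same resource: the weaker path is the one an
    attacker would prefer, so it is the one a defender must fix or remove."""
    findings: List[Finding] = []
    for resource, records in sorted(by_resource.items()):
        for weak_entry, weak in records:
            stronger = [(e, p) for e, p in records if weak < p]
            if stronger:
                strong_entry, strong = max(stronger, key=lambda ep: len(ep[1]))
                findings.append(Finding(resource, weak_entry, weak, strong_entry, strong))
    return findings


def analyze_toy_service() -> List[Finding]:
    methods = toy_service()
    public = ["setCameraEnabled", "legacySetCameraEnabled", "getMicRoute", "dumpMicRoute"]
    return find_inconsistencies(paths_to_resources(methods, public))


if __name__ == "__main__":
    for f in analyze_toy_service():
        print(f"{f.resource}: {f.weak_entry} enforces {sorted(f.weak_perms) or 'nothing'}, "
              f"but {f.strong_entry} enforces {sorted(f.strong_perms)}")
```

Run as a script, the model reports exactly one inconsistency: the camera is reachable through `legacySetCameraEnabled` with no check at all, while `setCameraEnabled` requires `android.permission.CAMERA`; the two microphone paths enforce the same permission and are not flagged. The fix for the flagged case is to apply the same check in the weaker entry point or, where the path is truly unused, to delete it.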
Many access control anomalies are a natural byproduct of the fragmented Android ecosystem, in which various vendors and carriers customize the baseline Android Open Source Project (AOSP) code base for their unique business needs. One consequence of this customization is software bloat, which is known to expand the attack surface. Though the security impacts of customization in the Android ecosystem have been studied extensively, the literature is missing a study on customization-induced code bloat and its effect on Android access control flaws. Additionally, though a significant body of research has been dedicated to Android access control inconsistency detection, the existing state-of-the-art tools experience high false positive rates, as they assume that an access control check targets all control-dependent resources.
In this thesis, we make two significant contributions to address both gaps in the literature. First, we conduct the first large-scale longitudinal study analyzing the security impact of Residual APIs, which are unused custom APIs that have been forgotten over the course of a customized AOSP code base’s evolution. We find that Residuals are prevalent in the code bases of all major Original Equipment Manufacturers (OEMs) and that they result in security-critical vulnerabilities, including cases of inconsistent access control enforcement. Second, we introduce a novel inconsistency detection approach that uncovers the implicit relations between framework-level resources and protections and reduces false positives.