SoK: Lessons Learned From Android Security Research For Appified Software Platforms
Acar et al. Oakland'16
Systematization of Knowledge (SoK) papers evaluate, systematize, and contextualize existing knowledge. The IEEE Symposium on Security and Privacy has a track for such papers. This paper, from last year's Oakland, is by some of the most prominent researchers in Android security, but it is not only for the security community. The software engineering community can also benefit a lot, especially people like me who are looking for breakthroughs and want to broaden their research topics.
With a quick search on Google, we can find the definition of appification:
The replacement of Websites and Web pages with programs that run on mobile operating systems and mobile devices. With appification instead of the Web being a user’s primary user interface, it becomes an underlying service layer for apps, which become the new user interface.
Since the advent of "modern" smartphones, such appified platforms have been of the highest interest to researchers. While iOS is the most profitable appified platform, Android is the most widely spread. This paper focuses on Android, and tries to draw lessons and provide suggestions.
INTRODUCTION
Apps are encouraged to share features through inter-component communication, while risks are communicated to users via permission dialogs.
One of the challenges is that security solutions are normally designed against a specific attacker model. In Android research, however, the attacker model has mostly been expressed only implicitly.
The actors in the appified ecosystem are non-traditional. They provide different challenges as well as opportunities.
The focus of our systematization is on security issues and challenges in the context of appification and the app market ecosystem.
PROBLEM AND RESEARCH AREAS
Android differs from conventional software ecosystems in many aspects.
- Access to resources:
  a. System security principals: All apps have their own UID.
  b. Reference monitor: Not only in the OS for low-level access control, but also in user-space processes (exposed IPC interfaces enforce access control on calling processes).
  c. Security policy: A clearer distinction between system and third-party apps.
- Sharing functionalities: ICC and libraries.
- Software distribution:
- Software engineering:
  - Programming errors: Misuse of programming APIs.
  - Webification
- Software Update Mechanisms: Many Android devices do not receive OS updates at all. In contrast, app updates are straightforward and fast, as centralized app stores push updates immediately to their users.
ANDROID/APPIFIED ECOSYSTEM
This paper distinguishes the app publisher from the app market.
If app signing is delegated to the app publishers, they could also surreptitiously insert malicious code.
Global Attacker Model
The authors introduced 6 attacker capabilities:
- Dangerous permissions
- Multiple apps
- Piggybacking apps: repackaging
- Native code
- Dynamic code loading
- Network attacks
SoK
Permission evolution
Dynamic permission requesting is designed to provide more contextual information to help end users make decisions. However, this desired contextual integrity is not necessarily provided by dynamic permissions and runtime consent dialogs.
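As an added illustration of the point above (my own example, not code from the paper or from any project it cites), here is how an app can at least try to give the runtime dialog the context it is meant to carry: the dangerous permission is requested when the user taps the feature that needs it, a rationale is tied to that feature, and denial disables one feature rather than the whole app. The activity, layout and view ids are made up; AndroidX appcompat/core is assumed on the classpath.

```java
// Added example (not from the paper or this post): request READ_CONTACTS at the point of use.
// Assumes AndroidX; R.layout.activity_contact_picker and R.id.pick_contact_button are made up.
// The manifest must still declare <uses-permission android:name="android.permission.READ_CONTACTS"/>.
import android.Manifest;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.os.Bundle;
import android.provider.ContactsContract;
import android.view.View;
import android.widget.Toast;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class ContactPickerActivity extends AppCompatActivity {
    private static final String PERM = Manifest.permission.READ_CONTACTS;
    private static final int REQ_READ_CONTACTS = 42; // arbitrary request code

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_contact_picker);   // assumed layout
        // Nothing is requested here: at start-up the user has no context for a consent dialog.
        findViewById(R.id.pick_contact_button).setOnClickListener(this::onPickContact);
    }

    /** Called from the one button that actually needs contacts. */
    private void onPickContact(View v) {
        if (ContextCompat.checkSelfPermission(this, PERM) == PackageManager.PERMISSION_GRANTED) {
            loadContacts();
            return;
        }
        if (ActivityCompat.shouldShowRequestPermissionRationale(this, PERM)) {
            // The user declined once already: explain, in the app's own UI, what this feature needs.
            Toast.makeText(this, "Contacts access is used only to pick a recipient.", Toast.LENGTH_LONG).show();
        }
        ActivityCompat.requestPermissions(this, new String[] {PERM}, REQ_READ_CONTACTS);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_READ_CONTACTS) return;
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            loadContacts();
        } else {
            // Graceful degradation: only the recipient picker is unavailable; do not re-prompt in a loop.
            Toast.makeText(this, "Recipient picker disabled without contacts access.", Toast.LENGTH_SHORT).show();
        }
    }

    /** Only reached once the permission is held; the query itself is ordinary ContactsContract use. */
    private void loadContacts() {
        String[] projection = {ContactsContract.Contacts.DISPLAY_NAME_PRIMARY};
        try (Cursor c = getContentResolver().query(ContactsContract.Contacts.CONTENT_URI,
                projection, null, null, ContactsContract.Contacts.DISPLAY_NAME_PRIMARY + " ASC")) {
            int count = (c == null) ? 0 : c.getCount();
            Toast.makeText(this, count + " contacts available", Toast.LENGTH_SHORT).show();
        }
    }
}
```

The design choice worth noting is that the request is triggered by the user's own action and the app keeps working when it is refused; this is the most an app can do on its side, and it still does not guarantee the contextual integrity the paper finds missing, since the dialog itself says nothing about how the data will be used afterwards.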
Although Android’s security design incorporates important lessons learned from prior operating system security research, the fact that it allows and even encourages differently privileged apps to communicate with each other has piqued the security research community’s interest in how this can be exploited by unprivileged apps to escalate their privileges.
Permission Revolution
Challenges:
- Missing Privilege Separation: libs have same permissions as apps
- Ineffective Security Apps: anti-virus apps have same permissions as regular apps
- Lack of Support for Mandatory Access Control
Two main directions for adding access control to Android: Alternative Access Control Models and Inlined Reference Monitoring.
Webification
Foremost, the two-way interaction between a host app and its embedded web content requires app developers to relax the WebView sandboxing. This enables app-to-web and web-to-app attacks.
In app-to-web attacks, malicious apps can inject JavaScript into hosted WebViews to extract sensitive user information and use the WebView APIs to navigate the WebView to untrusted websites. In web-to-app attacks, untrusted web content (possibly also injected into an insecure HTTP/S connection) can leverage the JavaScript bridge to the host app to escalate its privileges to the level of its hosting app’s process to access local system resources.
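To make the two directions concrete, here is an added example of my own (not code from the paper or from any app it studied): one host activity that embeds web content, with the relaxed WebView setup the paragraph warns about placed next to a restricted one. The trusted host name, the class names and the bridge's methods are placeholders; minSdk 24 or higher is assumed for the WebResourceRequest overload of shouldOverrideUrlLoading.

```java
// Added example (not from the paper or this post): relaxed vs. restricted WebView setup.
// TRUSTED_HOST, HelpActivity and HelpBridge are placeholders; assumes minSdk >= 24.
import android.annotation.SuppressLint;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.appcompat.app.AppCompatActivity;

public class HelpActivity extends AppCompatActivity {
    // Only pages from this origin may load in the WebView and therefore reach the bridge.
    private static final String TRUSTED_HOST = "help.example.com"; // placeholder

    /** Bridge exposed to JavaScript. Only @JavascriptInterface methods are callable from web content. */
    static final class HelpBridge {
        private final HelpActivity host;
        HelpBridge(HelpActivity host) { this.host = host; }

        @JavascriptInterface
        public String appVersion() { return "1.0"; }                     // read-only, nothing sensitive

        @JavascriptInterface
        public void closeHelp() { host.runOnUiThread(host::finish); }    // bridge calls arrive on a background thread
        // Deliberately no methods that touch files, contacts, the network or other guarded resources:
        // whatever is reachable here runs with the host app's UID and permissions.
    }

    /** Relaxed setup (for contrast, not for shipping): the pattern behind both attack directions in the text. */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    static void configureRelaxed(WebView wv, Object bridge) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.getSettings().setAllowFileAccess(true);     // web content may read app-accessible local files
        wv.addJavascriptInterface(bridge, "Android");  // any page that ends up in this WebView gets the bridge
        // No WebViewClient: the page can navigate anywhere, including plain http:// pages whose
        // content can be replaced on the wire, and those pages inherit the bridge too.
    }

    /** Restricted setup: least privilege in both directions of the app/web interaction. */
    @SuppressLint("SetJavaScriptEnabled")
    void configureHardened(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);   // required for the bridge, so everything else is narrowed
        wv.getSettings().setAllowFileAccess(false);
        wv.getSettings().setAllowContentAccess(false); // no content:// loads from this WebView
        wv.addJavascriptInterface(new HelpBridge(this), "Android");
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true swallows the navigation; only the trusted https origin may load.
                return !isTrusted(request.getUrl());
            }
        });
        // This callback is not invoked for subresource loads (images, scripts, XHR) or POST requests;
        // to police those as well, apply the same origin rule in shouldInterceptRequest.
    }

    static boolean isTrusted(Uri u) {
        return "https".equals(u.getScheme()) && TRUSTED_HOST.equalsIgnoreCase(u.getHost());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView wv = new WebView(this);
        setContentView(wv);
        configureHardened(wv);
        // The URL is fixed in code, not read from the launching Intent, and the activity is not
        // exported in the manifest: another app cannot point this WebView at a page of its choice.
        wv.loadUrl("https://" + TRUSTED_HOST + "/help");
    }
}
```

The two halves map onto the two attack directions: keeping the activity unexported and the URL fixed addresses app-to-web (another app steering the WebView), while the https-only origin rule plus a bridge that exposes nothing privileged addresses web-to-app (hostile or injected content calling into the host process).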
Programming-induced Leaks
Software Distribution
- App Piracy and Malware Incentives: Repackaging can be done with low effort.
Although all studies found trojan-like malware in the markets, the vast majority of re-packaged apps have been modified to siphon ad revenue from the original app authors (e.g., by exchanging the ad lib or ad identifier), thus suggesting that plagiarists of apps are fiscally motivated.
- Application Signing Issues: Centralized app markets can be a threat to end users, i.e., they themselves could cheat end users by withholding apps or updates. Bad practices of signing apps are also a threat:
For instance, Android allows developers to define permissions that are only available to apps with the same origin (i.e., signing key) in order to establish secure ICC.
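This same-origin permission pattern is also where the user-space reference monitor from the problem areas above shows up in practice. The following is an added example of my own (not code from the paper or from any project it cites): an exported Service guarded by a signature-level custom permission, with a per-call check of the caller and a start-up check that the permission name really belongs to this app. Package, permission, action and interface names are placeholders, and the manifest fragment and the AIDL interface are assumed.

```java
// Added example (not from the paper or this post): signature permission + per-call caller check.
// Placeholders throughout: com.example.sync.*, SyncService, ISync.
//
// Assumed AndroidManifest.xml fragment for this app:
//   <permission android:name="com.example.sync.permission.USE_SYNC"
//               android:protectionLevel="signature" />
//   <service android:name=".SyncService" android:exported="true"
//            android:permission="com.example.sync.permission.USE_SYNC">
//     <intent-filter><action android:name="com.example.sync.ACTION_SYNC" /></intent-filter>
//   </service>
// With android:permission on the component the framework refuses bindService() from any caller
// not holding the permission, and a signature permission is only granted to apps signed with the
// same key as the app that declared it. The checks below are defence in depth, per call.
//
// Assumed AIDL interface (ISync.aidl): interface ISync { boolean requestSync(String account); }
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.PermissionInfo;
import android.os.Binder;
import android.os.IBinder;
import android.os.Process;
import android.util.Log;

public class SyncService extends Service {
    static final String PERM_USE_SYNC = "com.example.sync.permission.USE_SYNC"; // placeholder
    private static final String TAG = "SyncService";
    private boolean permissionOwnedByUs = false;

    private final ISync.Stub binder = new ISync.Stub() {
        @Override
        public boolean requestSync(String account) {
            // Runs on a Binder thread; the caller's UID is attached to this transaction.
            if (!callerIsAllowed()) {
                Log.w(TAG, "sync refused for uid " + Binder.getCallingUid());
                return false;   // refuse quietly; do not explain why to the caller
            }
            Log.i(TAG, "sync requested by uid " + Binder.getCallingUid());
            return startSync(account);
        }
    };

    /** Per-call check: same UID is the sandbox boundary; everyone else must hold the permission. */
    boolean callerIsAllowed() {
        int uid = Binder.getCallingUid();
        if (uid == Process.myUid()) return true;
        // Ask the framework's reference monitor about the calling process. enforceCallingPermission()
        // does the same but throws SecurityException back to the caller.
        return checkCallingPermission(PERM_USE_SYNC) == PackageManager.PERMISSION_GRANTED;
    }

    @Override
    public void onCreate() {
        super.onCreate();
        // A custom permission name is global on the device. If another package managed to define
        // this name, the "same signing key" guarantee does not hold, so hand out no Binder at all.
        try {
            PermissionInfo pi = getPackageManager().getPermissionInfo(PERM_USE_SYNC, 0);
            permissionOwnedByUs = getPackageName().equals(pi.packageName);
            if (!permissionOwnedByUs) {
                Log.e(TAG, PERM_USE_SYNC + " is defined by " + pi.packageName + ", not by this app");
            }
        } catch (PackageManager.NameNotFoundException e) {
            Log.e(TAG, "permission " + PERM_USE_SYNC + " is not declared in the manifest");
        }
    }

    @Override
    public IBinder onBind(Intent intent) {
        return permissionOwnedByUs ? binder : null;   // null: clients get no interface to call
    }

    private boolean startSync(String account) {
        // Placeholder for the real work; reports whether a sync was scheduled.
        return account != null && !account.isEmpty();
    }
}
```

The per-call check matters because onBind() runs once per client, while Binder objects can be handed around; re-checking Binder.getCallingUid() on every transaction keeps the decision tied to the process that is actually calling, which is exactly the reference-monitor role the paper attributes to exposed IPC interfaces.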
In particular, app publishers and generators as a strongly emerging pattern for software distribution [7] have not yet received any attention, although their influence on the ecosystem can be considerable. It is unclear to which extent publishers and app generators are trustworthy or are harming the security of apps (e.g., following security best practices) and the privacy of users (e.g., adding tracking code).
Vendor Customization/Fragmentation
As of today, no research has been conducted to investigate countermeasures to the challenges that stem from fragmented appified ecosystems.