A Systematic Security Evaluation of Android's Multi-User Framework
Like many desktop operating systems in the 1990s, Android is now in the
process of including support for multi-user scenarios. Because these scenarios
introduce new threats to the system, we should have an understanding of how
well the system design addresses them. Since the security implications of
multi-user support are truly pervasive, we developed a systematic approach to
studying the system and identifying problems. Unlike other approaches that
focus on specific attacks or threat models, ours systematically identifies
critical places where access controls are not present or do not properly
identify the subject and object of a decision. Finding these places gives us
insight into hypothetical attacks that could result, and allows us to design
specific experiments to test our hypotheses.
Following an overview of the new features and their implementation, we
describe our methodology, present a partial list of our most interesting
hypotheses, and describe the experiments we used to test them. Our findings
indicate that the current system only partially addresses the new threats,
leaving the door open to a number of significant vulnerabilities and privacy
issues. Our findings span a spectrum of root causes, from simple oversights,
all the way to major system design problems. We conclude that there is still a
long way to go before the system can be used in anything more than the most
casual of sharing environments.
Comment: In Proceedings of the Third Workshop on Mobile Security Technologies
(MoST) 2014 (http://arxiv.org/abs/1410.6674)