Systematically Detecting Access Control Flaws in the Android Framework

dc.contributor.author: El-Rewini, Zeinab
dc.date.accessioned: 2022-08-25T13:11:15Z
dc.date.available: 2022-12-24T05:50:06Z
dc.date.issued: 2022-08-25
dc.date.submitted: 2022-08-17
dc.description.abstract: Android's permission model is used to regulate access to the Application Programming Interfaces (APIs) within the Android system services, which provide access to sensitive system resources, such as the camera and microphone. To successfully invoke sensitive APIs, a caller must hold one or more Android permissions. Like all access control systems, the Android permission model is vulnerable to anomalies in security policy enforcement, including inconsistent access control enforcement. These inconsistencies occur when there are multiple paths to a sensitive resource, some with stronger access control enforcement than others. Attackers can exploit an inconsistency to improperly access a sensitive resource by taking the path with the weakest access control checks. Many access control anomalies are a natural byproduct of the fragmented Android ecosystem, in which various vendors and carriers customize the baseline Android Open Source Project (AOSP) code base for their unique business needs. One consequence of this customization is software bloat, which is known to expand the attack surface. Though the security impacts of customization in the Android ecosystem have been studied extensively, the literature is missing a study on customization-induced code bloat and its effect on Android access control flaws. Additionally, though a significant body of research has been dedicated to Android access control inconsistency detection, the existing state-of-the-art tools experience high false positive rates, as they precisely link access control checks to resources. That is, if a sensitive resource is shown to be control-dependent on an access control check, the existing tools consider that check required for that resource with full confidence. In practice, this assumption is faulty, as an access control check may not target all control-dependent resources. In this thesis, we make two significant contributions to address both gaps in the literature.
First, we conduct the first large-scale longitudinal study analyzing the security impact of Residual APIs, which are unused custom APIs that have been forgotten over the course of a customized AOSP code base's evolution. We find that Residuals are prevalent in the code bases of all major Original Equipment Manufacturers (OEMs) and that they result in security-critical vulnerabilities, including cases of inconsistent access control enforcement. Second, we introduce a novel probabilistic inconsistency detection approach that introduces a measure of uncertainty to the linkage between resources and access control checks. Our approach uncovers implicit relations between framework-level resources and protections and leverages probabilistic inference techniques to generate recommendations that link resources to protections with a degree of uncertainty. We find that our approach improves on existing tools by reducing false positives.
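The abstract describes two ideas that are easier to see on a concrete model: an inconsistency exists when two entry points reach the same sensitive resource with different permission checks, and a detector that treats every control-dependent check as required for the resource will flag public paths as "missing" a check that was never meant for them. The following Python is an added illustration written for this page, not the thesis's tool or code: it builds a small hand-constructed model of framework entry points (the service, method and resource names are hypothetical; only the permission strings are real AOSP constants) and runs two detectors over it. The "weighted" detector uses a plain fraction (the share of paths to a resource that enforce a check) as a simplified stand-in for the thesis's probabilistic inference; it is not the thesis's method.

```python
"""Toy access-control inconsistency detector over a hand-built model of
framework entry points (added illustration; not the thesis's tool)."""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class EntryPoint:
    """One system-service API: the permissions enforced on the path from the
    Binder boundary to the resource, and the sensitive resources it reaches."""
    name: str
    checks: frozenset
    resources: frozenset


def ep(name, checks, resources):
    return EntryPoint(name, frozenset(checks), frozenset(resources))


# Real AOSP permission strings; the service, method and resource names below
# are hypothetical and constructed for this example.
CAMERA = "android.permission.CAMERA"
AUDIO = "android.permission.MODIFY_AUDIO_SETTINGS"
FINE = "android.permission.ACCESS_FINE_LOCATION"

SAMPLE = [
    ep("CameraService.openCamera", {CAMERA}, {"camera_hal"}),
    ep("CameraService.connectDevice", {CAMERA}, {"camera_hal"}),
    # A forgotten vendor-added entry point: same HAL, no check at all.
    ep("VendorCameraService.legacyOpen", set(), {"camera_hal"}),
    ep("AudioService.setMicrophoneMute", {AUDIO}, {"mic_mute_state"}),
    ep("AudioService.setMicMuteInternal", {AUDIO}, {"mic_mute_state"}),
    # getLastLocation reads the "location enabled" setting after its
    # FINE_LOCATION check, so that read is control-dependent on the check
    # even though the check exists to protect the cached fix, not the setting.
    ep("LocationService.getLastLocation", {FINE},
       {"location_cache", "location_enabled_setting"}),
    ep("LocationService.isLocationEnabled", set(), {"location_enabled_setting"}),
    ep("LocationService.isProviderEnabled", set(), {"location_enabled_setting"}),
]


def group_by_resource(entries):
    by_resource = defaultdict(list)
    for e in entries:
        for r in e.resources:
            by_resource[r].append(e)
    return by_resource


def naive_inconsistencies(entries):
    """Precise linkage: every check seen on any path to a resource is taken as
    required for it, so any other path lacking that check is flagged."""
    findings = []
    for resource, eps in sorted(group_by_resource(entries).items()):
        required = frozenset().union(*(e.checks for e in eps))
        for e in eps:
            missing = required - e.checks
            if missing:
                findings.append((e.name, resource, missing))
    return findings


def check_confidence(entries):
    """confidence[resource][check]: fraction of the entry points reaching the
    resource whose path enforces the check. 1 means every path agrees."""
    conf = {}
    for resource, eps in group_by_resource(entries).items():
        counts = defaultdict(int)
        for e in eps:
            for c in e.checks:
                counts[c] += 1
        conf[resource] = {c: Fraction(n, len(eps)) for c, n in counts.items()}
    return conf


def weighted_inconsistencies(entries, threshold=Fraction(1, 2)):
    """Uncertain linkage: a check is only deemed required for a resource when
    at least `threshold` of the paths to that resource enforce it."""
    conf = check_confidence(entries)
    findings = []
    for resource, eps in sorted(group_by_resource(entries).items()):
        required = frozenset(c for c, p in conf[resource].items() if p >= threshold)
        for e in eps:
            missing = required - e.checks
            if missing:
                findings.append((e.name, resource, missing))
    return findings


if __name__ == "__main__":
    for label, fn in (("naive", naive_inconsistencies),
                      ("weighted", weighted_inconsistencies)):
        print(f"{label}: {len(fn(SAMPLE))} finding(s)")
        for name, resource, missing in fn(SAMPLE):
            print(f"  {name} reaches {resource} without {sorted(missing)}")
```

On this sample the naive detector reports three findings: the unchecked vendor camera path (a true inconsistency of the Residual-API kind) plus the two public `isLocationEnabled`/`isProviderEnabled` paths, which it wrongly believes must enforce `ACCESS_FINE_LOCATION` because `getLastLocation` happens to read the same setting after that check. The weighted detector keeps the camera finding (two of three paths enforce `CAMERA`) and drops the location ones (one of three paths enforces `FINE`); lowering the threshold to 0.25 reproduces the naive result, which shows that the threshold is exactly where the trade-off between missed inconsistencies and false positives lives.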
dc.identifier.uri: http://hdl.handle.net/10012/18639
dc.language.iso: en
dc.pending: false
dc.publisher: University of Waterloo
dc.title: Systematically Detecting Access Control Flaws in the Android Framework
dc.type: Master Thesis
uws-etd.degree: Master of Mathematics
uws-etd.degree.department: David R. Cheriton School of Computer Science
uws-etd.degree.discipline: Computer Science
uws-etd.degree.grantor: University of Waterloo
uws-etd.embargo.terms: 4 months
uws.contributor.advisor: Aafer, Yousra
uws.contributor.affiliation1: Faculty of Mathematics
uws.peerReviewStatus: Unreviewed
uws.published.city: Waterloo
uws.published.country: Canada
uws.published.province: Ontario
uws.scholarLevel: Graduate
uws.typeOfResource: Text

Files

Original bundle: El-Rewini_Zeinab.pdf (4.51 MB, Adobe Portable Document Format), master's thesis
License bundle: license.txt (6.4 KB), item-specific license agreed upon at submission