Cues, Clones, and Cars: Access Control Issues in Customized Android
Authors
Advisor
Asokan, N.
Aafer, Yousra
Publisher
University of Waterloo
Abstract
Android’s open-source design and extensive customization have fueled its dominance across smartphones, automotive systems, wearables, and other domains. This flexibility, however, introduces serious security challenges, particularly in the enforcement of access control. Prior research has investigated inconsistencies within the framework, across layers, and across Android versions, yet important gaps remain, especially in detecting vendor-introduced data-driven customizations, replicated APIs, and platform-specific adaptations (e.g., automotive) that are difficult to capture with existing techniques.
This dissertation investigates how Android contextual features can be systematically leveraged to uncover access control vulnerabilities that evade prior analyses. It presents four main contributions:
- Bluebird: a probabilistic inference framework that derives access control requirements from application-side sensitivity indicators (UI cues and app-side access control). By fusing NLP-driven signals with static analysis, Bluebird identifies APIs whose protections do not match their implied sensitivity. Applied to 14 ROMs, Bluebird flagged 391 likely under-protected private APIs and supported 11 proof-of-concept exploits.
- Ariadne: a static-analysis-based technique built around a novel access control dependency graph abstraction that models explicit and inferred access control relationships among framework data holders. Ariadne detects inconsistencies introduced by data-driven vendor customizations that traditional tools miss. Evaluated on AOSP and vendor ROMs, it discovered 30 unique inconsistencies and enabled 13 proof-of-concept exploits.
- RepFinder: a large-scale measurement pipeline that identifies duplicated or "Replica" APIs created via copy-paste editing and evaluates their access control enforcement. Analyzing 342 ROMs from 10 vendors, RepFinder found replication to be widespread (~141 Replicas/ROM on average) and that a significant fraction (37% on average) of Replicas are under-protected.
- AutoAcRaptor: a platform-specific static analysis framework for Android Automotive OS (AAOS) that identifies automotive entry points and evaluates both access control and feature-check enforcement. Applied to 10 AAOS ROMs, AutoAcRaptor reported an average of 23 auto feature and access control anomalies per ROM.
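As an added illustration (not code from the dissertation or its tools), the toy checker below models the two inconsistency classes described in the Ariadne and RepFinder entries: APIs that write the same framework data holder under different permission guards, and copy-pasted Replica APIs whose checks are weaker than their twin's. The API names, field names and body-fingerprint values in the sample are constructed.

```python
"""Toy access-control consistency checker (constructed example). Each
framework API is modelled by the permissions enforced before it runs,
the data holders (framework fields) it writes, and a hypothetical
normalized-body fingerprint used to spot copy-pasted Replicas."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Api:
    name: str
    perms: frozenset        # permission checks guarding the API
    writes: frozenset       # data holders the API modifies
    body_hash: str = ""     # hypothetical fingerprint of the method body


def data_holder_inconsistencies(apis):
    """Ariadne-style check: two APIs writing the same data holder should be
    guarded comparably; report (holder, weaker_api, stronger_api) when one
    API's permission set is a strict subset of the other's."""
    findings = set()
    for a, b in combinations(apis, 2):
        for holder in a.writes & b.writes:
            if a.perms < b.perms:
                findings.add((holder, a.name, b.name))
            elif b.perms < a.perms:
                findings.add((holder, b.name, a.name))
    return sorted(findings)


def replica_inconsistencies(apis):
    """RepFinder-style check: APIs sharing a body fingerprint are Replicas;
    report (replica, twin) when the replica enforces strictly fewer checks."""
    groups = {}
    for api in apis:
        if api.body_hash:
            groups.setdefault(api.body_hash, []).append(api)
    findings = []
    for group in groups.values():
        strongest = max(group, key=lambda x: len(x.perms))
        findings += [(x.name, strongest.name) for x in group if x.perms < strongest.perms]
    return sorted(findings)


# Constructed sample: a vendor-added API writes the same field as an AOSP
# API without its permission, and is also a copy-pasted Replica of it.
SAMPLE = [
    Api("setWifiEnabled", frozenset({"CHANGE_WIFI_STATE"}), frozenset({"mWifiEnabled"}), "h1"),
    Api("vendorSetWifi", frozenset(), frozenset({"mWifiEnabled"}), "h1"),
    Api("setAirplaneMode", frozenset({"WRITE_SECURE_SETTINGS"}), frozenset({"mAirplane"}), "h2"),
]
```

Running both checks over SAMPLE flags vendorSetWifi once per class: it writes mWifiEnabled with no guard, and it is an unguarded Replica of setWifiEnabled.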
Collectively, these contributions show that Android contextual features such as app-side sensitivity indicators, framework data holders, and platform-specific service registrations can be systematically harnessed to reveal overlooked access control vulnerabilities. They also demonstrate that techniques for identifying framework customization-induced vulnerabilities can be adapted to emerging Android-based platforms such as Android Automotive OS by accounting for platform-specific differences.
Beyond these immediate contributions, this work opens two broader research directions. First, the contextual features explored in this work may not be exhaustive. Future research should aim to identify additional contextual signals—potentially through automated discovery—and explore an integration framework that makes it easy to incorporate new analyses into a unified solution. Second, the adaptation of these techniques to other Android-based platforms remains an open challenge. While AutoAcRaptor demonstrates feasibility for Android Automotive, other platforms such as Android TV, Wear OS, and Android XR present unique differences that require dedicated investigation to determine how well these methods generalize and what extensions are needed.