
Aurasium: Practical Policy Enforcement for Android Applications

Rubin Xu, Computer Laboratory, University of Cambridge, Cambridge, UK
Hassen Saïdi, Computer Science Laboratory, SRI International, Menlo Park, USA
Ross Anderson, Computer Laboratory, University of Cambridge, Cambridge, UK

Abstract

The increasing popularity of Google’s mobile platform Android makes it the prime target of the latest surge in mobile malware. Most research on enhancing the platform’s security and privacy controls requires extensive modification to the operating system, which has significant usability issues and hinders efforts for widespread adoption. We develop a novel solution called Aurasium that bypasses the need to modify the Android OS while providing much of the security and privacy that users desire. We automatically repackage arbitrary applications to attach user-level sandboxing and policy enforcement code, which closely watches the application’s behavior for security and privacy violations such as attempts to retrieve a user’s sensitive information, send SMS covertly to premium numbers, or access malicious IP addresses. Aurasium can also detect and prevent cases of privilege escalation attacks. Experiments show that we can apply this solution to a large sample of benign and malicious applications with a near 100 percent success rate, without significant performance and space overhead. Aurasium has been tested on three versions of the Android OS, and is freely available.

1 Introduction

Google’s Android OS is undoubtedly the fastest growing mobile operating system in the world. In July 2011, Nielsen placed the market share of Android in the U.S. at 38 percent of all active U.S. smartphones [9]. Weeks later, for the period ending in August, Nielsen found that Android has risen to 43 percent. More important, among those who bought their phones in June, July, or August, Google had a formidable 56 percent market share. This unprecedented growth in popularity, together with the openness of its application ecosystem, has attracted malicious entities to aggressively target Android. Attacks on Android by malware writers have jumped by 76 percent over the past three months according to a report by McAfee [29], making it the most assaulted mobile operating system during that period. While much of the initial wave of Android malware consisted of trojans that masquerade as legitimate applications and leak a user’s personal information or send SMS messages to premium numbers, recent malware samples indicate an escalation in the capability and stealth of Android malware. In particular, attempts are made to gain root access on the device through escalation of privilege [37] to establish a stealthy permanent presence on the device or to bypass Android permission checks.

Fighting malware and securing Android-powered devices has focused on three major directions. The first one consists of statically [20] and dynamically [12, 36] analyzing application code to detect malicious activities before the application is loaded onto the user’s device. The second consists of modifying the Android OS to insert monitoring modules at key interfaces to allow the interception of malicious activity as it occurs on the device [19, 27, 17, 33, 13]. The third approach consists of using virtualization to implement rigorous separation of domains ranging from lightweight isolation of applications on the device [35] to running multiple instances of Android on the same device through the use of a hypervisor [26, 30, 11].

Two fundamental and intertwined problems plague these approaches. The first is that the definition of malicious behavior in an Android application is hard to ascertain. Access to privacy- and security-relevant parts of Android’s API is controlled by an install-time application permission system. Android users are informed about what data and resources an application will have access to, and user consent is required before the application can be installed. These explicit permissions are declared in the application package. Install-time permissions provide users with control over their privacy, but are often coarse-grained. A permission granted at install time is granted as long as the application is installed on the device. While an application might legitimately request access to the Internet, it is not clear what connections it may establish with remote servers that may be malicious. Similarly, an application might legitimately require sending SMS messages. Once the SMS permission is granted, there are no checks to prevent the application from sending SMS messages to premium numbers without user consent. In fact, the mere request for SMS permission by an application can be deemed malicious according to a recent Android applications analysis [24], where it is suggested that 82 percent of malicious applications require permissions to access SMS. A recent survey [18] exposes many of the problems [22, 14] associated with application components interactions, delegation of permission, and permission escalation attacks due to poor or missing security policy specifications by developers. This prompted early work [21] on security policy extension for Android.

The second problem is that any approach so far that attempts to enhance the platform’s security and privacy controls based on policy extensions requires extensive modification to the operating system. This has significant usability issues and hinders any efforts for widespread adoption. There exist numerous tablet and phone models with different hardware configurations, each running a different Android OS version with its own customizations and device drivers. This phenomenon, also known as the infamous Android version fragmentation problem [16], demonstrates that it is difficult to provide a custom-built Android for all possible devices in the wild. And it is even more difficult to ask a normal user to apply the source patch of some security framework and compile the Android source tree for that user’s own device. These issues will prevent many OS-based Android security projects from being widely adopted by the normal users. Alternatively, it is equally difficult to bring together Google, the phone manufacturers, and the cellular providers to introduce security extensions at the level of the consumer market, due to misaligned incentives from different parties.

Our Approach

We aim at addressing these challenges by providing a novel, simple, effective, robust, and deployable technology called Aurasium. Conceptually, we want Aurasium to be an application-hardening service: a user obtains arbitrary Android applications from potentially untrusted places, but instead of installing the application as is, pushes the application through the Aurasium black box and gets a hardened version. The user then installs this hardened version on the phone, assured by Aurasium that all of the application’s interactions are closely monitored for malicious activities, and policies protecting the user’s privacy and security are actively enforced.

Aurasium does not need to modify the Android OS at all; instead, it enforces flexible security and privacy policies to arbitrary applications by repackaging to attach sandboxing code to the application itself, which performs monitoring and policy enforcement. The repackaged application package (APK) can be installed on a user’s phone and will enforce at runtime any defined policy without altering the original APK’s functionalities. Aurasium exploits Android’s unique application architecture of mixed Java and native code execution to achieve robust sandboxing. In particular, Aurasium introduces libc interposition code to the target application, wrapping around the Dalvik virtual machine (VM) under which the application’s Java code runs. The target application is also modified such that the interposition hooks get placed each time the application starts.

Aurasium is able to interpose almost all types of interactions between the application and the OS, enabling much more fine-grained policy enforcement than Android’s built-in permission system. For instance, whenever an application attempts to access a remote site on the Internet, the IP of the remote server is checked against an IP blacklist. Whenever an application attempts to send an SMS message, Aurasium checks whether the number is a premium number. Whenever an application tries to access private information such as the International Mobile Equipment Identity (IMEI), the International Mobile Subscriber Identity (IMSI), stored SMS messages, contact information, or services such as camera, voice recorder, or location, a policy check is performed to allow or disallow the access. Aurasium also monitors I/O operations such as write and read. We evaluated Aurasium against a large number of real-world Android applications and achieved over 99 percent success rate. Repackaging an arbitrary application using Aurasium is fast, requiring an average of 10 seconds.

Our main contributions are that

• We have built an automated system to repackage arbitrary APKs where arbitrary policies protecting privacy and ensuring security can be enforced.

• We have developed a set of policies that take advantage of advances in malware intelligence such as IP blacklisting.

• We provide a way of protecting users from malicious applications without making any changes to the underlying Android architecture. This makes Aurasium a technology that can be widely deployed.

• Aurasium is a robust technology that was tested on three versions of Android. It has low memory and runtime overhead and, unlike other approaches, is more portable across the different OS versions.

The paper is organized as follows: Section 2 provides some background information on the architecture of Android and then goes through details about the architecture, enforceable policies and deployment methods of Aurasium.

small number of applications employ native code for the most performance-critical tasks.
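The connect-time IP blacklist check described in the introduction, sketched as an added example (not code from the paper or from Aurasium): a wrapper that a libc interposition layer could route connect() calls through. The function names and the blocked ranges (RFC 5737 documentation networks) are assumptions; the example goes slightly beyond the text by also covering IPv4-mapped IPv6 destinations.

```c
/* Added illustration (not Aurasium's code): connect() wrapper enforcing an
 * IP blocklist before the call reaches libc. Names/ranges are constructed. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

struct cidr { const char *net; int bits; };
/* Constructed sample policy: RFC 5737 documentation ranges. */
static const struct cidr BLOCKLIST[] = { { "192.0.2.0", 24 }, { "203.0.113.0", 24 } };

/* Returns 1 if the host-order IPv4 address falls in a blocked range. */
static int ipv4_blocked(uint32_t addr)
{
    for (size_t i = 0; i < sizeof BLOCKLIST / sizeof BLOCKLIST[0]; i++) {
        struct in_addr net;
        if (inet_pton(AF_INET, BLOCKLIST[i].net, &net) != 1)
            continue;
        uint32_t mask = BLOCKLIST[i].bits ? ~0u << (32 - BLOCKLIST[i].bits) : 0;
        if ((addr & mask) == (ntohl(net.s_addr) & mask))
            return 1;
    }
    return 0;
}

/* Policy decision for one destination; non-IP families are not judged here. */
int dest_blocked(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET)
        return ipv4_blocked(ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr));
    if (sa->sa_family == AF_INET6) {
        const struct in6_addr *a6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        if (IN6_IS_ADDR_V4MAPPED(a6)) {   /* ::ffff:a.b.c.d reaches an IPv4 host */
            uint32_t v4;
            memcpy(&v4, &a6->s6_addr[12], 4);
            return ipv4_blocked(ntohl(v4));
        }
    }
    return 0;
}

/* What a hooked call site would invoke in place of libc connect(). */
int policy_connect(int fd, const struct sockaddr *sa, socklen_t len)
{
    if (dest_blocked(sa)) { errno = EACCES; return -1; }  /* deny before the syscall */
    return connect(fd, sa, len);
}
```

A denied call fails with EACCES without ever reaching the kernel, while an allowed destination is forwarded unchanged, so the application sees ordinary connect() semantics either way.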