Fine-Grained Access Control for Mobile Platforms

Thomas Nyman
Department of Computer Science, University of Helsinki
[email protected].fi

ABSTRACT

With the introduction of the smartphone, mobile phones have gone from closed systems with limited capability to mobile software platforms with rich software ecosystems. The same operating systems are now present in other mobile devices as well, such as tablets. The security mechanisms of such software platforms have, apart from end-user requirements, been heavily influenced by business and legislative requirements.

The enormous growth of the smartphone business has spurred interest in research on mobile device security. This paper explores the security architecture and access control mechanisms present in Android, a well-established mobile device platform, and compares the approach to Tizen, an up-and-coming mobile operating system developed by Intel and Samsung. In addition, some research directions in mobile device security are briefly presented.

1. INTRODUCTION

In 1996 Nokia introduced the Nokia 9000 Communicator, one of the first devices reminiscent of modern smartphones. In addition to phone calls it allowed users to send and receive faxes, e-mail and SMS messages as well as access the Internet. It also featured functions such as an electronic address book, calendar, notepad and, perhaps most importantly, an open development environment enabling third-party application development [5]. Since then, smartphones have become a multi-billion dollar business. According to estimates by Strategy Analytics, the number of smartphones in use exceeded 1 billion units in 2012 [7].

Modern smartphones are characterized by many of the same properties as the original Nokia Communicator. They support installation of third-party applications, typically have wireless Internet access and also contain private or sensitive information such as personal messages, contacts etc. [18]. Recently, the same operating systems present in smartphones have been adopted to a multitude of different devices, such as tablets, netbooks, smart TVs and perhaps, in the near future, In-Vehicle Infotainment (IVI) systems as well [24].

Mobile phones started out as closed systems with limited functionality. As mobile platforms have been opened up to third-party developers, it has become increasingly important to protect end users from malicious or malfunctioning software. Apart from privacy issues, which can become a nuisance, such software can cause direct harm, such as incurring considerable financial losses with phone plans that allow access to premium numbers and services with little user intervention [18].

Even though the number of mobile malware samples collected by security companies such as F-Secure and McAfee increased dramatically in 2012 compared to previous years [12, 19], the reasons behind the platform security measures in place in mobile devices are largely related to business and regulatory requirements. Apart from malware, the threat model of mobile operating systems also includes malicious users attempting to circumvent content protection schemes, subsidy locks or otherwise tamper with the device. Regulators want to ensure secure storage of radio frequency parameters and device identifiers usable as a theft deterrent, such as the International Mobile Equipment Identifier (IMEI). Mobile network operators want to enforce vendor lock-in, such as preventing customers who bought subsidized mobile phones from moving to other operators for the duration of their contract. Preventing tampering with the IMEI and the International Mobile Subscriber Identifier (IMSI) is essential in enforcing such subsidy locks [18].

In order to meet the business, regulatory and end-user requirements, mobile platform vendors have developed various hardware and platform security measures. Many platforms have been designed with some kind of permission-based security scheme of varying granularity, allowing third-party applications limited access to device capabilities according to the principle of least privilege. A trend in such systems seems to be a movement towards finer granularity in permissions and better extensibility by third-party developers. The development of mobile platforms and the increase in popularity of smartphones has also led to an increased interest in research on mobile device security [18].

This paper explores the security architecture and access control models of two Linux-based operating systems for mobile devices. A well-established system, namely Android, is compared to Tizen, an up-and-coming system targeting various device types. The architecture and access control models of the two systems are described in Section 2. Commonalities and differences between the two systems are discussed in more detail in Section 3. Section 4 gives a brief overview of the current state of research concerning mobile device security. Section 5 concludes.

2. MOBILE SOFTWARE PLATFORMS

What follows is an overview of the security architecture and access control models of Android and Tizen. Both operating systems are Linux-based, which presents a favorable basis for comparison. Furthermore, information on the internals of both systems is publicly available. Other prominent mobile platforms, such as iOS, Windows Phone 8 and BlackBerry, for which information is not as readily available, are outside the scope of this paper, as are the recently introduced operating systems Firefox OS and Ubuntu Phone.

2.1 Android

Android is an operating system for mobile devices developed by a consortium of technology companies and mobile operators known as the Open Handset Alliance, led by Google [23]. According to estimates made by the research company Gartner, Android had a market share of close to 70% of worldwide smartphone sales to end users in the fourth quarter of 2012 [14]. Android is also the platform most targeted by malware. According to a report by F-Secure, close to 80% of mobile threats target the Android platform [12].

2.1.1 Architecture Overview

The foundation of the Android platform architecture, shown in Figure 1, is the Linux kernel and a set of device drivers depending on the device's hardware configuration. At the core of the architecture lies the Android Runtime, consisting of the Core Libraries and the Dalvik virtual machine, a register-based bytecode interpreter optimized for mobile systems. Android also includes C/C++ libraries which provide various functionality to different system components, such as a BSD-derived standard C system library (libc), the SQLite database and the WebKit rendering engine. The functionality of these libraries is exposed to developers through the Android Application Framework, which provides an Application Programming Interface (API) for accessing the middleware system services underlying each application [1].

Application Components

Android applications are typically written using the Java programming language, where the Java standard library has been replaced with the Android Application Framework. However, applications can also include or consist completely of native code [3].

Android applications consist of four different kinds of components [8]:

Content Providers provide persistent local data storage and also facilitate sharing data between applications. Content Providers are accessed through a Uniform Resource Identifier (URI) defined by the application owning the content provider [8].

Application access to system resources is controlled via install-time permissions. Permissions may be required to invoke methods defined in the Android Application Framework API, to access Content Providers and for Inter Process Communication (IPC). Applications can also define permissions of their own in order to protect access to application components [13].

Android applications are distributed as Application Package Files (APKs). Applications must declare in advance what permissions they require in an application manifest file contained within the APK. When a user installs an application, the permissions required by that application are displayed to the user, who must confirm the permissions in order to continue with the installation. The user does not have the option to selectively refuse certain permissions from a particular application but can abort the installation [25].

APKs are cryptographically signed with a developer certificate. Application updates are required to be signed with the same certificate as the original application [25]. Applications will not receive automatic updates if the new version of the application declares more permissions than the old one. In this case the application update must be confirmed by the user. This has been suggested as an incentive to break the principle of least privilege and declare unnecessary permissions in order to update automatically in the future, when the extra permissions have become necessary [13].

Application Sandbox

The kernel enforces process- and file-level separation between applications and the Android system through Linux user identifiers (UID) and group identifiers (GID). Each application is assigned a unique low-privilege UID, which functions as the effective UID of the application process and the owner of the application's files. Thus, by default, applications cannot interact with one another or access each other's files. As the application sandbox is enforced by the kernel, all software above the kernel, including the C/C++ libraries, application framework and runtime and the application code
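The manifest-declared permission model and the update rules described in Section 2.1.1 above, worked through as an added example that is not code from the paper or from the Android project. The two manifests and the signer fingerprints are constructed sample data; the package name com.example.notes and the custom permission READ_NOTES are assumed names; the Android namespace URI and the uses-permission and permission elements are the real manifest vocabulary. The script extracts the permissions a package requests and defines, then decides whether an update installs automatically, needs user confirmation because it requests more permissions than the installed version, or is rejected because it is not signed by the original developer certificate, which is the combination the paper identifies as an incentive to over-declare permissions.

```python
"""Model of Android's install-time permission checks as described in the text:
permissions are declared in the APK manifest, an update must be signed with the
same developer certificate as the installed version, and an update that requests
more permissions than the installed version needs explicit user confirmation.

All manifests and fingerprints below are constructed sample data (hypothetical).
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Real namespace used by AndroidManifest.xml for the android: attribute prefix.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PROTECTION_ATTR = f"{{{ANDROID_NS}}}protectionLevel"


@dataclass(frozen=True)
class Package:
    """The parts of an APK relevant here: its manifest and the signing-cert fingerprint."""
    manifest_xml: str
    signer_fingerprint: str  # digest of the developer certificate (constructed value)


def requested_permissions(manifest_xml: str) -> frozenset[str]:
    """Permissions the app asks for via <uses-permission> (shown to the user at install)."""
    root = ET.fromstring(manifest_xml)
    return frozenset(
        el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)
    )


def defined_permissions(manifest_xml: str) -> dict[str, str]:
    """Custom permissions the app defines with <permission>, mapped to protection level.
    An unspecified protectionLevel defaults to "normal", as on Android."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR): el.get(PROTECTION_ATTR, "normal")
        for el in root.iter("permission") if el.get(NAME_ATTR)
    }


def update_decision(installed: Package, update: Package) -> tuple[str, frozenset[str]]:
    """Apply the two update rules from the text.

    Returns ("rejected", {}) when the signer differs from the installed version,
    ("automatic", {}) when the update requests no new permissions, and
    ("needs_confirmation", added) when it requests permissions the old version lacked.
    """
    if installed.signer_fingerprint != update.signer_fingerprint:
        return "rejected", frozenset()
    added = requested_permissions(update.manifest_xml) - requested_permissions(
        installed.manifest_xml
    )
    if not added:
        return "automatic", frozenset()
    return "needs_confirmation", added


# Constructed manifest: version 1 requests INTERNET and defines a signature-level
# permission that guards its exported Content Provider (hypothetical names).
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <permission android:name="com.example.notes.permission.READ_NOTES"
                android:protectionLevel="signature"/>
    <application>
        <provider android:name=".NotesProvider"
                  android:authorities="com.example.notes"
                  android:exported="true"
                  android:readPermission="com.example.notes.permission.READ_NOTES"/>
    </application>
</manifest>"""

# Constructed manifest: version 2 additionally requests READ_CONTACTS.
MANIFEST_V2 = MANIFEST_V1.replace(
    '<uses-permission android:name="android.permission.INTERNET"/>',
    '<uses-permission android:name="android.permission.INTERNET"/>\n'
    '    <uses-permission android:name="android.permission.READ_CONTACTS"/>',
)

INSTALLED = Package(MANIFEST_V1, "sha256:0000-constructed-developer-cert")
UPDATE_SAME_SIGNER = Package(MANIFEST_V2, "sha256:0000-constructed-developer-cert")
UPDATE_OTHER_SIGNER = Package(MANIFEST_V2, "sha256:ffff-constructed-other-cert")

if __name__ == "__main__":
    print("v1 requests:", sorted(requested_permissions(MANIFEST_V1)))
    print("v1 defines:", defined_permissions(MANIFEST_V1))
    for label, candidate in (("same signer", UPDATE_SAME_SIGNER),
                             ("other signer", UPDATE_OTHER_SIGNER)):
        verdict, added = update_decision(INSTALLED, candidate)
        print(f"update ({label}): {verdict} {sorted(added)}")
```

The signer check is modelled as equality of a fingerprint string; real Android compares the certificates carried in the APK signature rather than a hash the installer already trusts. The "automatic" branch is the one that matters for least privilege: because only a permission set that grows forces a confirmation dialog, a developer who over-requests in version 1 never triggers it later, which is exactly the incentive the paper describes.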
