Android Security Framework:
Extensible Multi-Layered Access Control on Android
Michael Backes, Sven Bugiel, Sebastian Gerling, Philipp von Styp-Rekowsky
{backes,bugiel,sgerling,styp-rekowsky}@cs.uni-saarland.de
Saarland University/CISPA, Germany
ABSTRACT
We introduce the Android Security Framework (ASF), a generic,
extensible security framework for Android that enables the
development and integration of a wide spectrum of security models
in the form of code-based security modules. The design of ASF
reflects lessons learned from the literature on established
security frameworks (such as Linux Security Modules or the BSD MAC
Framework) and intertwines them with the particular requirements
and challenges from the design of Android’s software stack. ASF
provides a novel security API that supports authors of Android
security extensions in developing their modules. This overcomes
the current unsatisfactory situation in which security solutions
are provided as separate patches to the Android software stack or
embedded into Android’s mainline codebase. This system security
extensibility is of particular benefit for enterprise or
government solutions that require deployment of advanced security
models not supported by vanilla Android. We present a prototypical
implementation of ASF and demonstrate its effectiveness and
efficiency by modularizing different security models from related
work, such as dynamic permissions, inlined reference monitoring,
and type enforcement.
1. INTRODUCTION
For several decades now, the need for operating system security
mechanisms to provide strong security and privacy guarantees has
been well understood [24, 34, 26, 5]. Yet, recent classes of
attacks against smartphone end-users’ privacy and security [19,
41, 29, 9] have shown that the fairly new smart device operating
systems fail to provide these strong guarantees, for instance,
with respect to access control or information flow control. To
remedy this situation, security research has proposed a wide
spectrum of security models and extensions for mobile operating
systems, most of them for the popular open-source Android OS.
These extensions include context-related access control [10],
developer-centric security policies [28], and dynamic,
fine-grained permissions [42, 21, 3]. They also comprise security
models [7, 33, 36, 8] such as domain isolation and type
enforcement, which are usually at the heart of enterprise and
governmental security solutions.
ACSAC’14, December 08–12, 2014, New Orleans, LA, USA
Copyright is held by the owner/author(s). Publication rights licensed to ACM.
ACM 978-1-4503-3005-6/14/12 ...$15.00.
http://dx.doi.org/10.1145/2664243.2664265.
However, the lack of a comprehensive security API for the
development and modularization of security extensions on Android
has created the unsatisfactory situation that all of these novel
and warranted security models are either provided as
model-specific patches to the Android software stack, or they
became an integrated component of the Android OS design [36]. When
considering the body of literature on established security
frameworks, such as Linux Security Modules (LSM) [40] or the BSD
MAC Framework [39], their history has taught that the need to
patch the OS or the hard-wiring of a specific security model
impairs both the practical and theoretical benefits of security
solutions. First, there is in general no consensus on the “right”
security model, as demonstrated by the broad range of Android
security extensions [10, 28, 3, 42, 7, 36]. Thus, OS security
mechanisms should not limit policy authors to one specific
security model by embedding it into the OS design. Second,
providing security solutions as “security-model-specific Android
forks” impedes their maintainability across different OS versions,
because every update to the Android software stack has to be
re-evaluated for and applied to each fork separately.
Contributions. In this paper, we propose the design and
implementation of the Android Security Framework (ASF), which
allows security experts to develop and deploy their security
models in the form of modules as part of Android’s platform
security. This provides the means to easily extend the Android
security mechanisms and spares security designers from having to
choose “the right Android security fork” and the OS vendor from
having to impose a specific security model. In the design of ASF
we transfer the lessons learned and guiding principles from the
literature on established OS security infrastructures to Android
and intertwine them with new requirements for efficient security
policies for multi-tiered software stacks of smart devices. In
contrast to concurrent, independent work [20], which introduced
extensibility for security apps (i.e., add-ons), our design
establishes a generic and extensible security framework that
allows instantiating security models by design as part of
Android’s platform security and enables not only extending but
also replacing Android’s default security mechanisms. This is
particularly beneficial when tailoring Android for higher-security
deployments like enterprise phones, where the default mechanisms
are insufficient or even obsolete (e.g., when the IT department is
an additional stakeholder that decides on apps’ privileges and
installation). We make the following contributions: