Android Security Analysis Final Report

According to recent worldwide sales figures reported by Gartner, Android is the most popular operating system (OS) when considering all general-purpose computing platforms (smartphones, tablets, laptops, and PCs). Mobile OSes such as Android introduce new security architectures designed with the experience of past lessons learned from traditional computing platforms. Most notably, Android provides a sandbox for applications (hereinafter "apps") which isolates app data and code execution from other apps [2]. Android places security controls on allowed interactions between apps, and between each app and underlying device resources. The Android security architecture is designed to provide protection from malicious app behaviors, and to increase resilience to prevent or minimize the impact of exploitation of security vulnerabilities.

By default, apps cannot access data stored by another app, and are restricted from interfering with the behavior of another app. Apps must request permission to access device capabilities such as the microphone, camera, or physical location services, such as Global Positioning System (GPS). Apps also must request permission to access sensitive information repositories such as contact lists. Apps are also limited in their ability to access other underlying device resources and services. Every app must include a manifest file that defines the app’s permissions and other important properties. The contents of the manifest file are read and enforced by the Android OS.

Nevertheless, opportunities for exploiting app security vulnerabilities exist. Several types of vulnerabilities are commonly found in Android apps. These vulnerabilities, when present, can be exploited by resident malicious apps or by network-based attackers. Additionally, malicious apps may attempt to exploit Android platform vulnerabilities as a means of bypassing Android’s sandbox protections. This report describes the results of our research efforts to mitigate these issues.