Trust, But Verify: A Longitudinal Analysis Of Android OEM Compliance and Customization

Possemato, Andrea; Aonzo, Simone; Balzarotti, Davide; Fratantonio, Yanick

doi:10.1109/sp40001.2021.00074

Cited by 20 publications

(12 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…A separate growing body of work examines Android OS security from an access control perspective [26], [31], [37], [46], [47]. Android access control, especially SEAndroid, plays an essential role in securing IPC.…”

Section: Related Workmentioning

confidence: 99%

“…We use a modified version of the ATextract tool [44] to extract the files needed to analyze the SELinux policies and native daemons from the firmware images. For Android versions higher than 8.0, and for vendors that are not supported by the modified version of the ATextract tool, we use the newly released unpacking tool developed by Possemato et al [37]. The tool was modified to restructure the extracted image in the right format to be interpreted by our analysis pipeline.…”

Section: Image Extractionmentioning

confidence: 99%

“…Multiple tools have been developed that facilitate the unpacking process or different stages of it. However, to our knowledge, there is no freely available unified factory image unpacking tool that can unpack any firmware image across different versions and vendors, except for the one we used [37], [44]. These tools are outdated, however, and only support Android versions 5-9 for AOSP, and 5-8 for other vendors.…”

Section: Limitationsmentioning

confidence: 99%

See 2 more Smart Citations

SAUSAGE: Security Analysis of Unix domain Socket Usage in Android

Elgharabawy¹,

Kojusner²,

Mannan³

et al. 2022

Preprint

View full text Add to dashboard Cite

The Android operating system is currently the most popular mobile operating system in the world. Android is based on Linux and therefore inherits its features including its Inter-Process Communication (IPC) mechanisms. These mechanisms are used by processes to communicate with one another and are extensively used in Android. While Androidspecific IPC mechanisms have been studied extensively, Unix domain sockets have not been examined comprehensively, despite playing a crucial role in the IPC of highly privileged system daemons. In this paper, we propose SAUSAGE, an efficient novel static analysis framework to study the security properties of these sockets. SAUSAGE considers access control policies implemented in the Android security model, as well as authentication checks implemented by the daemon binaries. It is a fully static analysis framework, specifically designed to analyze Unix domain socket usage in Android system daemons, at scale. We use this framework to analyze 200 Android images across eight popular smartphone vendors spanning Android versions 7-9. As a result, we uncover multiple access control misconfigurations and insecure authentication checks. Our notable findings include a permission bypass in highly privileged Qualcomm system daemons and an unprotected socket that allows an untrusted app to set the scheduling priority of other processes running on the system, despite the implementation of mandatory SELinux policies. Ultimately, the results of our analysis are worrisome; all vendors except the Android Open Source Project (AOSP) have access control issues, allowing an untrusted app to communicate to highly privileged daemons through Unix domain sockets introduced by hardware manufacturer or vendor customization.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Image Extractionmentioning

confidence: 99%

Section: Limitationsmentioning

confidence: 99%

See 1 more Smart Citation

SAUSAGE: Security Analysis of Unix domain Socket Usage in Android

Elgharabawy¹,

Kojusner²,

Mannan³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Neste cenário, os Original Equipment Manufacturers (OEMs) desenvolvem seus modelos particulares e em fabricas próprias [Possemato et al 2021]. Caso estes fabricantes optem por utilizar o Android e os serviços Google Mobile Service (GMS) em seus dispositivos, deve-se atender um conjunto de regras e requisitos definidos em uma documentação disponibilizada pelo Google chamada Compatibility Definition Document (CDD) [Developers 2022], além disso existem definições sobre como os aplicativos do Google devem vir instalados na release, este é conhecido como Mobile Application Distribution Agreement (MADA).…”

Section: Introductionunclassified

Desenvolvimento E Avaliação De Um Controlador Preditivo Não-Linear Baseado Em Modelo Quasilinear Modificado

Sobrinho¹,

Fontes²

2023

Engenharia Elétrica E De Computação: Docência, Pesquisa E Inovação Tecnológica

View full text Add to dashboard Cite

Editora Direitos para esta edição cedidos à Atena Editora pelos autores. Open access publication by Atena Editora Todo o conteúdo deste livro está licenciado sob uma Licença de Atribuição Creative Commons. Atribuição-Não-Comercial-NãoDerivativos 4.0 Internacional (CC BY-NC-ND 4.0). O conteúdo dos artigos e seus dados em sua forma, correção e confiabilidade são de responsabilidade exclusiva dos autores, inclusive não representam necessariamente a posição oficial da Atena Editora. Permitido o download da obra e o compartilhamento desde que sejam atribuídos créditos aos autores, mas sem a possibilidade de alterála de nenhuma forma ou utilizá-la para fins comerciais.Todos os manuscritos foram previamente submetidos à avaliação cega pelos pares, membros do Conselho Editorial desta Editora, tendo sido aprovados para a publicação com base em critérios de neutralidade e imparcialidade acadêmica.A Atena Editora é comprometida em garantir a integridade editorial em todas as etapas do processo de publicação, evitando plágio, dados ou resultados fraudulentos e impedindo que interesses financeiros comprometam os padrões éticos da publicação. Situações suspeitas de má conduta científica serão investigadas sob o mais alto padrão de rigor acadêmico e ético.

show abstract

“…The Android Operational System, which is one of the biggest software of the world, has an adhesion about 71,93% on Mobile devices in January 2021 [Laricchia 2022], it has some rigid quality standards to be attended. In this scenario, the Original Equipment Manufacturers (OEMs) develops their private models on its own industries [Possemato et al 2021]. In case these manufacturers choose to use Android and services as Google Mobile Service (GMS) on their devices, they must comply with an amount of rules and requirements defined in contract, which is called Mobile Application Distribution Agreement (MADA).…”

Section: Introductionmentioning

confidence: 99%

An Industry Case Study: Methodology Application to the Reviewing Process on Android Releases Homologation

Lancellotta¹,

Barbosa²,

Santos³

et al. 2022

Anais Estendidos Do XIII Congresso Brasileiro De Software: Teoria E Prática (CBSoft Estendido 2022)

View full text Add to dashboard Cite

Quality is the main factor at any process, in the software context is not different. The Android Operational System has rigid quality standards. Device producers who choose to use Android, must comply with rules and contract requirements. The quality assurance concerning these rules on Android release homologation process is challenging, due to the great amount of test artifacts to be analyzed at the end of process. In this paper, we propose a methodology to improve the review step for Android releases homologation. As a preliminary result, we identified 52,84% of improvement using the proposed approach. In advance of this research, we intend to implement the automation and evaluate it’s impact in a context of software quality product in our company.

show abstract

Trust, But Verify: A Longitudinal Analysis Of Android OEM Compliance and Customization

Cited by 20 publications

References 9 publications

SAUSAGE: Security Analysis of Unix domain Socket Usage in Android

SAUSAGE: Security Analysis of Unix domain Socket Usage in Android

Desenvolvimento E Avaliação De Um Controlador Preditivo Não-Linear Baseado Em Modelo Quasilinear Modificado

An Industry Case Study: Methodology Application to the Reviewing Process on Android Releases Homologation

Contact Info

Product

Resources

About