Focus

Understanding
Android Security

T
he next generation of open operating systems middleware layer running on an
embedded Linux kernel, so de-
won’t be on desktops or mainframes but on the velopers wishing to port their
application to Android must use
small mobile devices we carry every day. The its custom user interface environ-
ment. Additionally, Android re-
openness of these new environments will lead to stricts application interaction to its
special APIs by running each ap-
new applications and markets and will enable greater integration plication as its own user identity.
Although this controlled interac-
William Enck, with existing online services. and applications are now available tion has several beneficial security
Machigar However, as the importance of the for it. One of Android’s chief sell- features, our experiences devel-
Ongtang, data and services our cell phones ing points is that it lets developers oping Android applications have
and Patrick support increases, so too do the seamlessly extend online services revealed that designing secure
McDaniel opportunities for vulnerability. It’s to phones. The most visible exam- applications isn’t always straight-
Pennsylvania essential that this next generation ple of this feature is, unsurprising- forward. Android uses a simple
State of platforms provides a compre- ly, the tight integration of Google’s permission label assignment model
University hensive and usable security infra- Gmail, Calendar, and Contacts to restrict access to resources and
structure. Web applications with system util- other applications, but for reasons
Developed by the Open Hand- ities. Android users simply supply a of necessity and convenience, its
set Alliance (visibly led by Google), username and password, and their designers have added several po-
Android is a widely anticipated phones automatically synchro- tentially confusing refinements as
open source operating system for nize with Google services. Other the system has evolved.
mobile devices that provides a vendors are rapidly adapting their This article attempts to un-
base operating system, an applica- existing instant messaging, social mask the complexity of Android
tion middleware layer, a Java soft- networks, and gaming services to security and note some possible
ware development kit (SDK), and Android, and many enterprises are development pitfalls that occur
a collection of system applications. looking for ways to integrate their when defining an application’s se-
Although the Android SDK has own internal operations (such as curity. We conclude by attempt-
been available since late 2007, the inventory management, purchas- ing to draw some lessons and
first publicly available Android- ing, receiving, and so forth) into identify opportunities for future
ready “G1” phone debuted in late it as well. enhancements that should aid in
October 2008. Since then, An- Traditional desktop and server clarity and correctness.
droid’s growth has been phenom- operating systems have struggled
enal: T-Mobile’s G1 manufacturer to securely integrate such per- Android Applications
HTC estimates shipment volumes sonal and business applications The Android application frame-
of more than 1 million phones by and services on a single platform. work forces a structure on devel-
the end of 2008, and industry in- Although doing so on a mobile opers. It doesn’t have a main()
siders expect public adoption to platform such as Android remains function or single entry point for
increase steeply in 2009. Many nontrivial, many researchers hope execution—instead, developers
other cell phone providers have ei- it provides a clean slate devoid of must design applications in terms
ther promised or plan to support it the complications that legacy soft- of components.
in the near future. ware can cause. Android doesn’t
A large community of devel- officially support applications de- Example Application
opers has organized around An- veloped for other platforms: ap- We developed a pair of applications
droid, and many new products plications execute on top of a Java to help describe how Android ap-

50 Published by the IEEE Computer Society ■ 1540-7993/09/$25.00 © 2009 IEEE ■ IEEE Security & Privacy

plications operate. Interested readers
can download the source code from
our Web site (http://siis.cse.psu.
edu/android_sec_tutorial.html).
Let’s consider a location-sen-
sitive social networking applica-
tion for mobile phones in which
users can discover their friends’
locations. We split the functional-
ity into two applications: one for
tracking friends and one for view-
ing them. As Figure 1 shows, the
FriendTracker application consists
of components specific to tracking
friend locations (for example, via a
Web service), storing geographic
coordinates, and sharing those co-
ordinates with other applications.
The user then uses the Friend-
Viewer application to retrieve the
stored geographic coordinates and
view friends on a map.
Both applications contain mul-
tiple components for performing
their respective tasks; the com-
ponents themselves are classi-
fied by their component types. An
Android developer chooses from
predefined component types de-
pending on the component’s pur-
pose (such as interfacing with a
user or storing data).
Component Types
Android defines four component
types:
• Activity components define an
application’s user interface.
Typically, an application devel-
oper defines one activity per
“screen.” Activities start each
other, possibly passing and re-
turning values. Only one activ-
ity on the system has keyboard
and processing focus at a time;
all others are suspended.
• Service components perform
background processing. When
an activity needs to perform
some operation that must con-
tinue after the user interface
disappears (such as download a
file or play music), it commonly
starts a service specifically de-
signed for that action. The de-
Focus
FriendTracker application FriendViewer application
BootReceiver FriendTracker FriendReceiver FriendTracker
Broadcast receiver Service Broadcast receiver Activity
FriendTracker- FriendViewer
Control FriendProvider
Activity Content provider Activity
Figure 1. Example Android application. The FriendTracker and FriendViewer applications
consist of multiple components of different types, each of which provides a different set of
functionalities. Activities provide a user interface, services execute background processing,
content providers are data storage facilities, and broadcast receivers act as mailboxes for
messages from other applications.
veloper can also use services as Figure 1 shows the Friend­
application-­specific daemons, Tracker and FriendViewer appli-
possibly starting on boot. Ser- cations containing the different
vices often define an interface component types. The developer
for Remote Procedure Call specifies components using a man-
(RPC) that other system com- ifest file (also used to define policy
ponents can use to send com- as described later). There are no
mands and retrieve data, as well restrictions on the number of com-
as register callbacks. ponents an application defines for
• Content provider components store each type, but as a convention, one
and share data using a relational component has the same name as
database interface. Each content the application. Frequently, this is
provider has an associated “au- an activity, as in the FriendViewer
thority” describing the content it application. This activity usually
contains. Other components use indicates the primary activity that
the authority name as a handle the system application launcher
to perform SQL queries (such as uses to start the user interface;
SELECT, INSERT, or DELETE) to however, the specific activity cho-
read and write content. Although sen on launch is marked by meta
content providers typically store information in the manifest. In
values in database records, data the FriendTracker application,
retrieval is implementation- for example, the FriendTracker-
­specific—for example, files are Control activity is marked as the
also shared through content pro- main user interface entry point.
vider interfaces. In this case, we reserved the name
• Broadcast receiver components “FriendTracker” for the service
act as mailboxes for messages component performing the core
from other applications. Com- application logic.
monly, application code broad- The FriendTracker application
casts messages to an implicit contains each of the four com-
destination. Broadcast receivers ponent types. The FriendTracker
thus subscribe to such destina- service polls an external service
tions to receive the messages to discover friends’ locations. In
sent to it. Application code can our example code, we generate
also address a broadcast receiv- locations randomly, but extend-
er explicitly by including the ing the component to interface
namespace assigned to its con- with a Web service is straightfor-
taining application. ward. The FriendProvider con-
www.computer.org/security/ ■ IEEE Security & Privacy 51
 Focus
System server
System Location
service manager
Broadcast intent Bind
FriendTracker
application Broad-
cast
BootReceiver
intent
FriendReceiver
FriendTracker
Start/stop Read/write Read
FriendTracker- Read
FriendViewer
Control FriendProvider
Figure 2. Component interaction. Android’s application-level interactions let the FriendTracker
and FriendViewer applications communicate with each other and system-provided applications.
Interactions occur primarily at the component level.
tent provider maintains the most
recent geographic coordinates for
friends, the FriendTrackerCon-
trol activity defines a user inter-
face for starting and stopping the
tracking functionality, and the
BootReceiver broadcast receiver
obtains a notification from the
system once it boots (the applica-
tion uses this to automatically start
the FriendTracker service).
The FriendViewer application
is primarily concerned with show-
ing information about friends’ lo-
cations. The FriendViewer activity
lists all friends and their geograph-
ic coordinates, and the FriendMap
activity displays them on a map.
The FriendReceiver broadcast re-
ceiver waits for messages that in-
dicate the physical phone is near
a particular friend and displays a
message to the user upon such an
event. Although we could have
placed these components within
the FriendTracker application,
we created a separate application
to demonstrate cross-application
communication. Additionally, by
separating the tracking and user
interface logic, we can create al-
ternative user interfaces with dif-
ferent displays and features—that
is, many applications can reuse the
logic performed in FriendTracker.
52 IEEE Security & Privacy ■ January/February 2009
Contacts application (system)
ViewContact
Start
FriendViewer
application
FriendMap
Start
Component Interaction
The primary mechanism for
component interaction is an in-
tent, which is simply a message
object containing a destination
component address and data.
The Android API defines meth-
ods that accept intents and uses
that information to start activities
(startActivity(Intent) ),
start services (startService
(Intent)), and broadcast messag-
es (sendBroadcast(Intent)).
The invocation of these methods
tells the Android framework to
begin executing code in the target
application. This process of in-
tercomponent communication is
known as an action. Simply put, an
intent object defines the “intent”
to perform an “action.”
One of Android’s most pow-
erful features is the flexibility al-
lowed by its intent-addressing
mechanism. Although develop-
ers can uniquely address a target
component using its application’s
namespace, they can also specify
an implicit name. In the latter
case, the system determines the
best component for an action by
considering the set of installed ap-
plications and user choices. The
implicit name is called an action
string because it specifies the type
of requested action—for exam-
ple, if the “VIEW” action string
is specified in an intent with data
fields pointing to an image file,
the system will direct the intent to
the preferred image viewer. De-
velopers also use action strings to
broadcast a message to a group of
broadcast receivers. On the receiv-
ing end, developers use an intent
filter to subscribe to specific action
strings. Android includes addi-
tional destination resolution rules,
but action strings with optional
data types are the most common.
Figure 2 shows the interac-
tion between components in the
FriendTracker and FriendViewer
applications and with components
in applications defined as part of
the base Android distribution. In
each case, one component initi-
ates communication with another.
For simplicity, we call this inter-
component communication (ICC).
In many ways, ICC is analogous
to ­inter-process communication
(IPC) in Unix-based systems. To
the developer, ICC functions iden-
tically regardless of whether the
target is in the same or a different
application, with the exception of
the security rules defined later in
this article.
The available ICC actions de-
pend on the target component.
Each component type supports
interaction specific to its type—
for example, when FriendViewer
starts FriendMap, the FriendMap
activity appears on the screen.
Service components support start,
stop, and bind actions, so the
FriendTrackerControl activity,
for instance, can start and stop the
FriendTracker service that runs
in the background. The bind ac-
tion establishes a connection be-
tween components, allowing the
initiator to execute RPCs defined
by the service. In our example,
FriendTracker binds to the loca-
tion manager in the system server.
Once bound, FriendTracker in-
vokes methods to register a call-
back that provides updates on

FriendTracker application
user: app_11
home: /data/data/friendtracker
Figure 3. Protection. Security enforcement in Android occurs in two places: each application executes as its own user identity, allowing
the underlying Linux system to provide system-level isolation; and the Android middleware contains a reference monitor that mediates
the establishment of inter-component communication (ICC). Both mechanisms are vital to the phone’s security, but the first is
straightforward to implement, whereas the second requires careful consideration of both mechanism and policy.
the phone’s location. Note that if
a service is currently bound, an
explicit “stop” action won’t ter-
minate the service until all bound
connections are released.
Broadcast receiver and content
provider components have unique
forms of interaction. ICC targeted
at a broadcast receiver occurs as an
intent sent (broadcast) either ex-
plicitly to the component or, more
commonly, to an action string
the component subscribes to. For
example, FriendReceiver sub-
scribes to the developer-defined
“FRIEND_NEAR” action string.
FriendTracker broadcasts an in-
tent to this action string when it
determines that the phone is near
a friend; the system then starts
FriendReceiver and displays a
message to the user.
Content providers don’t use in-
tents—rather, they’re addressed via
an authority string embedded in a
special content URI of the form
content://<authority>/
<table>/[<id>]. Here, ­<table>
indicates a table in the content pro-
vider, and <id> optionally specifies
a record in that table. Components
use this URI to perform a SQL
query on a content provider, op-
tionally including WHERE condi-
tions via the query API.
Android applications
FriendViewer application
ICC reference monitor
Android middleware
user: app_12
home: /data/data/friendviewer
Linux system
Security Enforcement
As Figure 3 shows, Android pro-
tects applications and data through
a combination of two enforcement
mechanisms, one at the system
level and the other at the ICC lev-
el. ICC mediation defines the core
security framework and is this ar-
ticle’s focus, but it builds on the
guarantees provided by the under-
lying Linux system.
In the general case, each ap-
plication runs as a unique user
identity, which lets Android limit
the potential damage of program-
ming flaws. For example, the Web
browser vulnerability discovered
recently after the official release of
T-Mobile G1 phones only affected
the Web browser itself (http://
securityevaluators.com/content/
case-studies/android/index.jsp).
Because of this design choice, the
exploit couldn’t affect other ap-
plications or the system. A similar
vulnerability in Apple’s iPhone
gave way to the first “jail break-
ing” technique, which let users
replace parts of the underlying
system, but would also have en-
abled a network-based adversary
to exploit this flaw (http://security
eva lu ator s.com /content/ca se
-studies/iphone/index.jsp).
ICC isn’t limited by user and
www.computer.org/security/
Focus
Contacts application
user: app_4
home: /data/data/contacts
process boundaries. In fact, all
ICC occurs via an I/O control
command on a special device
node, /dev/binder. Because
the file must be world readable
and writable for proper opera-
tion, the Linux system has no way
of mediating ICC. Although user
separation is straightforward and
easily understood, controlling
ICC is much more subtle and war-
rants careful consideration.
As the central point of secu-
rity enforcement, the Android
middleware mediates all ICC es-
tablishment by reasoning about
labels assigned to applications and
components. A reference moni-
tor1 provides mandatory access
control (MAC) enforcement of
how applications access compo-
nents. In its simplest form, access
to each component is restricted by
assigning it an access permission
label; this text string need not be
unique. Developers assign applica-
tions collections of permission la-
bels. When a component initiates
ICC, the reference monitor looks
at the permission labels assigned to
its containing application and—
if the target component’s access
permission label is in that collec-
tion—allows ICC establishment
to proceed. If the label isn’t in the
■ IEEE Security & Privacy 53
 Focus
Application 1
Permission A: ...
labels
... X
1
Inherit permissions
Figure 4. Access permission logic. The Android middleware implements a reference monitor
providing mandatory access control (MAC) enforcement about how applications access
components. The basic enforcement model is the same for all component types. Component
A’s ability to access components B and C is determined by comparing the access permission
labels on B and C to the collection of labels assigned to application 1.
collection, establishment is denied
even if the components are in the
same application. Figure 4 depicts
this logic.
The developer assigns permis-
sion labels via the XML manifest
file that accompanies every appli-
cation package. In doing so, the
developer defines the application’s
security policy—that is, assigning
permission labels to an application
specifies its protection domain,
whereas assigning permissions to
the components in an application
specifies an access policy to protect
its resources. Because Android’s
policy enforcement is mandatory,
as opposed to discretionary,2 all
permission labels are set at install
time and can’t change until the
application is reinstalled. How-
ever, despite its MAC properties,
Android’s permission label model
only restricts access to components
and doesn’t currently provide in-
formation flow guarantees, such as
in domain type enforcement.3
Security Refinements
Android’s security framework is
based on the label-oriented ICC
mediation described thus far, but
our description is incomplete. Par-
tially out of necessity and partially
for convenience, the Google de-
velopers who designed Android
incorporated several refinements
to the basic security model, some
of which have subtle side effects
and make its overall security diffi-
cult to understand. The rest of this
54 IEEE Security & Privacy ■ January/February 2009
Application 2
B: 1
Permission
labels
C: ...
2
section provides an exhaustive list
of refinements we identified as of
the v1.0r1 SDK release.
Public vs. Private
Components
Applications often contain com-
ponents that another application
should never access—for example,
an activity designed to return a
user-entered password could be
started maliciously. Instead of de-
fining an access permission, the
developer could make a compo-
nent private by either explicitly
setting the exported attribute to
false in the manifest file or letting
Android infer if the component
should be private from other attri-
butes in its manifest definition.
Private components simplify se-
curity specification. By making a
component private, the developer
doesn’t need to worry which per-
mission label to assign it or how
another application might acquire
that label. Any application can ac-
cess components that aren’t explic-
itly assigned an access permission,
so the addition of private compo-
nents and inference rules (intro-
duced in the v0.9r1 SDK release,
August 2008) significantly reduces
the attack surface for many applica-
tions. However, the developer must
be careful when allowing Android
to determine if a component is pri-
vate. Security-aware developers
should always explicitly define the
exported attribute for compo-
nents intended to be private.
Implicitly Open
Components
Developers frequently define in-
tent filters on activities to indicate
that they can handle certain types
of action/data combinations. Re-
call the example of how the sys-
tem finds an image viewer when
an intent specifying the VIEW
action and an image reference is
passed to the “start activity” API.
In this case, the caller can’t know
beforehand (much less at develop-
ment time) what access permission
is required. The developer of the
target activity can permit such
functionality by not assigning an
access permission to it—that is, if
a public component doesn’t ex-
plicitly have an access permission
listed in its manifest definition,
Android permits any application
to access it.
Although this default policy
specification enables functional-
ity and ease of development, it can
lead to poor security practices and
is contrary to Saltzer and Schroed-
er’s principle of fail-safe defaults.4
Referring back to our example
FriendViewer application, if the
FriendReceiver broadcast receiver
isn’t assigned an access permission,
any unprivileged installed appli-
cation can forge a FRIEND_NEAR
message, which represents a sig-
nificant security concern for appli-
cations making decisions based on
information passed via the intent.
As a general practice, security-
aware developers should always
assign access permissions to public
components—in fact, they should
have an explicit reason for not as-
signing one. All inputs should be
scrutinized under these conditions.
Broadcast Intent
Permissions
Components aren’t the only re-
source that requires protection. In
our FriendTracker example, the
FriendTracker service broadcasts
an intent to the FRIEND_NEAR ac-
tion string to indicate the phone is
physically near a friend’s location.

Although this event notification
lets the FriendViewer application
update the user, it potentially in-
forms all installed applications of
the phone’s proximity. In this case,
sending the unprotected intent is a
privacy risk. More generally, un-
protected intent broadcasts can
unintentionally leak information
to explicitly listening attackers.
To combat this, the Android API
for broadcasting intents optionally
allows the developer to specify a
permission label to restrict access
to the intent object.
The access permission label as-
signment to a ­broadcasted intent—
for example, sendBroadcast
(intent, “perm.FRIEND_NEAR”)—
restricts the set of applications that
can receive it (in this example,
only to applications containing
the “perm.FRIEND_NEAR” per-
mission label). This lets the devel-
oper control how information is
disseminated, but this refinement
pushes an application’s security
policy into its source code. The
manifest file therefore doesn’t give
the entire picture of the applica-
tion’s security.
Content Provider
Permissions
In our FriendTracker application,
the FriendProvider content pro-
vider stores friends’ geographic
coordinates. As a developer, we
want our application to be the only
one to update the contents but for
other applications to be able to
read them. Android allows such a
security policy by modifying how
access permissions are assigned to
content providers—instead of us-
ing one permission label, the de-
veloper can assign both read and
write permissions.
If the application perform-
ing a query with write side ef-
fects ­(INSERT, DELETE, UPDATE)
doesn’t have the write permission,
the query is denied. The separate
read and write permissions let
the developer distinguish between
data users and interactions that af-
fect the data’s integrity. Security-
aware developers should define
separate read and write permis-
sions, even if the distinction isn’t
immediately apparent.
Service Hooks
Although it wasn’t explicitly iden-
tified, the ­FriendTracker ser-
vice defines RPC interfaces: is
Tracking() and addNickname
(String). The isTracking()
method doesn’t change the ser-
vice’s running state; it simply re-
turns whether FriendTracker is
currently tracking locations. How-
ever, addNickname(String)
does modify the running state
by telling FriendTracker to start
tracking another friend. Due to
this state modification, the devel-
oper might want to differentiate
access to the two interfaces. Un-
fortunately, Android only lets the
developer assign one permission
label to restrict starting, stopping,
and binding to a service. Under
this model, any application that can
start or stop FriendTracker can also
tell it to monitor new friends. To
address this, Android provides the
checkPermission() method,
which lets developers arbitrarily
extend the reference monitor with
a more restrictive policy. In effect,
these service hooks let the devel-
oper write code to perform custom
runtime security.
Service hooks provide much
greater flexibility when defining
access policy—in fact, several ser-
vices provided in the base Android
distribution use them. However,
like broadcast intent permissions,
service hooks move policy into
the application code, which can
cloud application security.
Protected APIs
Not all system resources (such as
the network, camera, and mi-
crophone) are accessed through
components—instead, Android
provides direct API access. In fact,
the services that provide indi-
rect access to hardware often use
www.computer.org/security/
Focus
APIs available to third-party ap-
plications. Android protects these
sensitive APIs with additional per-
mission label checks: an applica-
tion must declare a corresponding
permission label in its manifest file
to use them. Bitfrost takes a simi-
lar approach (the “one laptop per
child” security model5), but it al-
lows controlled permission change
after installation.
By protecting sensitive APIs
with permissions, Android forces
an application developer to de-
clare the desire to interface with
the system in a specific way. Con-
sequently, vulnerable applications
can’t gain unknown access if ex-
ploited. The most commonly en-
countered protected API is for
network connections—for exam-
ple, the FriendViewer application
requires Internet access for map
information, so it must declare
the INTERNET permission label.
In general, protected APIs make
an application’s protection domain
much clearer because the policy is
defined in the manifest file.
Permission
Protection Levels
Early versions of the Android SDK
let developers mark a permission
as “application” or “system.” The
default application level meant
that any application requesting the
permission label would receive it.
Conversely, system permission la-
bels were granted only to applica-
tions installed in /data/system
(as opposed to /data/app, which
is independent of label assign-
ment). The likely reason is that
only system applications should be
able to perform operations such as
interfacing directly with the tele-
phony API.
The v0.9r1 SDK (August
2008) extended the early model
into four protection levels for
permission labels, with the meta
information specified in the
manifest of the package defining
the permission. “Normal” per-
missions act like the old applica-
■ IEEE Security & Privacy 55
 Focus
tion permissions and are granted
to any application that requests
them in its manifest; “dangerous”
permissions are granted only after
user confirmation. Similar to se-
curity checks in popular desktop
operating systems such as Micro-
soft Vista’s user account control
(UAC), when an application is in-
stalled, the user sees a screen list-
ing short descriptions of requested
dangerous permissions along with
OK and Cancel buttons. Here,
the user has the opportunity to
accept all permission requests or
deny the installation. “Signature”
permissions are granted only to
applications signed by the same
developer key as the package de-
fining the permission (application
signing became mandatory in the
v0.9r1 SDK). Finally, “signature
or system” permissions act like
signature permissions but exist
for legacy compatibility with the
older system permission type.
The new permission protec-
tion levels provide a means of
controlling how developers as-
sign permission labels. Signature
permissions ensure that only the
framework developer can use
the specific functionality (only
Google applications can directly
interface the telephony API, for
example). Dangerous permissions
give the end user some say in the
permission-granting process—for
example, FriendTracker defines
the permission label associated
with the FRIEND_NEAR intent
broadcast as dangerous. However,
the permission protection levels
express only trivial granting poli-
cies. A third-party application still
doesn’t have much control if it
wants another developer to use the
permission label. Making a per-
mission “dangerous” helps, but it
depends on the user understand-
ing the security implications.
Pending Intents
All the security refinements de-
scribed up to this point fall within
the realm of an extension to the
56 IEEE Security & Privacy ■ January/February 2009
basic MAC model. The v0.9r1
SDK release (August 2008) intro-
duced the concept of a “pending
intent,” which is rather straightfor-
ward: a developer defines an intent
object as normally done to per-
form an action (to start an activity,
for example). However, instead of
performing the action, the devel-
oper passes the intent to a special
method that creates a PendingIn-
tent object corresponding to the
desired action. The PendingIntent
object is simply a reference pointer
that can pass to another applica-
tion, say, via ICC. The recipient
application can modify the origi-
nal intent by filling in unspecified
address and data fields and specify
when the action is invoked. The
invocation itself causes an RPC
with the original application, in
which the ICC executes with all
its permissions.
Pending intents allow applica-
tions included with the framework
to integrate better with third-par-
ty applications. Used correctly,
they can improve an application’s
security—in fact, several Android
APIs require pending intents, such
as the ­location manager, which has
a “proximity update” feature that
notifies an application via intent
broadcast when a geographic area
is entered or exited. The pending
intent lets an application direct
the broadcast to a specific private
broadcast receiver. This prevents
forging without the need to co-
ordinate permissions with system
applications.
However, pending intents
diverge from Android’s MAC
model by introducing delegation.
By using a pending intent, an ap-
plication delegates the ability to
influence intent contents and the
time of performing the action.
Historically, certain delegation
techniques have substantial nega-
tive effects on the tractability of
policy evaluation.6
URI Permissions
The v1.0r1 SDK release (Sep-
tember 2008) introduced another
delegation mechanism—URI per­
missions. Recall that Android
uses a special content URI to ad-
dress content providers, optionally
specifying a record within a table.
The developer can pass such a
URI in an intent’s data field—for
example, an intent can specify the
VIEW action and a content URI
identifying an image file. If used
to start an activity, the system will
choose a component in a differ-
ent application to view the image.
If the target application doesn’t
have read permission to the con-
tent provider containing the im-
age file, the developer can use a
URI permission instead. In this
case, the developer sets a read flag
in the intent that grants the target
application access to the specific
intent-identified record.
URI permissions are essen-
tially capabilities for database re-
cords. Although they provide least
privilege4 access to content provid-
ers, the addition of a new delega-
tion mechanism further diverges
from the original MAC model. As
mentioned with pending intents,
delegation potentially impacts the
tractability of policy analysis. A
content provider must explicitly
allow URI permissions, therefore
they require the data store devel-
oper’s participation.
Lessons in
Defining Policy
Our experiences working with
the Android security policy re-
vealed that it begins with a rela-
tively easy-to-understand MAC
enforcement model, but the num-
ber and subtlety of refinements
make it difficult for someone to
discover an application’s policy
simply by looking at it. Some re-
finements push policy into the
application code. Others add dele-
gation, which mixes discretionary
controls into the otherwise typical
MAC model. This situation makes
gathering a firm grasp on An-
droid’s security model nontrivial.

Even with all the refinements,
holistic security concerns have
gone largely unaddressed. First,
what does a permission label really
mean? The label itself is merely
a text string, but its assignment
to an application provides access
to potentially limitless resources.
Second, how do you control access
to permission labels? Android’s
permission protection levels pro-
vide some control, but more ex-
pressive constraints aren’t possible.
As a purposefully simple example,
should an application be able to
access both the microphone and
the Internet?
W ill granting a permission
break the phone’s security?
Do the access permission assign-
[email protected]
.
ments to an application’s com-
ponents put the phone or the
application at risk? Android cur-
rently provides no means of an-
swering these questions.
We developed an enhanced
installer and security frame-
work to answer a variant of
these questions—namely, “does
an application break some larger
phone-wide security policy?”
[email protected]
.
Our tool, called Kirin,7 extracts
an application’s security policy
from its manifest file to deter-
mine if the requested permis-
sions and component permission
assignments are consistent with
the stakeholders’ definition of
a secure phone (stakeholders in
this context range from the net-
work provider to an enterprise to
a user). Kirin uses a formalized
model of the policy mechanisms
described in this article to gen-
[email protected]
.
erate automated proofs of com-
pliance using a Prolog engine
running on the phone. If an ap-
plication’s policy isn’t compliant,
it won’t be installed. By defining
security requirements in logic,
which we call policy invariants,
we significantly reduce the need
to defer install-time decisions to
the user—that is, the policy in-
variants capture the appropriate
response. We’ve successfully used
Kirin to identify multiple vulner-
abilities in the base applications
provided with Android and have
subsequently established an ongo-
ing relationship with Google to
fix the flaws and further investi-
gate Android’s security via Kirin.
In many ways, Android pro-
vides more comprehensive security
than other mobile phone platforms.
However, learning how to effec-
tively use its building blocks isn’t
easy. We’re only beginning to see
different types of applications, and
as Android matures, we’ll learn
how faulty application policy af-
fects the phone’s security. We be-
lieve that tools such as Kirin and
those like it will help mold An-
droid into the secure operating
system needed for next-generation
computing platforms.
References
1. J.P. Anderson, Computer Security
Technology Planning Study, tech.
report ESD-TR-73-51, Mitre,
Oct. 1972.
2. M.A. Harrison, W.L. Ruzzo, and
J.D. Ullman, “Protection in Op-
erating Systems,” Comm. ACM,
vol. 19, no. 8, 1976, pp. 461–471.
3. L. Badger et al., “Practical Do-
main and Type Enforcement for
UNIX,” Proc. IEEE Symp. Secu-
rity and Privacy, IEEE CS Press,
1995, pp. 66–77.
4. J. Saltzer and M. Schroeder, “The
Protection of Information in
Computer Systems,” Proc. IEEE,
vol. 63, no. 9, 1975, pp. 1278–
1308.
5. I. Krstic and S.L. Garfinkel, “Bit-
frost: The One Laptop per Child
Security Model,” Proc. Symp. Us-
able Privacy and Security, ACM
Press, 2007, pp. 132–142.
6. N. Li, B.N. Grosof, and J. Feigen-
baum, “Delegation Logic: A Log-
ic-Based Approach to Distributed
Authorization,” ACM Trans. Infor-
mation and System Security, vol. 6,
no.1, 2003, pp. 128–171.
7. W. Enck, M. Ongtang, and P.
www.computer.org/security/
Focus
McDaniel, Mitigating Android
Software Misuse Before It Happens,
tech. report NAS-TR-0094-2008,
Network and Security Research
Ctr., Dept. Computer Science and
Eng., Pennsylvania State Univ.,
Nov. 2008.
William Enck is a PhD candidate in
the Systems and Internet Infrastruc-
ture Security (SIIS) Laboratory in the
Department of Computer Science and
Engineering at Pennsylvania State Uni-
versity. His research interests include
operating systems security, telecom-
munications security, and systems and
network security. Enck has an MS in
computer science and engineering from
Pennsylvania State University. Contact
him
Machigar Ongtang is a PhD candidate
in the Systems and Internet Infrastruc-
ture Security (SIIS) Laboratory in the
Department of Computer Science and
Engineering at Pennsylvania State Uni-
versity. Her research interests include
pervasive computing, context-aware
security, and telecommunications secu-
rity. Ongtang has an MSc in informa-
tion technology for manufacture from
the University of Warwick, UK. Contact
her at
Patrick McDaniel is a co-director of
the Systems and Internet Infrastruc-
ture Security (SIIS) Laboratory and as-
sociate professor in the Department
of Computer Science and Engineering
at Pennsylvania State University. His
research interests include systems and
network security, telecommunications
security, and security policy. McDaniel
has a PhD in computer science from the
University of Michigan. Contact him at
Do you have any comments or
complaints regarding this or any
other article in our issue? Send a
letter to the editor! Please email
editor, Jenny Stout, at jstout@
computer.org. We’d love to hear
from you.
■ IEEE Security & Privacy 57