The prosperity of the Android ecosystem brings in a broad spectrum of external resources (accessories, web services, etc.), which vastly enrich Android devices' functionalities. Many individuals use smartphone accessories not only for convenience and entertainment (e.g., Bluetooth earpieces, USB travel chargers, etc.), but for performing important tasks related to domains such as healthcare and fitness (e.g., diabetes self-management), finance (e.g., credit card payments) and even home security. Furthermore, web resources are extensively utilized to support Android applications providing sensitive services like mobile banking, monetary transactions and investment management. The external resources carry private user information (health, finance, etc.) and are responsible for security-critical operations (e.g., home security). However, it is not clear whether they are sufficiently protected by mobile operating systems (OS).
EXTERNAL RESOURCE PROTECTION ON ANDROID. A recent study shows that an unauthorized software application or “app” with the BLUETOOTH and BLUETOOTH_ADMIN permissions can acquire unfettered access to an Android system's Bluetooth healthcare accessories and download sensitive medical data such as a patient's blood sugar level or other personal healthcare information. Also, research indicates that network sockets opened by screenshot services are exposed to any application with the INTERNET permission, allowing it to capture the screen of an Android phone at any given point. This lack of control on the network channel can also have other consequences. For example, given the INTERNET permission, an untrusted game application might be able to communicate directly with a corporate internal server, just as an authorized application does. Moreover, popular mobile credit-card payment systems are known to be vulnerable to unauthorized access as well. For example, it is reported that credit-card information transmitted by the Square dongle to its mobile application through the Audio jack is not encrypted. The credit card information can be easily accessed or acquired by any application with the AUDIO permission. Although the security vulnerability with the Square dongle may be fixed with an AES encryption scheme built into the dongle (which increases the cost of the device), such accessory/app-side solutions are rather ad hoc, and their security characteristics are difficult to control. Additionally, most external resources today are completely unprotected for reasons such as the desire to make applications easy for users, the limited capabilities of accessories, cost constraints, etc.
Indeed, as further described herein, researchers have successfully exploited the popular Jawbone UP wristband (an activity tracker recording a user's sleep, eating habits and other daily activities) through the Audio channel, and downloaded all its data using an unauthorized app. This lack of protection is also ubiquitous in apps receiving sensitive information from online resources through Short Message Service (“SMS”) and those connected to external devices using Near-Field Communication (“NFC”). More specifically, an analysis of high-profile online financial services (Bank of America, Chase, PayPal, etc.) and social networks (Facebook, Twitter, etc.) that deliver messages to their customers' devices (which should be received by the system app com.android.sms or the official apps of those services), and popular apps that have the NFC capability, has concluded that they are all vulnerable. Again, unauthorized apps could get the user's messages once they are granted the RECEIVE_SMS or READ_SMS permission, and read from the NFC devices they are not supposed to touch when they possess the NFC permission. Of particular concern here are the short messages from banks, which often contain sensitive information such as a password for two-factor authentication, account balances, etc., and therefore should only be seen by their customers through com.android.sms or other official apps provided by the vendor. In addition, messages from Twitter and Facebook even carry links for resetting account passwords. Such information turns out to be completely unprotected from unauthorized apps. Demos for the attacks are posted on a private website.
Such threats to external resources are both realistic and serious, given that many not-so-trustworthy apps do ask for the related permissions (sometimes with a legitimate reason for doing so) and have already been installed by hundreds of millions of Android users. Take RECEIVE_SMS as an example. Popular third-party apps like Go Locker (50,000,000 to 100,000,000 installations) use it to receive messages (in this case, displaying the message on the lock screen). As further described below, a study of 13,500 highly-ranked apps from Google Play (the 500 top apps from each of the 27 Google Play categories) shows that altogether 560 apps require the RECEIVE_SMS or the READ_SMS permission, accounting for a combined total of over 3 billion installations. The problem is that once those apps get the permission, they are also granted the privilege to read any message, including those from Chase with one's account details, from Facebook with the link for resetting the password, and from Life360 with information about family members' locations.
Fundamentally, Android is not designed to protect its external resources. Specifically, the Discretionary Access Control (hereinafter “DAC”) mechanism Android provides to its user is based upon permissions, which are meant for authorizing access to an Android device's local resources such as the camera, SD card, etc. When it comes to external resources, all permissions can do is control the individual channels through which the phone talks to external resources, such as Bluetooth, NFC, Internet, SMS and Audio. This access control is too coarse-grained to safeguard external resources of critical importance to the user, as it cannot differentiate between resources attached to the same channel, let alone enforce different access policies to protect them. As a result, whoever gets the permission for a channel (e.g., BLUETOOTH, AUDIO) is always given full access to every resource associated with that channel. Even the emerging SEAndroid-powered kernel, a Mandatory Access Control (hereinafter “MAC”) mechanism incorporated into Android to enable manufacturers or organizational administrators to specify and enforce finer-grained security policies, covers only local resources (e.g., files) and cannot even assign a security tag to an external resource.
SECURITY-ENHANCED CHANNEL CONTROL. Given the ongoing trend of using Android devices to support the Internet of Things (IoT) for security-critical applications (e.g., home security), it is important to extend the Android security model to protect its external resources. This needs to be done on both the MAC and DAC layers. On one hand, device manufacturers and organizational administrators should be given the means to dictate the way their accessories and online resources may be accessed by apps: for example, only an official Samsung app is allowed to talk to the Samsung smart watch through Bluetooth. On the other hand, flexibility needs to be granted to ordinary users, who utilize third-party accessories (e.g., an activity-tracking wristband) and interact with third-party online services to manage their private information. For example, the user may wish to install her favorite apps like Go Locker but wants to ensure that they cannot read her bank's messages. Development of such protection mechanisms needs to be well thought out, to avoid two separate mechanisms with duplicated functionality, which would complicate both the implementation and the operation of the security model.
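The following is an added illustrative model, not code from the original document or from any Android component, contrasting the coarse channel-level check described above with the two-layer (MAC plus user DAC) resource-level check this section calls for. All package names, device addresses and SMS sender numbers are constructed placeholders.

```python
from dataclasses import dataclass, field

# Stock Android permissions that each guard an entire channel.
CHANNEL_PERMS = {"BLUETOOTH": {"BLUETOOTH", "BLUETOOTH_ADMIN"},
                 "SMS": {"RECEIVE_SMS", "READ_SMS"}, "NFC": {"NFC"}, "AUDIO": {"AUDIO"}}

@dataclass(frozen=True)
class Resource:
    channel: str   # the channel the permission actually guards
    ident: str     # what the permission cannot see: a device address or SMS sender

@dataclass
class Policy:
    perms: dict = field(default_factory=dict)      # package -> permissions it holds
    mac: dict = field(default_factory=dict)        # resource -> packages bound to it
    user_deny: dict = field(default_factory=dict)  # package -> resources the user denied

    def coarse_check(self, pkg: str, res: Resource) -> bool:
        """Stock Android DAC: any permission on the channel grants every resource on it."""
        return bool(CHANNEL_PERMS[res.channel] & self.perms.get(pkg, set()))

    def check(self, pkg: str, res: Resource) -> bool:
        """Extended model: channel permission, then the manufacturer/administrator
        MAC binding, then the ordinary user's own per-resource denials."""
        if not self.coarse_check(pkg, res):
            return False
        if res in self.mac and pkg not in self.mac[res]:
            return False  # resource reserved for the packages bound to it
        return res not in self.user_deny.get(pkg, set())

# Constructed configuration; every package name and identifier is hypothetical.
WATCH = Resource("BLUETOOTH", "00:11:22:33:44:55")   # a smart watch
BANK_SMS = Resource("SMS", "+15550100")              # a bank's SMS sender
FRIEND_SMS = Resource("SMS", "+15550199")            # an ordinary contact

POLICY = Policy(
    perms={"com.example.watchapp": {"BLUETOOTH", "BLUETOOTH_ADMIN"},
           "com.example.game": {"BLUETOOTH", "INTERNET"},
           "com.example.locker": {"RECEIVE_SMS"}},
    mac={WATCH: {"com.example.watchapp"}},         # manufacturer: official app only
    user_deny={"com.example.locker": {BANK_SMS}},  # user: locker may not read bank SMS
)

def audit(policy: Policy = POLICY) -> dict:
    """Return (package, resource ident) -> (stock decision, extended decision)."""
    cases = [("com.example.game", WATCH), ("com.example.watchapp", WATCH),
             ("com.example.locker", BANK_SMS), ("com.example.locker", FRIEND_SMS)]
    return {(p, r.ident): (policy.coarse_check(p, r), policy.check(p, r)) for p, r in cases}
```

Under the stock check every case is allowed, because each package holds a permission on the channel; the extended check keeps the watch for its official app and the bank's messages away from the locker while leaving the user's other messages readable.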