Abstract: Mobile operating systems (i.e., mobile platforms) favor flexibility and re-usability as design principles and provide mobile applications with channels for establishing cross-origin interactions in an effort to realize these principles. Under this cross-origin scheme, applications accomplish tasks collaboratively with other principals, such as the web, other applications, and system components, by relying on them for certain functionality and data, considerably saving platform resources as well as the programming efforts of application developers. While clearly helping to provide a captivating mobile experience, this rich set of interactions within mobile platforms unfortunately also creates significant attack vectors and poses notable security risks that need to be carefully taken into account to ensure the security of the platform.
In this thesis, we focus on the security of cross-origin interaction channels on mobile operating systems. We choose Android as a use case due to its popularity and open-source nature, and show that cross-origin interactions constitute a significant impediment to establishing least privilege on Android. More specifically, we show that there are severe issues in the security mechanisms that Android puts in place for these interactions, or even a lack of adequate mechanisms to protect them, which enable adversaries to stealthily obtain sensitive user data, high-risk platform resources, and application functionality. We demonstrate the severity of these vulnerabilities through measurement studies and exploit showcases on popular real-world applications with millions of downloads on Google Play, and show that a majority of Android users are rendered vulnerable by these critical issues. As a remedy, we propose practical designs that strive to make Android more robust and secure by addressing the problems with cross-origin channels in a systematic, effective, and efficient manner.
In particular, we show that mobile applications that utilize embedded web browsers are at risk of inadvertently exposing critical resources to untrusted web domains, and we propose a systematic and practical access control mechanism to address this issue. Additionally, we disclose serious vulnerabilities in Android's permission framework that put inter-process communication and platform resources at severe risk, and we redesign Android permissions to systematically resolve the issues. Finally, we present new attacks on Android's runtime permissions which prove that this new permission model cannot satisfy its key security guarantees due to design issues and vulnerabilities, jeopardizing the security of platform resources. We discuss the current approach taken by Android to mitigate these issues and demonstrate how this mechanism, although seemingly an ideal solution, is still intrinsically broken due to the vulnerabilities that we discovered.
All in all, this thesis aims to identify issues that threaten least privilege on mobile platforms and strives to provide practical mitigation solutions to resolve them. Our work has influenced the design and implementation of some of the critical security mechanisms in Android and has consequently led to changes in the official Android releases by Google. Even though we used Android as a use case here, the issues we disclose in this thesis can also be encountered on other mobile platforms that utilize cross-origin interactions, and our methodologies and designs go beyond Android to the design of mobile operating systems more generally.