VirtualPatch: Distributing Android security patches through Android virtualization

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-08-09 DOI:10.1016/j.cose.2025.104615

Simeone Pizzi, Samuele Doria, Nicholas Miazzo, Eleonora Losiouk

{"title":"VirtualPatch: Distributing Android security patches through Android virtualization","authors":"Simeone Pizzi, Samuele Doria, Nicholas Miazzo, Eleonora Losiouk","doi":"10.1016/j.cose.2025.104615","DOIUrl":null,"url":null,"abstract":"<div><div>The Android Operating System (OS) is a complex system that might contain vulnerabilities and allow malicious apps to damage the legitimate ones on the same device or steal sensitive user data. Vulnerabilities in the Android OS are fixed through security patches that can only be distributed through an update of the whole OS. Google is responsible for the development of security patches for the official Android platform i.e., the Android Open Source Project (AOSP). However, several other mobile vendors (e.g., Samsung, Xiaomi) sell smartphones running a customized version of AOSP and are responsible for integrating the AOSP security patches into their custom OS. This integration should occur before Google makes a vulnerability and the associated security patch public. Unfortunately, this is not always the case: we have found that the median time that Samsung requires to integrate a security patch is 35 days. This is astonishing and confirms the urgent need for a solution.</div><div>In this paper, we propose VirtualPatch, a solution that allows the development of security patches and their immediate distribution on any Android device without involving mobile vendors. VirtualPatch creates a virtual environment through the Android virtualization technique and executes the target app with security patches inside it. To evaluate VirtualPatch, we selected 25 Android CVEs. For each of them, we developed the exploit and the security patch through VirtualPatch, and we then proved that the latter could prevent the former. We successfully implemented security patches for all the 25 Android CVEs and measured the additional overhead introduced by VirtualPatch at the startup time and at runtime. Finally, we conducted a user study with 29 participants to evaluate VirtualPatch usability.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104615"},"PeriodicalIF":5.4000,"publicationDate":"2025-08-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825003049","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The Android Operating System (OS) is a complex system that might contain vulnerabilities and allow malicious apps to damage the legitimate ones on the same device or steal sensitive user data. Vulnerabilities in the Android OS are fixed through security patches that can only be distributed through an update of the whole OS. Google is responsible for the development of security patches for the official Android platform i.e., the Android Open Source Project (AOSP). However, several other mobile vendors (e.g., Samsung, Xiaomi) sell smartphones running a customized version of AOSP and are responsible for integrating the AOSP security patches into their custom OS. This integration should occur before Google makes a vulnerability and the associated security patch public. Unfortunately, this is not always the case: we have found that the median time that Samsung requires to integrate a security patch is 35 days. This is astonishing and confirms the urgent need for a solution.

In this paper, we propose VirtualPatch, a solution that allows the development of security patches and their immediate distribution on any Android device without involving mobile vendors. VirtualPatch creates a virtual environment through the Android virtualization technique and executes the target app with security patches inside it. To evaluate VirtualPatch, we selected 25 Android CVEs. For each of them, we developed the exploit and the security patch through VirtualPatch, and we then proved that the latter could prevent the former. We successfully implemented security patches for all the 25 Android CVEs and measured the additional overhead introduced by VirtualPatch at the startup time and at runtime. Finally, we conducted a user study with 29 participants to evaluate VirtualPatch usability.

查看原文本刊更多论文

VirtualPatch：通过Android虚拟化方式分发Android安全补丁

Android操作系统是一个复杂的系统，它可能存在漏洞，允许恶意应用程序破坏同一设备上的合法应用程序或窃取敏感用户数据。Android操作系统中的漏洞是通过安全补丁修复的，这些安全补丁只能通过整个操作系统的更新来分发。谷歌负责为Android官方平台，即Android开源项目（AOSP）开发安全补丁。然而，其他几家手机厂商（如三星、b小米）销售运行定制版AOSP的智能手机，并负责将AOSP安全补丁集成到他们的定制操作系统中。这种集成应该在谷歌公开漏洞和相关的安全补丁之前进行。不幸的是，情况并非总是如此：我们发现，三星集成安全补丁所需的平均时间是35天。这是令人震惊的，并证实迫切需要找到解决办法。在本文中，我们提出了VirtualPatch，这是一种允许开发安全补丁并在任何Android设备上立即分发的解决方案，而无需涉及移动供应商。VirtualPatch通过Android虚拟化技术创建一个虚拟环境，并在其中执行带有安全补丁的目标应用程序。为了评估VirtualPatch，我们选择了25个Android cve。对于每一个漏洞，我们都通过VirtualPatch开发了漏洞和安全补丁，并证明了后者可以防止前者。我们成功地为所有25个Android cve实现了安全补丁，并测量了VirtualPatch在启动时和运行时引入的额外开销。最后，我们对29名参与者进行了用户研究，以评估VirtualPatch的可用性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.