Mobile security and privacy: the quest for the mighty access control

A. Sadeghi
DOI: 10.1145/2462410.2463204
Published in: Proceedings of the ACM Symposium on Access Control Models and Technologies, pages 1-2, 2013-06-12
Source: Semantic Scholar
Citations: 6

Abstract

Mobile smart devices are changing our lives and are the emerging dominant computing platform for end-users. Mobile applications (apps) provide flexible access to critical services such as online banking, health records, enterprise applications, or social networks. The increasing computing and storage capabilities, new interfaces such as near field communication (NFC) technology or the integration of hardware-based secure execution environments, as well as rich context-sensing capabilities, have turned these devices into enablers for many useful (and fancy) applications. In particular, we consider two emerging trends with high commercial interest: smart devices as access tokens (e.g., in conjunction with NFC), and smart devices as powerful sensors for context-aware access control to resources. We elaborate on the functional, security, and privacy challenges to realizing these applications in practice. To tackle these challenges (and depending on the underlying use case) we clearly need security- and privacy-protecting measures at different system abstraction layers (applications, operating system, and hardware), and we may need them simultaneously. Although mobile operating systems have been designed with security in mind from their infancy, they fail to resist sophisticated attacks, as shown recently. We observe diverse attack vectors, from application-level privilege escalation attacks and sensory malware to runtime attacks that hijack the execution flow of apps, in particular the recently proposed just-in-time return-oriented programming attack technique, which circumvents fine-grained address space layout randomization. Moreover, runtime attacks can be leveraged to compromise the underlying operating system through kernel-based attacks (e.g., root exploits), allowing an attacker to gain full control over the mobile device.
In recent years, researchers have presented many proposals to enhance security and privacy at different abstraction layers, with a strong focus on the Android operating system for obvious reasons (open source and popularity). Investigating the large body of literature on Android security, we observe that almost all proposals for security extensions to Android constitute mandatory access control (MAC) mechanisms that are tailored to the specific semantics of the addressed problem, for instance establishing fine-grained access control to the user's private data or protecting platform integrity. Moreover, these solutions consider protection mechanisms that operate only at a specific system abstraction layer, i.e., either at the middleware (and/or application) layer or at the kernel layer. In addition, security and privacy policy management itself would need to be made more context-aware and user-centric. We elaborate on security solutions (including our own work) that aim to mitigate attacks at the application level, including control flow integrity (CFI) against runtime attacks on mobile devices, and discuss their trade-offs. We then present a generic security architecture - inspired by concepts of the Flask architecture - for the Android OS which covers mandatory access control (MAC) on both the kernel and middleware layers. It aims to serve as a flexible and effective ecosystem in which to instantiate different security solutions. Moreover, it aims at enforcing sensing- and context-based policies, e.g., using sensed contexts and their security-relevant properties to grant and deny access to device resources dynamically, in a truly context-aware manner. We then discuss further challenges, in particular for deployment in practice. Last but not least, we leave open the question of how mighty the access control mechanisms on mobile smart devices should be to achieve an appropriate and reasonable trade-off between security, privacy, and usability in practice.