Title: Mobile Security and Privacy: The Quest for the Mighty Access Control
Mobile smart devices are changing our lives and are the emerging dominant computing platform for end-users. Mobile applications (apps) provide flexible access to critical services such as online banking, health records, enterprise applications, or social networks. They offer high computing, storage and sensing capabilities and new interfaces such as near field communication technology (NFC) that enable many new useful applications.
Although mobile operating systems have been designed with security in mind from their infancy, they still fail to resist sophisticated attacks as shown recently. We observe diverse attack vectors: application-level privilege escalation, sensory malware, runtime attacks hijacking the execution flow of apps as well as compromising the operating system.
In the recent years, researchers have presented many proposals to enhance the security and privacy of smart mobile devices at different abstraction layers with the strong focus on the Android operating system for obvious reasons (open-source and popularity). We observe that almost all proposals for security extensions to Android constitute mandatory access control (MAC) mechanisms that are tailored to the specific semantics of the addressed problem, for instance, establishing fine-grained access control to the user's private data or protecting the platform integrity.
We elaborate on solutions (including our work) that aim at mitigating attacks at application-level including control-flow integrity (CFI) against runtime attacks on mobile devices, and discuss their trade-offs. We then present a generic security architecture for the Android OS with MAC on both the kernel- and middleware layers. The goal is to build a flexible and effective ecosystem that allows for instantiating different security and privacy solutions, e.g., context-based access control. We then discuss further research challenges in particular the trade-off between access control mechanisms, the achieved level of protection and usability in practice.