Researchers build security framework for Android

University researchers have modified the Android operating system to let developers plug in enterprise-class security enhancements that would normally require overhauling a mobile device's firmware.

The code added to the OS is called the Android Security Modules (ASM) framework, which is described in a paper from security researchers at North Carolina State University and Technische Universität Darmstadt/CASED in Germany.

The paper will be presented Aug. 22 at the USENIX Security Symposium in San Diego.

Android is designed for all types of devices and does not offer many separate features for consumers, government and enterprises. The ASM framework makes it easier to add the kind of security needed for enterprise and government users, but is not necessary for consumers.

"The Android Security Modules framework is really the building blocks for adding new security functionality to Android," William Enck, a senior author of the paper and an assistant professor at NCSU, said.

As an extensible, generic framework, ASM makes it possible to plug in security enhancements without having to touch the device's firmware.

"If adopted by Google, we envision ASM enabling in-the-field security enhancement of Android devices without requiring root access, a significant limitation of existing bring-your-own-device solutions," the research paper says.

Integrated with the operating system and the Android kernel, ASM provides the authorization hooks that let modules control access to contact lists, geo-location data, phone records and text messages.

"Just about anything you have from a permissions standpoint on Android, you have the ability to extend with an ASM security module," Enck said.

ASM provides more than just access to data. It also lets developers manipulate it, Enck said.

For example, a developer could build a module that filters the contact list, so only authorized apps could access business contacts.

Such a module would be useful to companies that let employees use their own smartphones for work-related tasks, such as accessing the corporate network or email server.

Marc Rogers, principal security researcher for Lookout, said the researchers had "an interesting approach with a lot promise."

"They are building these enhancements into a common framework which will have low-level hooks into the Android OS allowing the framework to act swiftly and effectively when it comes to blocking a threat," Rogers said.

The researchers have sent their paper to Google and a few device manufacturers, but have not received any commitments for use of the technology.

Getting Google to buy into the technology is key to getting it into Android.

"Without rooting the device, the level of access this will need will only be available through direct cooperation with Google or an Android hardware OEM (original equipment manufacturer)," Rogers said.

The ASM source code is available at no charge for non-commercial use. Commercial use would require a license from the universities.

Tags smartphonesmobile securityGoogleAndroidconsumer electronicsmobile device securityNorth Carolina State Universitymobile application security

Show Comments