posted by janrinok on Saturday August 23 2014, @12:40AM
from the now-that's-a-good-idea dept.

Paper (PDF): http://www.enck.org/pubs/heuser-sec14.pdf

Computer security researchers have developed a modification to the core Android operating system that will allow developers and users to plug in security enhancements without the need to change the firmware on the device.

"In the ongoing arms race between white hats and black hats, researchers and developers are constantly coming up with new security extensions," says Dr. William Enck, an assistant professor of computer science at NC State and a senior author of a paper describing the new framework. "But these new tools aren't getting into the hands of users because every new extension requires users to change their device's firmware, or operating system (OS).

"The ASM framework allows users to implement these new extensions without overhauling their firmware," Enck says. "The framework is available now for security enthusiasts. But for widespread adoption, either Google or one of the Android phone manufacturers will need to adopt the framework and incorporate it into the OS."

The ASM framework allows the creation of custom security control modules that better protect phones owned by consumers and businesses. The custom security modules receive "callbacks" for every security-sensitive operation in the Android OS. In this context, a callback means that Android is contacting the security module to determine whether an operation should proceed.

"Our ASM framework can be used in various personal and enterprise scenarios. For instance, security modules can implement dual persona: i.e., enable users to securely use their smartphones and tablets at home and at work while strictly separating private and enterprise data," says Enck.

"Security modules can also enhance consumer privacy. The framework provides callbacks that can filter, modify, or anonymize data before it is shared with third-party apps, in order to protect personal information," Enck says. "For instance, consider an app like WhatsApp, which usually copies all your contacts to its server – which is not needed for it to function." With ASM, the user can make sure WhatsApp only gets the information it really needs.
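
The callback flow described above (modules deciding whether an operation proceeds, then filtering data before an app sees it), sketched as a small Python model. This is an added example, not code from the ASM project or the paper; the class names, hook names, package names and sample contacts are all hypothetical.

```python
# Simplified model of the callback flow; every name is hypothetical, not the ASM API.
from dataclasses import dataclass, field

@dataclass
class Operation:
    app: str                                   # package name of the requesting app
    hook: str                                  # security-sensitive operation being mediated
    data: list = field(default_factory=list)   # result rows the app would receive

class SecurityModule:
    def check(self, op):       # access-control callback: may the operation proceed?
        return True
    def transform(self, op):   # data callback: filter or anonymize the result
        return op.data

class DualPersona(SecurityModule):
    """Only apps in the work persona may reach hooks under the 'work.' prefix."""
    def __init__(self, work_apps):
        self.work_apps = set(work_apps)
    def check(self, op):
        return not op.hook.startswith("work.") or op.app in self.work_apps

class ContactMinimizer(SecurityModule):
    """Return only the contact fields each listed app needs; other apps get nothing."""
    def __init__(self, fields_by_app):
        self.fields_by_app = fields_by_app
    def transform(self, op):
        if op.hook != "contacts.query":
            return op.data
        keep = self.fields_by_app.get(op.app, set())
        rows = [{k: v for k, v in row.items() if k in keep} for row in op.data]
        return [r for r in rows if r]          # drop rows left with no fields

class HookDispatcher:
    def __init__(self, modules):
        self.modules = list(modules)
    def dispatch(self, op):
        for m in self.modules:                 # one denial blocks the operation
            if not m.check(op):
                raise PermissionError(f"{type(m).__name__} denied {op.hook} for {op.app}")
        for m in self.modules:                 # then each module may rewrite the data
            op = Operation(op.app, op.hook, m.transform(op))
        return op.data

# Constructed sample data and policy
CONTACTS = [{"name": "Alice", "phone": "+1-555-0100", "email": "alice@example.com"},
            {"name": "Bob", "phone": "+1-555-0101", "email": "bob@example.com"}]
DISPATCHER = HookDispatcher([DualPersona({"com.example.mail"}),
                             ContactMinimizer({"com.example.messenger": {"phone"}})])
```

In this model the messenger app receives phone numbers only, an app with no entry in the policy receives an empty result, and a non-work app touching a `work.` hook is stopped before any data is produced.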

  • (Score: 4, Interesting) by frojack (1554) on Saturday August 23 2014, @01:46AM (#84562)

    If Google would just re-write the permissions system all of these problems would go away.

    Users should have much finer-grained control of the permissions the apps get, and the ability to turn off permissions (or simply return no data) when the Game you bought suddenly decides to look at all your contacts.

    As it is, developers will hang in a contacts read capability so that you can share your scores with someone (which nobody wanted to do anyway), but once you give them those permissions nothing prevents them from mining your entire contact list.

    Just let us turn them off. If the app stops working, too bad.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 2) by PizzaRollPlinkett (4512) on Saturday August 23 2014, @07:41PM (#84744)

    You lost me at 'modules receive "callbacks" for every security-sensitive operation' - what stops the badniks from writing these modules and installing them on devices? Sounds like writing the equivalent of a VxD on Windows that can monitor anything the system does. If I was a badnik (don't worry, I'm too lazy) I would be all over this looking for ways to use it to do bad things. I even broke my own rule and went to their ASM web site, but it's very lite on details. I guess I could download the source, but don't really want to.

    --
    (E-mail me if you want a pizza roll!)