Results 1 - 6 of 6
QUIRE: Lightweight Provenance for Smart Phone Operating Systems
Abstract
Cited by 7 (0 self)
Smartphone apps often run with full privileges to access the network and sensitive local resources, making it difficult for remote systems to have any trust in the provenance of network connections they receive. Even within the phone, different apps with different privileges can communicate with one another, allowing one app to trick another into improperly exercising its privileges (a Confused Deputy attack). In QUIRE, we engineered two new security mechanisms into Android to address these issues. First, we track the call chain of IPCs, allowing an app the choice of operating with the diminished privileges of its callers or to act explicitly on its own behalf. Second, a lightweight signature scheme allows any app to create a signed statement that can be verified anywhere inside the phone. Both of these mechanisms are reflected in network RPCs, allowing remote systems visibility into the state of the phone when an RPC is made. We demonstrate the usefulness of QUIRE with two example applications. We built an advertising service, running distinctly from the app which wants to display ads, which can validate clicks passed to it from its host. We also built a payment service, allowing an app to issue a request which the payment service validates with the user. An app cannot forge a payment request by directly connecting to the remote server, nor can the local payment service tamper with the request.
Permission re-delegation: Attacks and defenses
In 20th USENIX Security Symposium, 2011
Abstract
Cited by 6 (0 self)
Modern browsers and smartphone operating systems treat applications as mutually untrusting, potentially malicious principals. Applications are (1) isolated except for explicit IPC or inter-application communication channels and (2) unprivileged by default, requiring user permission for additional privileges. Although inter-application communication supports useful collaboration, it also introduces the risk of permission re-delegation. Permission re-delegation occurs when an application with permissions performs a privileged task for an application without permissions. This undermines the requirement that the user approve each application’s access to privileged devices and data. We discuss permission re-delegation and demonstrate its risk by launching real-world attacks on Android system applications; several of the vulnerabilities have been confirmed as bugs. We discuss possible ways to address permission re-delegation and present IPC Inspection, a new OS mechanism for defending against permission re-delegation. IPC Inspection prevents opportunities for permission re-delegation by reducing an application’s permissions after it receives communication from a less privileged application. We have implemented IPC Inspection for a browser and Android, and we show that it prevents the attacks we found in the Android system applications.
Address space randomization for mobile devices
In Proc. WiSec 2011, 2011
Abstract
Cited by 2 (0 self)
Address Space Layout Randomization (ASLR) is a defensive technique supported by many desktop and server operating systems. While smartphone vendors wish to make it available on their platforms, there are technical challenges in implementing ASLR on these devices. Pre-linking, limited processing power and restrictive update processes make it difficult to use existing ASLR implementation strategies even on the latest generation of smartphones. In this paper we introduce retouching, a mechanism for executable ASLR that requires no kernel modifications and is suitable for mobile devices. We have implemented ASLR for the Android operating system and evaluated its effectiveness and performance. In addition, we introduce crash stack analysis, a technique that uses crash reports locally on the device, or in aggregate in the cloud to reliably detect attempts to brute-force ASLR protection. We expect that retouching and crash stack analysis will become standard techniques in mobile ASLR implementations.
A framework for on-device privilege escalation exploit execution on Android
Abstract
Cited by 1 (0 self)
Exploits on mobile phones can be used for various reasons; a benign one may be to achieve system-level access on a device that was locked by the manufacturer or service provider (also known as ‘jailbreaking’ or ‘rooting’), while potentially malicious reasons are manifold. Independently of the use case, however, a specific exploit is not sufficient to achieve the desired access rights. Typically, exploits provide temporary privilege escalation immediately after their execution. To provide additional access to applications, permanent privilege escalation is required – in the benign case, including secure access control for the user to decide which (parts of) applications are granted elevated access. In this paper, we present a framework that can use arbitrary temporary exploits on Android devices to achieve permanent ‘root’ capabilities for select (parts of) applications.
Poster: Dismantling iClass and iClass Elite
Abstract
With more than 300 million cards sold, HID iClass is one of the most popular contactless smart cards on the market. It is widely used for access control, secure login and payment systems. The card uses 64-bit keys to provide authenticity and integrity.
Hackers in Your Pocket: A Survey of Smartphone Security Across Platforms
Abstract
In the past, research on smart phone operating system security has been scattered over blog posts and other non-archival publications. Over the last 5 years, with the advent of Android, iOS and Windows Phone 7, an increasing amount of research has also been published in the academic sphere on individual security mechanisms of the three platforms. However, for a non-expert it is hard to get an overview of this research area. In this paper, we close this gap and provide a structured, easy-to-access overview of the security features and prior research of the three most popular smartphone platforms: Android, iOS, and Windows Phone 7. In particular, we discuss and compare how each of these platforms uses sandboxing and memory protection, provides code signing, protects service connections, provides application shop security, and handles permissions.