Mobile
8/20/2014
02:20 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

US, German Researchers Build Android Security Framework

The Android Security Modules (ASM) framework aims to streamline and spread security features, updates to Android devices.

Security researchers from the US and Germany have developed a framework for Android that would allow companies and users to more easily plug in security tools and enhancements to the mobile devices.

The researchers, from NC State and Technische Universitat Darmstadt/CASED in Germany, basically modified the core Android operating system such that developers and users could more easily add new security features to Android devices. The so-called Android Security Modules (ASM) Framework is a way to more comprehensively and easily update the oft-targeted mobile platform with new defenses from attacks and privacy threats.

Android's popularity has been its detriment when it comes to security: The pervasive and open-source OS comes in multiple flavors and iterations on various smartphone and tablet platforms, depending on the vendor, model, and wireless provider. Patching and updating firmware has been haphazard in many cases, and enterprises faced with BYOD pressures have struggled to efficiently and sufficiently lock down the devices for their employees.

But the researchers say that if Google were to implement ASM, which provides a sort of application programming interface framework, Android devices could more easily and widely get augmented with security enhancements and exploit protections.

"This enables the sorts of privacy and security enhancements for Android to actually see the light of day," says Dr. William Enck, an assistant professor of computer science at NC State and co-author of "ASM:  A Programmable Interface for Extending Android Security," which he and the other authors will present on Friday at the Usenix Security Symposium in San Diego.

Enck says the framework makes Android devices more attractive for businesses. "The real power of ASM is being a generic, extensible way to enhancing security on smartphones," he says. "I think there's a strong need for this… framework as Android becomes more and more pervasive."

He and his fellow researchers on the project, Adwait Nadkarni, a PhD student at NC State and  Stephan Heuser, a Ph.D. student at TU Darmstadt/CASED; and Dr. Ahmad-Reza Sadeghi, of TU Darmstadt/CASED, have reached out to Google and Android device manufacturers about the new framework.

Google as of this posting had not yet responded to a press inquiry about the new research.

Tyler Shields of Forrester Research says the ASM framework makes sense as step toward making Android devices more secure. "It would allow others to expand on the project," Shields says.

But it's not a quick nor comprehensive fix, he warns. The Android ecosystem, from Google to the smartphone makers to the wireless carriers, would need to adopt it.  "It's super complex stuff and likely going to be quite some time before Google considers something so large. This would be a major underlying change in architecture and would be quite a big undertaking to get the food chain of vendors -- Google, hardware vendor, carrier -- to all implement and manage and use this properly."

So how would ASM work for an Android user? NC State's Enck says if an Android was outfitted with ASM and the device's OS was no longer updatable with the newest OS, a security module could be developed for this older device to mitigate a specific exploit threat, for example, depending on the vulnerability. "It really depends on the vulnerability," he says.

ASM does not cover threats to the Linux kernel, however, he says.

"My goal is to see the ASM framework adopted into the Android open source project. That way, it would [be available] to the widest number of phones. And I would hope the large smartphone vendors would be adopting it," he says.

"Android is a platform with many different customers," and the hope is to offer widespread availability of security improvements to it via ASM, he says.

[Black Hat speaker details how security researchers can expedite their work across numerous Android devices at once. Read Tapping Into A Homemade Android Army.]

The researchers are offering the ASM framework source code for free, non-commercial use. Their research paper with the full technical details is available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/22/2014 | 8:41:45 AM
Re: what will Google do (if anything)?
I think this will be the next big game changer for Android security. As long as the ease of implementation for third-party developers allow for the continuation of strengthening the security plugins. Otherwise, this initiative will become reliant on the creator for updates. But from what I have seen with android, most of its strength is placed in open-source.

How does this differ from Samsung Knox Security? Besides the fact that the other only applies to Samsung. I believe that Knox does defend rootkit but if anyone has further expertise in the matter I am interested.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/20/2014 | 4:03:18 PM
what will Google do (if anything)?
I haven't heard back from Google on this yet. Tyler's comment about just what it would take for this to take off is interesting. Anyone think this could be the game-changer for Android security? 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Why else would HR ask me if I have a handicap?"
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If you’re still focused on securing endpoints, you’ve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.