Researchers build security framework for Android

University researchers have modified the Android operating system to let developers plug in enterprise-class security enhancements that would normally require overhauling a mobile device's firmware.

The code added to the OS is called the Android Security Modules (ASM) framework, which is described in a paper from security researchers at North Carolina State University and Technische Universität Darmstadt/CASED in Germany.

The paper will be presented Aug. 22 at the USENIX Security Symposium in San Diego.

Android is designed for all types of devices and does not offer many separate features for consumers, government and enterprises. The ASM framework makes it easier to add the kind of security needed for enterprise and government users, but is not necessary for consumers.

"The Android Security Modules framework is really the building blocks for adding new security functionality to Android," William Enck, a senior author of the paper and an assistant professor at NCSU, said.

As an extensible, generic framework, ASM makes it possible to plug in security enhancements without having to touch the device's firmware.

"If adopted by Google, we envision ASM enabling in-the-field security enhancement of Android devices without requiring root access, a significant limitation of existing bring-your-own-device solutions," the research paper says.

Integrated with the operating system and the Android kernel, ASM provides the authorization hooks that let modules control access to contact lists, geo-location data, phone records and text messages.

"Just about anything you have from a permissions standpoint on Android, you have the ability to extend with an ASM security module," Enck said.

ASM provides more than just access to data. It also lets developers manipulate it, Enck said.

For example, a developer could build a module that filters the contact list, so only authorized apps could access business contacts.

Such a module would be useful to companies that let employees use their own smartphones for work-related tasks, such as accessing the corporate network or email server.

Marc Rogers, principal security researcher for Lookout, said the researchers had "an interesting approach with a lot promise."

"They are building these enhancements into a common framework which will have low-level hooks into the Android OS allowing the framework to act swiftly and effectively when it comes to blocking a threat," Rogers said.

The researchers have sent their paper to Google and a few device manufacturers, but have not received any commitments for use of the technology.

Getting Google to buy into the technology is key to getting it into Android.

"Without rooting the device, the level of access this will need will only be available through direct cooperation with Google or an Android hardware OEM (original equipment manufacturer)," Rogers said.

The ASM source code is available at no charge for non-commercial use. Commercial use would require a license from the universities.

Join the CSO newsletter!

Error: Please check your email address.

Tags consumer electronicsGooglesecuritymobile device securitymobile securitysmartphonesAndroidNorth Carolina State Universitymobile application security

More about Google

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place