New framework would facilitate use of new Android security modules

August 20, 2014 by Matt Shipman

Computer security researchers from North Carolina State University and Technische Universität Darmstadt/CASED in Germany have developed a modification to the core Android operating system that allows developers and users to plug in new security enhancements. The new Android Security Modules (ASM) framework aims to eliminate the bottleneck that prevents developers and users from taking advantage of new security tools.

"In the ongoing arms race between white hats and black hats, researchers and developers are constantly coming up with new security extensions," says Dr. William Enck, an assistant professor of computer science at NC State and a senior author of a paper describing the new framework. "But these new tools aren't getting into the hands of users because every new extension requires users to change their device's firmware, or operating system (OS).

"The ASM framework allows users to implement these new extensions without overhauling their firmware," Enck says. "The framework is available now for security enthusiasts. But for widespread adoption, either Google or one of the Android phone manufacturers will need to adopt the framework and incorporate it into the OS."

The ASM framework allows the creation of custom security control modules that better protect phones owned by consumers and businesses. The custom security modules receive "callbacks" for every security-sensitive operation in the Android OS. In this context, a callback means that Android is contacting the security module to determine whether an operation should proceed.

"Our ASM framework can be used in various personal and enterprise scenarios. For instance, security modules can implement dual persona: i.e., enable users to securely use their smartphones and tablets at home and at work while strictly separating private and enterprise data," says Enck.

"Security modules can also enhance consumer privacy. The framework provides callbacks that can filter, modify, or anonymize data before it is shared with third-party apps, in order to protect personal information," Enck says. "For instance, consider an app like WhatsApp, which usually copies all your contacts to its server – which is not needed for it to function." With ASM, the user can make sure WhatsApp only gets the information it really needs.

"In addition, we designed the framework to allow apps to create their own hooks, which could be enforced by the security module," Enck says. "This increases flexibility for app developers and allows them to benefit from the security protections provided by the module."

The researchers also went to great lengths to ensure that the ASM framework complies with the guarantees Google and others make with app developers. For example, the framework can only make data access more restrictive.
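The callback model described above can be sketched as a small reference monitor. This is an added conceptual example, not code from the ASM project or its paper: the class, the hook signature, the package names and the sample data are all hypothetical, and "more restrictive" is modeled here as "a module can deny or rewrite data but can never grant what the platform check refused."

```python
from typing import NamedTuple, Optional

class Decision(NamedTuple):
    allow: bool
    data: Optional[list] = None  # replacement payload; None keeps the current one

class HookDispatcher:
    """Toy reference monitor; names are hypothetical, not ASM's API."""
    def __init__(self, base_grants: set):
        self.base_grants = base_grants  # stands in for the platform permission check
        self.modules: list = []

    def register(self, hook) -> None:
        self.modules.append(hook)       # hook(app, operation, data) -> Decision

    def authorize(self, app: str, operation: str, data: list) -> Optional[list]:
        """Return the data the app may receive, or None when the operation is denied."""
        # The platform check runs first, so no module can grant what it refused.
        if (app, operation) not in self.base_grants:
            return None
        current = list(data)
        for hook in self.modules:
            decision = hook(app, operation, list(current))
            if not decision.allow:
                return None              # any single deny is final
            if decision.data is not None:
                current = decision.data  # filtered, modified or anonymized payload
        return current

def contact_filter(app, operation, data):
    """Constructed privacy module: a chat app sees only contacts marked as shared."""
    if app == "com.example.chat" and operation == "read_contacts":
        return Decision(True, [c for c in data if c["shared"]])
    return Decision(True)

def persona_separation(app, operation, data):
    """Constructed dual-persona module: personal apps cannot read work data."""
    if operation == "read_work_files" and not app.startswith("com.example.work."):
        return Decision(False)
    return Decision(True)

GRANTS = {("com.example.chat", "read_contacts"), ("com.example.chat", "read_work_files"),
          ("com.example.work.mail", "read_work_files")}  # constructed sample grants
CONTACTS = [{"name": "Alice", "shared": True}, {"name": "Bob", "shared": False}]

def build_demo() -> HookDispatcher:
    monitor = HookDispatcher(GRANTS)
    for hook in (contact_filter, persona_separation):
        monitor.register(hook)
    return monitor
```
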

The researchers will present a paper on the ASM framework Aug. 22 at the USENIX Security Symposium in San Diego, California. The researchers are now reaching out to Google and Android phone manufacturers to demonstrate the effectiveness of the ASM framework. More information on the ASM, including source code, is available at

More information: Paper: "ASM: A Programmable Interface for Extending Android Security":

Authors: Stephan Heuser and Ahmad-Reza Sadeghi, Technische Universität Darmstadt; Adwait Nadkarni and William Enck, North Carolina State University

Presented: Aug. 22, 2014, at USENIX Security Symposium in San Diego, California

Abstract: Android, iOS, and Windows 8 are changing the application architecture of consumer operating systems. These new architectures required OS designers to rethink security and access control. While the new security architectures improve on traditional desktop and server OS designs, they lack sufficient protection semantics for different classes of OS customers (e.g., consumer, enterprise, and government). The Android OS in particular has seen over a dozen research proposals for security enhancements. This paper seeks to promote OS security extensibility in the Android OS. We propose the Android Security Modules (ASM) framework, which provides a programmable interface for defining new reference monitors for Android. We drive the ASM design by studying the authorization hook requirements of recent security enhancement proposals and identify that new OSes such as Android require new types of authorization hooks (e.g., replacing data). We describe the design and implementation of ASM and demonstrate its utility by developing reference monitors called ASM apps. Finally, ASM is not only beneficial for security researchers. If adopted by Google, we envision ASM enabling in-the-field security enhancement of Android devices without requiring root access, a significant limitation of existing bring-your-own-device solutions.
