Enforcing ACL Access Control on Android Platform

Abstract

Android is an operating system with Linux kernel running on smartphone. Part of system resources are provided in the form of APIs offered by system service. Access permission to these resources for application is controlled in Android middleware according to app’s UID. Since any application can run native code such like C/C++ and bypass the permission check in framework layer, Linux kernel uses UGO (user/group/others) access control to protect resource in Android. However, UGO enforces control through group instead of UID, system is unable to authorize a specific app to access resources according to its UID. Thus, some weaknesses remain, such as malicious code may have the privilege to access privacy data and operate the important system peripherals by native code. In this paper, we present an ACL (Access Control List) based access control mechanism to Android system, which can provide fine-grained access control according to the UID of application in file system of Android. This ACL based access control mechanism enables the fine-grained policy may be enforced reliably and prevents some attacks that access resources by native code directly, such as transplantation attack. We make a customized system at both the kernel layer and the framework layer. We develop an entire prototype and verify the compatibility, effectiveness and performance overhead of our system. The result shows it can effectively prevent the abnormal access through C/C++ code. The customized system has a negligible impact on performance overhead and also offers a stable operating environment for applications.