Workshop in Information Security

Project: Android Declassification Infrastructure

Third-party smartphone applications are becoming more and more popular as smartphones grow richer in sensors, capabilities and private information. Moreover, it is common for applications to hold dangerous privileges that give them access to these sensors, capabilities and information. Clearly, over-privileged smartphone applications are a dire security concern to end-users.

In this project students will design and implement a set of Android applications – “the infrastructure” – which aims to enable much safer Android programming, by helping applications become much less privileged without harming their functionality. In Android, applications can offer services to other applications. The infrastructure applications are a set of services useful to many other Android applications. These services offer implementation of common application behavior and, in particular, commonly required declassification behavior (see below).

Applications utilizing this infrastructure will be easier to develop, less buggy and, most importantly, less privileged and more secure. Notably, Microsoft Windows Phone has a small part of this infrastructure (several services, i.e. implementations of common behaviors) integrated into its API and OS environment. The Android development environment does not offer these API calls, but it offers something perhaps better: the ability to easily implement them (and many more) as Android applications offering these services to other apps.

Students participating in this project will learn general principles of information security and apply them to real-life programs. They will also become familiar with Android development, and will use its unique flexibility in ways seldom exploited elsewhere so far. We believe the infrastructure implemented here is important to Android development as it is performed today, and that it (or a more developed form of it) could one day be widely used by many applications.

Declassification
A declassifier is a privileged entity with access to classified information, which offers declassified information to non-privileged entities. For example, an encryption service is exposed to plaintext (it is privileged to learn classified data) but exposes only encrypted data to non-privileged processes; we say that this data has been declassified. The least privilege principle dictates that we confine classified information as much as possible. It is therefore best to decouple declassification behavior from the code that uses the declassified information, so that less code is privileged. This turns out to be possible in many real-life scenarios.

For example, some smartphone applications hold the “access contacts” privilege but only use the contacts’ surnames. We would like to make such applications privileged just enough to “access contacts surnames”, and no more. But alas, Android does not offer the possibility of granting an application an “access contacts surnames” privilege.
Imagine a privileged service (with the “access contacts” privilege, which Android can grant) that agrees to send other applications just the contacts’ surnames. The service makes sure it only sends surnames to privileged-enough (“access contacts surnames”) applications. This is a declassifier, and it is exactly what we wanted: we can now make some applications less privileged.

Fortunately, Android Development offers some unique features making it possible to implement this behavior in a simple and intuitive manner.
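The surname declassifier described above, written out as an added example (not the workshop's own code): an Android ContentProvider whose app holds READ_CONTACTS and hands out only family names, and only to callers holding a custom permission. The permission name, authority and manifest entries are assumptions.

```java
// Added example (not the workshop's code): the contacts-surname declassifier as an
// Android ContentProvider. This app holds READ_CONTACTS; callers need only the
// hypothetical custom permission com.example.declass.ACCESS_CONTACT_SURNAMES.
// Assumed manifest: <uses-permission android:name="android.permission.READ_CONTACTS"/>
//   <permission android:name="com.example.declass.ACCESS_CONTACT_SURNAMES" android:protectionLevel="dangerous"/>
//   <provider android:name=".SurnameProvider" android:exported="true" android:authorities="com.example.declass.surnames"
//             android:readPermission="com.example.declass.ACCESS_CONTACT_SURNAMES"/>
package com.example.declass;
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.provider.ContactsContract.CommonDataKinds.StructuredName;
import android.provider.ContactsContract.Data;

public class SurnameProvider extends ContentProvider {
    static final String SURNAME_PERM = "com.example.declass.ACCESS_CONTACT_SURNAMES";
    @Override public boolean onCreate() { return true; }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        // The manifest readPermission already gates this call; re-checking keeps the
        // guard next to the data if the manifest is ever loosened.
        if (getContext().checkCallingPermission(SURNAME_PERM) != PackageManager.PERMISSION_GRANTED) {
            throw new SecurityException("caller lacks " + SURNAME_PERM);
        }
        // Ignore the caller's projection/selection so it cannot steer the query at
        // any column other than the family name.
        String[] cols = { StructuredName.FAMILY_NAME };
        String where = Data.MIMETYPE + " = ?";
        String[] args = { StructuredName.CONTENT_ITEM_TYPE };
        MatrixCursor out = new MatrixCursor(new String[] { "surname" });
        // The outgoing query runs under this app's own uid, which holds READ_CONTACTS.
        try (Cursor src = getContext().getContentResolver()
                .query(Data.CONTENT_URI, cols, where, args, null)) {
            while (src != null && src.moveToNext()) {
                String surname = src.getString(0);
                if (surname != null) out.addRow(new Object[] { surname }); // only the surname leaves
            }
        }
        return out;
    }

    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.example.surname"; }
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException("read-only"); }
    @Override public int delete(Uri uri, String s, String[] a) { throw new UnsupportedOperationException("read-only"); }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException("read-only"); }
}
```

A client app declares only the custom permission in its manifest and queries content://com.example.declass.surnames, so the contacts permission itself never leaves the declassifier's process.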

Many other examples of the same principle exist, and in this project we will identify and implement the most important of them.