US, German researchers create framework for core Android security modules

Summary:Modifications to the core Android operating system would allow companies to plug in security enhancements for mobile devices, potentially improving the security of BYOD schemes within the enterprise.

glowing-keyboard-hacker-security-620x465

International security researchers have offered up a framework for Google's Android operating system that allows users and developers to plug in extra security enhancements.

The researchers, from North Carolina State University and Technische Universitat Darmstadt/CASED in Germany, have developed a modification to the core Android operating system called the Android Security Modules (ASM) framework. The framework aims to eliminate the bottleneck which can prevent developers and users from taking advantage of new security tools, and make it easier for third parties to integrate the latest cybersecurity programs on offer.

The project is described in a paper (.PDF) due for release at the Usenix Security Symposium in San Diego this week.

Dr. William Enck, an assistant professor of computer science at NC State and senior author of the paper commented:

"In the ongoing arms race between white hats and black hats, researchers and developers are constantly coming up with new security extensions. But these new tools aren't getting into the hands of users because every new extension requires users to change their device's firmware, or operating system (OS).

The ASM framework allows users to implement these new extensions without overhauling their firmware."

While the Android operating system's open and free nature makes it attractive for developers and users alike, there are many variations on both smartphone and tablet platforms. This, in conjunction with Android's popularity, means that firmware and patching can be haphazard -- and a potential risk to businesses relying on the OS, or for companies which implement BYOD (bring your own device) schemes. However, with a sufficient security underpinning, Android devices could be more adequately protected -- as well as the data they contain.

The ASM framework is one way to better protect Android-based devices, argues the researchers. Custom security control modules within the framework could receive "callbacks" for security-sensitive operations in the Android OS, which means that the OS contacts the security module directly to determine if an operation should go ahead. Enck said:

"Our ASM framework can be used in various personal and enterprise scenarios. For instance, security modules can implement dual persona: i.e., enable users to securely use their smartphones and tablets at home and at work while strictly separating private and enterprise data.

Security modules can also enhance consumer privacy. The framework provides callbacks that can filter, modify, or anonymize data before it is shared with third-party apps, in order to protect personal information."

Enck says the framework is available now for security specialists, but insists that for widespread adoption, either Google or Android handset manufacturers need to adopt the framework and integrate it within the operating system. However, the framework is unlikely to be a quick fix, as Google would need to alter the core architecture of the OS -- which is no small task.

The framework is available here for non-commercial use.

Topics: Security, Android

About

Charlie Osborne, a medical anthropologist who studied at the University of Kent, UK, is a journalist, freelance photographer and former teacher. She has spent years travelling and working across Europe and the Middle East as a teacher, and has been involved in the running of businesses ranging from media and events to B2B sales. Charli... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.