US, German researchers create framework for core Android security modules

Modifications to the core Android operating system would allow companies to plug in security enhancements for mobile devices, potentially improving the security of BYOD schemes within the enterprise.


International security researchers have offered up a framework for Google's Android operating system that allows users and developers to plug in extra security enhancements.

The researchers, from North Carolina State University and Technische Universitat Darmstadt/CASED in Germany, have developed a modification to the core Android operating system called the Android Security Modules (ASM) framework. The framework aims to eliminate the bottleneck which can prevent developers and users from taking advantage of new security tools, and make it easier for third parties to integrate the latest cybersecurity programs on offer.

The project is described in a paper (.PDF) due for release at the Usenix Security Symposium in San Diego this week.

Dr. William Enck, an assistant professor of computer science at NC State and senior author of the paper commented:

"In the ongoing arms race between white hats and black hats, researchers and developers are constantly coming up with new security extensions. But these new tools aren't getting into the hands of users because every new extension requires users to change their device's firmware, or operating system (OS).

The ASM framework allows users to implement these new extensions without overhauling their firmware."

While the Android operating system's open and free nature makes it attractive for developers and users alike, there are many variations on both smartphone and tablet platforms. This, in conjunction with Android's popularity, means that firmware and patching can be haphazard -- and a potential risk to businesses relying on the OS, or for companies which implement BYOD (bring your own device) schemes. However, with a sufficient security underpinning, Android devices could be more adequately protected -- as well as the data they contain.

The ASM framework is one way to better protect Android-based devices, argues the researchers. Custom security control modules within the framework could receive "callbacks" for security-sensitive operations in the Android OS, which means that the OS contacts the security module directly to determine if an operation should go ahead. Enck said:

"Our ASM framework can be used in various personal and enterprise scenarios. For instance, security modules can implement dual persona: i.e., enable users to securely use their smartphones and tablets at home and at work while strictly separating private and enterprise data.

Security modules can also enhance consumer privacy. The framework provides callbacks that can filter, modify, or anonymize data before it is shared with third-party apps, in order to protect personal information."

Enck says the framework is available now for security specialists, but insists that for widespread adoption, either Google or Android handset manufacturers need to adopt the framework and integrate it within the operating system. However, the framework is unlikely to be a quick fix, as Google would need to alter the core architecture of the OS -- which is no small task.

The framework is available here for non-commercial use.