Run-Time Enforcement of Information-Flow Properties on Android (Extended Abstract)

2013 
Recent years have seen a dramatic increase in the number and importance of mobile devices. The security properties that these devices provide to their applications, however, are inadequate to protect against many undesired behaviors. A broad class of such behaviors is violations of simple information-flow properties. This paper proposes an enforcement system that permits Android applications to be concisely annotated with information-flow policies, which the system enforces at run time. Information-flow constraints are enforced both between applications and between components within applications, aiding developers in implementing least privilege. We model our enforcement system in detail using a process calculus, and use the model to prove noninterference. Our system and model have a number of useful and novel features, including support for Android's single- and multiple-instance components, floating labels, declassification and endorsement capabilities, and support for legacy applications. We have developed a prototype of our system on Android 4.0.4 and tested it on a Nexus S phone, verifying that it can enforce practically useful policies that can be implemented with minimal modification to off-the-shelf applications.