Visible to the public TWC: Small: Understanding and Mitigating the Security Hazards of Mobile FragmentationConflict Detection Enabled

Project Details

Lead PI

Performance Period

Oct 01, 2015 - Sep 30, 2018


Indiana University

Award Number

Mobile computing technologies are rapidly evolving and phone (and other mobile device) manufacturers are under constant pressure to offer new product models. Each manufacturer customizes operating system software for its devices and often changes this software to support its new models. Given the many manufacturers in the mobile device marketplace and the many different generations of products, there are many customized branches of mobile operating systems in use at any time. Unfortunately, high-impact, security-critical flaws have been introduced through the combination of the operating system customization process and the design of mobile applications. This project is the first to systematically study and mitigate such security hazards. The researchers are collaborating closely with device manufacturers to transfer the results of the project into practice.

More specifically, the project involves an in-depth study of the security risks and pitfalls that lead to fragmentation-related vulnerabilities. The researchers are developing novel technologies to detect such flaws in existing systems and avoid them when building new ones. The project includes the development of automatic analysis techniques that scan a large number of factory images to identify inconsistencies in the protection of a system capability on different operating system (OS) layers (e.g., Android framework layer, Linux layer, etc.), and across a customized version and its official counterpart. This consistency check helps elevate the security qualities of customized systems to that of Android official systems. Furthermore, to mitigate the security risk introduced by the services or apps designed for cross-version, cross-device compatibility, the research team is studying techniques for automatically analyzing a variety of services on new OS releases, enhancing the mechanism for capturing exploits on them, and eliminating new security hazards like hanging capabilities.