The Android Platform Security Model (2023)

René Mayrhofer, Jeffrey Vander Stoep, Chad Brubaker, Dianne Hackborn, Bram Bonné, Güliz Seray Tuncay, Roger Piqueras Jover, Michael A. Specter

TL;DR

This work articulates Android's security posture within a large, open ecosystem by formalizing a multi-party authorization model that requires consent from users, developers, and the platform for actions. It integrates threat modeling tailored to mobile contexts with a defense-in-depth implementation spanning sandboxing, permissions, encryption, attestation, and patching, anchored by Verified Boot and hardware-backed protections. The paper identifies how these mechanisms co-evolve across Android releases to mitigate physical, network, code, content, and supply-chain threats, while acknowledging deliberate deviations (special cases) for practical usability and enterprise requirements. Collectively, the analysis yields a canonical reference for researchers and practitioners, clarifying how Android preserves security and privacy in a diverse device ecosystem and guiding future improvements.

Abstract

Android is the most widely deployed end-user-focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. To support this flexibility, Android's security model must strike a difficult balance between security, privacy, and usability for end users; provide assurances for app developers; and maintain system performance under tight hardware constraints. This paper aims to both document the assumed threat model and discuss its implications, with a focus on the ecosystem context in which Android exists. We analyze how different security measures in past and current Android implementations work together to mitigate these threats, and, where there are special cases in applying the security model in practice, we discuss these deliberate deviations and examine their impact.

Paper Structure

This paper contains 60 sections, 5 equations, 3 figures, 6 tables.

Figures (3)

  • Figure 1: Layers of sandboxing
  • Figure 2: Changes to mediaserver and codec sandboxing from Android 6 to Android 10
  • Figure 3: Verified Boot flow and different states: (YELLOW): warning screen for LOCKED devices with custom root of trust set; (ORANGE): warning screen for UNLOCKED devices; (RED): warning screen for dm-verity corruption or no valid OS found.