Don’t Touch that Column: Portable, Fine-Grained Access Control for Android’s Native Content Providers

Aisha Ali-Gombe, Golden G. Richard III, Irfan Ahmed, Vassil Roussev

Android applications access native SQLite databases through their Universal Resource Identifiers (URIs), exposed by the Content provider library. By design, the SQLite engine used in the Android system does not enforce access restrictions on database content nor does it log database accesses. Instead, Android enforces read and write permissions on the native providers through which databases are accessed via the mandatory applications permissions system. This system is very coarse grained, however, and can allow applications far greater access to sensitive data than a user might intend.

In this paper, we present a novel technique called priVy that merges static bytecode weaving and database query rewriting to achieve low-level access control for Android native providers at the application level. priVy defines access control for both database schema and entities and does not require any modifications to the underlying operating system and/or framework code. Instead, it provides a new Controller stub which is statically woven into the target application and a Controller interface for setting access levels, thus making it accessible and easily adoptable by average users. We provide an evaluation in terms of the resilience of applications to instrumentation as well as static and runtime instrumentation overhead. In our testing, priVy incurs an average of 1032 additional method calls or joinpoints created and it takes an average of 15 seconds to recompile an app and imposes virtually no runtime overhead.

Review:
The paper presents a system (priVy) to provide fine-grained access control to the Android native content providers, such as contacts and calendar. Access to these providers can potentially leak important data or cause other attacks such as denial of service. Therefore the provided solution should help prevent these issues. The technical solution is implemented using aspect-oriented programming and bytecode instrumentation. The experimental results show that runtime overhead is small and the approach works well.

The PC generally liked the paper. The authors presented a solid system with a considerable amount of engineering efforts. The approach, without OS/framework changes, seems to be more easily deployable than some previous solutions. However, the PC felt that the paper could be much stronger if move novel techniques are used, and stronger evaluations are conducted (e.g., using a much larger testing dataset).