Please note: This master’s thesis presentation will take place in DC 3317 and online.
Muhammad Shahpar Nafees Khan, Master’s candidate
David R. Cheriton School of Computer Science
Supervisor: Professor Yousra Aafer
The Android framework’s multi-user ecosystem introduces significant security challenges, particularly in the enforcement of user-specific access controls. While previous research has highlighted inconsistencies in Android’s access control mechanisms, these efforts often overlook the complexities introduced by vendor customizations and the unique demands of a multi-user environment.
In this thesis, we conduct a systematic analysis of the Android Open Source Project (AOSP), identifying key access control patterns that serve as the foundation of our study. These patterns guide our analysis, enabling us to develop and apply a static analysis framework that examines vendor ROMs for missing user-specific access control checks. Our evaluation reveals the presence of cross-user attack surfaces, including scenarios where sensitive user data can be accessed across profiles and privileged system settings can be manipulated by non-privileged users. These findings underscore the need for consistent and rigorous enforcement of access control mechanisms to mitigate security risks in Android’s multi-user environments.
To attend this master’s thesis presentation in person, please go to DC 3317. You can also attend virtually using Zoom.