Plug-and-play Android security layer outlined by NC State researchers

Handy ASM technology to be detailed at USENIX Security Symposium Friday

A modified version of Android uses a system of modularized plugins to help make sure the latest security tools make it into the hands of end users as quickly as possible.

The Android Security Modules framework, as outlined in a paper from researchers at North Carolina State University and Germany’s TU Darmstadt, is a programmable interface for deploying security updates in the field, without the need for root access to the Android device.


The team studied more than a dozen of the most recent proposals for new security architectures within the Android platform, and identified the specific “hooks” – like file access, network access and phone sensors – that would be required to quickly implement them via a unified structure.

There are several advantages to such a system. NCSU computer science professor William Enck said that the ASM layer can limit the access of third-party apps to personal data.

“For instance, consider an app like WhatsApp, which usually copies all your contacts to its server – which is not needed for it to function,” he said in a statement.

ASM could also help implement dual-persona modes for devices being used in both personal and work settings, a major help for businesses trying to cope with the demands of BYOD.

Via email, Enck told Network World that the ASM layer’s impact on device performance should be minimal.

“Adding security modules will result in a small impact for using the hooks, and then whatever overhead is required by the security module to make the security decision,” he said.

Implementing ASM for a large number of users, however, would likely require the participation of either Google itself or one of the major manufacturers of Android devices. Enck said that he has shared ASM with Google and several OEMs, but declined to speculate on generalized uptake of the device.

The paper is scheduled for presentation Friday at the USENIX Security Symposium in San Diego.

Copyright © 2014 IDG Communications, Inc.
