Skip directly to content

Minimize RSR Award Detail

Research Spending & Results

Award Detail

Doing Business As Name:Syracuse University
  • Wenliang Du
  • (315) 443-9180
Award Date:06/28/2013
Estimated Total Award Amount: $ 499,962
Funds Obligated to Date: $ 532,362
  • FY 2014=$21,600
  • FY 2013=$499,962
  • FY 2015=$10,800
Start Date:08/01/2013
End Date:07/31/2017
Transaction Type:Grant
Awarding Agency Code:4900
Funding Agency Code:4900
CFDA Number:47.070
Primary Program Source:040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description:TWC: Small: Develop Fine-Grained Access Control for Third-Party Components in Mobile Systems
Federal Award ID Number:1318814
DUNS ID:002257350
Parent DUNS ID:002257350
Program:Secure &Trustworthy Cyberspace
Program Officer:
  • Fen Zhao
  • (703) 292-0000

Awardee Location

Awardee Cong. District:24

Primary Place of Performance

Organization Name:Syracuse University
Cong. District:24

Abstract at Time of Award

Smartphones and tablets are being used widely, and with such a pervasive use, protecting mobile systems is of critical importance. One of the unique features in mobile systems is that many applications incorporate third-party components, such as advertisement, social-network APIs, and the WebView component (that runs third-party JavaScript code). With third-party components, the code developed by application developers and the code from third parties are executed within the same context and with the same privilege. No access control system is developed to separate the privilege of the first-party application code from that of third-party components. This has resulted in over-privilege issues. The objective of this project is to develop adequate access control systems to remedy the risks introduced by third-party components. The development is based on a systematic study of various third-party components, how they interact with applications, what features are desirable, and what their protection needs are. The project meets this objective using a three-pronged approach: (1) add new access controls to WebView to control the interactions with third-party code; (2) add package-level access controls within apps to prevent over-privilege; and (3) isolate third-party components with visual elements. This project can offer mobile system developers a deeper understanding of the security problems in the systems, suggest to them how better to design into mobile systems desired security properties, and eventually improve the security of mobile systems.

Project Outcomes Report


This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

The main objectives of this project are two-fold: (1) study the new security problems in mobile operating system, with a special focus on Android OS, and (2) develop fine-grained access control for the Android operating system. 

We have discovered two new types of security problems in Android. First, Android customization offers substantially different experiences and rich functionalities to users. Every party in the customization chain, such as vendors and carriers, modify the OS and the pre-installed apps to tailor their devices for a variety of models, regions, and custom services. However, these modifications come with security consequences. In this project, we have developed a methodology to systematically analyze the security consequence of vendor customizaiton. Our study has revealed many security problems caused by vendor customization. Our tools can be used by vendors to improve the security of their customzed Android operating systems. Second, we reported the first security analysis of Android’s data clean up mechanism after app removal, which reveals the pervasiveness of subtle yet significant security flaws in them, leading to various data residue instances. Results of this research were reported to and adopted by Google and smartphone companies.

We have developed several fine-grained access control mechanisms for Android. First, we have developed a mechanism called AFrame, which allows app developers to run a portion of their UIs in an isoated environment (running in a different process with different privileges). Second, we have developed a system called Compac, which provides component-level access control for Android apps. The system allows app developers to assign permissions at the component level, instead of only at the app level. Third, we have developed PINPOINT, a resource isolation strategy that forgoes general-purpose solutions in favor of a "building block" approach that addresses specific end-user security goals. PINPOINT embodies the concept of Linux Namespace lightweight isolation, but does so in the Android Framework by guiding the security designer towards isolation points that are contextually close to the resource(s) that need to be isolated. Fourth, we have developed Intentio Ex Machina1 (IEM), an access control solution for Android intent security. IEM creates a new genre of security application for Android systems allowing for creative and interactive approaches to active IPC defense.

Three students received their Ph.D. degrees by working on this project. Moreover, a number of undergraduate students participated in this project as REU students. Some of them went on to pursue MS and PhD degrees after their graduation.

The work produced by this research has been integrated to the Computer Security course that the PI has been teaching, potentially benefiting many students in the years to come. The PI also developed hands-on lab exercises based on the work from this project, and these labs are being used by many institutes worldwide.


Last Modified: 10/29/2017
Modified by: Wenliang Du

For specific questions or comments about this information including the NSF Project Outcomes Report, contact us.