Android oS Security: riSkS And LimitAtionS A PrActicAL evALuAtion

The number of Android-based smartphones is growing rapidly. They are increasingly used for security-critical private and business applications, such as online banking or to access corporate networks. This makes them a very valuable target for an adversary. Up to date, significant or large-scale attacks have failed, but attacks are becoming more sophisticated and successful. Thus, security is of paramount importance for both private and corporate users. In this paper, we give an overview of the current state of the art of Android security and present our extensible automated exploit execution framework. First, we provide a summary of the Android platform, current attack techniques, and publicly known exploits. Then, we introduce our extensible exploit execution framework which is capable of performing automated vulnerability tests of Android smartphones. It incorporates currently known exploits, but can be easily extended to integrate future exploits. Finally, we discuss how malware can propagate to Android smartphones today and in the future, and which possible threats arise. For example, device-to-device infections are possible if physical access is given. NES Research Department at Fraunhofer AISEC The Fraunhofer Research Institution for Applied and Integrated Security AISEC1 is one leading expert for applied IT security and develops solutions for immediate use, tailored to the customer’s needs. Over 80 highly qualified employees covering all areas of IT security make such customized services possible. Fraunhofer AISEC is organized into three different research and development divisions. They focus on hardware security as well as the protection of complex services and networks. Clients of Fraunhofer AISEC operate in a variety of industrial sectors, such as the chip card industry, telecommunications, the automotive industry, and mechanical engineering, as well as the software and healthcare industries. Fraunhofer AISEC was founded in 2009 as an independent research organization within the Fraunhofer-Gesellschaft. 1http://www.aisec.fraunhofer.de/ Fraunhofer AISEC Android OS Security: Risks and Limitations 3