Smartphones and tablets are being used widely, and with such a pervasive use, protecting mobile systems is of critical importance. One of the unique features in mobile systems is that many applications incorporate third-party components, such as advertisement, social-network APIs, and the WebView component (that runs third-party JavaScript code). With third-party components, the code developed by application developers and the code from third parties are executed within the same context and with the same privilege. No access control system is developed to separate the privilege of the first-party application code from that of third-party components. This has resulted in over-privilege issues. The objective of this project is to develop adequate access control systems to remedy the risks introduced by third-party components. The development is based on a systematic study of various third-party components, how they interact with applications, what features are desirable, and what their protection needs are. The project meets this objective using a three-pronged approach: (1) add new access controls to WebView to control the interactions with third-party code; (2) add package-level access controls within apps to prevent over-privilege; and (3) isolate third-party components with visual elements. This project can offer mobile system developers a deeper understanding of the security problems in the systems, suggest to them how better to design into mobile systems desired security properties, and eventually improve the security of mobile systems.
TWC: Small: Develop Fine-Grained Access Control for Third-Party Components in Mobile Systems