Presentation Material

Abstract

Android is a pliable environment bent into different shapes by different OEMs. While Android offers several security mechanisms at the framework and at the application levels, there’s little it offers to an OEM that customizes Android. We have seen vulnerabilities in Android stemming out of excess file permissions, processes left running as root or system after a debug cycle, privileged security capabilities in an attempt to avoid setuid files, and so on. While there are tools to run partial checks at either the Android framework level or at the Linux layer, we do not have a powerful tool that can scan for platform level vulnerabilities. We announce our tool called Iron Crow that can greatly benefit Android BSP developers and OEMs to catch vulnerabilities of this nature - thereby protecting end users, improving the security of Android, and also protect themselves from media reprimand.