Nowadays, SEAndroid has been widely deployed in Android devices to enforce security policies and provide flexible mandatory access control (MAC), for the purpose of narrowing down attack surfaces and restricting risky operations (e.g., privilege escalation). Mobile device manufacturers have to customize policy rules and add their own rules to support their functionality extensions. Ideally, these policy rules in SEAndroid should be carefully written, verified and maintained. However, many security issues have been found during the course of SEAndroid policy customization. Even worse, it is challenging to identify these issues due to the large and ever-increasing number of policy rules, as well as the complexity of policy semantics. To investigate the status quo of SEAndroid policy customization, we propose SEPAL, a universal tool to automatically retrieve and examine the customized policy rules. We perform a light-weight static analysis to extract atomic rules and runtime permission from Android firmware. Then, we employ natural language processing to construct a variety of features from both policy rules and their comments. A wide & deep model is trained to predict whether a rule is unregulated or not. SEPAL is shown to be effective at classifying AOSP policy rules, and outperforms EASEAndroid by 15% in accuracy on average. To evaluate its practicality, we collect 774 Android firmware images from 70 distinct manufacturers and extract 595,236 customized rules. SEPAL identifies 7,111 unregulated rules with a low false positive rate. With the help of SEPAL, we study the distribution of the unregulated rules. The results show that, thanks to Google’s efforts, the security issues raised in earlier studies were significantly fixed in the Android 7 era. However, after Android 8, the policy customization problem is getting worse again with the growing complexity of the policy: nearly 20% of the customized atomic rules in Android 9 are unregulated ones, while the percentage in Android 7 is less than 8%. We then summarize four common reasons why the unregulated rules are introduced by policy developers and how the rules compromise ALL categories of defenses provided by original SEAndroid. We further conduct two proof-of-concept attacks to validate their severity. Last, we report some unregulated rules to seven vendors and four of them confirm our findings.
