Modern operating systems such as Android, iOS, Windows Phone, and Chrome OS support a cooperating program abstraction. Instead of placing all functionality into a single program, programs cooperate to complete tasks requested by users. However, untrusted programs may exploit interactions with other programs to obtain unauthorized access to system sensors either directly or through privileged services. Researchers have proposed that programs should only be authorized to access system sensors on a user-approved input event, but these methods do not account for possible delegation done by the program receiving the user input event. Furthermore, proposed delegation methods do not enable users to control the use of their input events accurately. In this paper, we propose ENTRUST, a system that enables users to authorize sensor operations that follow their input events, even if the sensor operation is performed by a program different from the program receiving the input event. ENTRUST tracks user input as well as delegation events and restricts the execution of such events to compute unambiguous delegation paths to enable accurate and reusable authorization of sensor operations. To demonstrate this approach, we implement the ENTRUST authorization system for Android. We find, via a laboratory user study, that attacks can be prevented at a much higher rate (54-64% improvement); and via a field user study, that ENTRUST requires no more than three additional authorizations per program with respect to the first-use approach, while incurring modest performance (<1%) and memory overheads (5.5 KB per program).
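The abstract describes the mechanism only at a high level: a user input event is attributed to the program that receives it, delegation (IPC) events extend that attribution to other programs, and a sensor operation is authorized against the resulting delegation path, with the user's decision cached so the same path can be reused. The following Python sketch is an added illustration of that idea and is not ENTRUST's own code; the class and method names (`Monitor`, `on_input`, `on_delegate`, `on_sensor_request`), the one-pending-path-per-program rule, and the constructed scenario are all assumptions made here for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# A delegation path is a tuple such as ("camera_button", "photo_app",
# "camera_service", "camera"): the widget the user acted on, the program
# that received the input, every program it delegated to, and the sensor.
Path = Tuple[str, ...]


@dataclass
class InputEvent:
    """A user input event delivered to a program (constructed for this example)."""
    program: str
    widget: str


@dataclass
class Monitor:
    """Hypothetical reference monitor that tracks input and delegation events.

    ask_user is the (simulated) authorization prompt; decisions caches the
    user's answer per complete path so later identical paths are not re-asked.
    """
    ask_user: Callable[[Path], bool]
    decisions: Dict[Path, bool] = field(default_factory=dict)
    # program -> the single delegation path currently attributed to it
    pending: Dict[str, Path] = field(default_factory=dict)

    def on_input(self, event: InputEvent) -> None:
        # A fresh user action starts a new path for the receiving program.
        self.pending[event.program] = (event.widget, event.program)

    def on_delegate(self, src: str, dst: str) -> bool:
        # Delegation only carries authority if src is acting on a user input
        # event, and dst must not already hold a path (otherwise the later
        # sensor request would be ambiguous about which action caused it).
        path = self.pending.get(src)
        if path is None or dst in self.pending:
            return False
        self.pending[dst] = path + (dst,)
        return True

    def on_sensor_request(self, program: str, sensor: str) -> bool:
        # Each path authorizes at most one sensor operation: pop it so a
        # second access without a new user action is denied.
        path: Optional[Path] = self.pending.pop(program, None)
        if path is None:
            return False
        key = path + (sensor,)
        if key not in self.decisions:
            self.decisions[key] = self.ask_user(key)
        return self.decisions[key]


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: a photo app delegates a camera capture to a
    service, and a background program tries the microphone with no input."""
    prompts = []

    def ask_user(path: Path) -> bool:
        prompts.append(path)
        return path[0] == "camera_button"  # user approves the camera button flow

    m = Monitor(ask_user=ask_user)
    m.on_input(InputEvent("photo_app", "camera_button"))
    delegated = m.on_delegate("photo_app", "camera_service")
    first = m.on_sensor_request("camera_service", "camera")
    replay = m.on_sensor_request("camera_service", "camera")   # no new input
    background = m.on_sensor_request("spyware", "microphone")  # no input at all

    # Same user action again: the cached decision is reused, no second prompt.
    m.on_input(InputEvent("photo_app", "camera_button"))
    m.on_delegate("photo_app", "camera_service")
    second = m.on_sensor_request("camera_service", "camera")

    return {
        "delegated": delegated,
        "first": first,
        "replay": replay,
        "background": background,
        "second": second,
        "prompt_count": len(prompts),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The two denials in the scenario are the cases the abstract is concerned with: a sensor operation that no user action caused, and a second operation riding on an input event that was already consumed. The single prompt across two identical flows is the reuse the abstract refers to.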