Paranoid Android - protecting smartphones in the cloud

Project summary:

  • start date: December 2007
  • status: working implementation
  • sponsored by: EU FP7 Wombat project


    Smartphones have come to resemble PCs in software complexity. Moreover, as they are often used for privacy-sensitive tasks, they are becoming attractive targets for attackers. Unfortunately, they are quite different from PCs in terms of resources, so PC-oriented security solutions are not always applicable. Worse, common security solutions (on-access file scanners, system call profilers, and the like) protect against a very limited set of attacks. Comprehensive measures require a far wider and more expensive set of checks - some of which are well beyond the capacity of a phone.

    Figure 1: decoupling security checks from the phone

    In the Paranoid Android project, we propose an alternative solution (shown in Figure 1) in which security checks are applied on remote security servers that host exact replicas of the phones in virtual environments. The servers are not subject to the same constraints, which allows us to apply multiple detection techniques simultaneously, including very heavyweight ones.

    Moreover, as the full execution trace is preserved on the security server, attackers cannot hide their traces. This property ensures that attacks for which a detection method exists at the security server - even if the detection method is installed at a later time - are eventually detectable. This is a stronger guarantee than existing solutions can give. It allows administrators to trade server resources for security by specifying how far back in time they want to be able to start looking for intrusions with a new detection method. We implemented the security model for Android phones and show that it is both practical and scalable: we generate about 2 KiB/s and 64 B/s of trace data under high-load and idle operation respectively, and are able to support more than a hundred replicas on a single server.
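A small model of the record-and-replay idea described above, added here as an example and not the project's code: the server keeps a bounded window of a replica's trace, replays it through its detectors, and a detector installed later only sees the events that are still inside the window. The event name, the 1 KiB detector threshold and the trace itself are constructed; the per-second trace rates are the ones quoted above.

```python
from collections import deque
from dataclasses import dataclass
# Trace rates the page reports for a single phone (bytes per second).
HIGH_LOAD_BPS = 2 * 1024
IDLE_BPS = 64

def retention_budget_bytes(replicas, high_load_s, idle_s):
    """Storage needed to keep high_load_s busy plus idle_s idle seconds of
    trace history for every replica hosted on one server."""
    return replicas * (high_load_s * HIGH_LOAD_BPS + idle_s * IDLE_BPS)

@dataclass(frozen=True)
class TraceRecord:
    t: float      # phone-side timestamp in seconds
    event: str    # non-deterministic input the replica must reproduce
    data: bytes   # payload delivered to the application on the phone

class ReplicaServer:
    """Hypothetical server-side trace store (not the project's code): keeps a
    bounded window of history and replays it through every detector."""
    def __init__(self, retention_s):
        self.retention_s = retention_s
        self.trace = deque()      # retained TraceRecords, oldest first
        self.detectors = {}       # name -> predicate over a TraceRecord
        self.alerts = []          # (detector name, timestamp of flagged record)

    def ingest(self, rec):
        self.trace.append(rec)
        # Evict history older than the window: this knob trades server storage
        # for how far back a detector installed later can still look.
        while rec.t - self.trace[0].t > self.retention_s:
            self.trace.popleft()
        self.alerts.extend((n, rec.t) for n, det in self.detectors.items() if det(rec))

    def add_detector(self, name, det):
        """Install a new detection method and replay the retained trace through it."""
        self.detectors[name] = det
        self.alerts.extend((name, r.t) for r in self.trace if det(r))

def oversized_recv(rec):
    """Constructed detector: flag network reads larger than a 1 KiB budget."""
    return rec.event == "net_recv" and len(rec.data) > 1024

def demo():
    server = ReplicaServer(retention_s=5.0)
    for t in range(11):  # constructed trace: oversized reads at t=1 and t=8
        size = 4096 if t in (1, 8) else 128
        server.ingest(TraceRecord(float(t), "net_recv", b"A" * size))
    server.add_detector("oversized_recv", oversized_recv)  # installed after the fact
    return server.alerts  # only the t=8 read: t=1 already fell out of the window
```

`retention_budget_bytes(100, 3600, 82800)` gives the storage for a hundred replicas keeping one day of history with one busy hour each, which is how the retention window above turns into a server sizing figure.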