Secure IPC To Enable Highly Sensitive Communication In A Smartphone Environment With A BYOD Setup

Sammanfattning: The constantly increasing amount of shared data worldwide demands a continuously improved understanding of current smartphone security vulnerabilities and limitations to ensure secure communication. Securing sensitive enterprise data on a Bring Your Own Device (BYOD) setup can be quite challenging. Allowing multiple applications to communicate through Inter-process Communication (IPC) in a shared environment can induce a wide range of security vulnerabilities if not implemented adequately. In this thesis, multiple different IPC mechanisms have been investigated and applied with respect to confidentiality, integrity, and availability (CIA-triad) of a system including an Android application and a server, to enable a secure Single Sign-On (SSO) solution. Relevant threats were identified that could highlight vulnerabilities related to the use of IPC mechanisms provided by the Android OS such as AIDL, Messenger, Content Provider, and Broadcast Receiver. A Proof-of-Concept (POC) system for each IPC mechanism was developed and implemented with targeted mitigation techniques (MT) and best practices to ensure a high level of conformity with the CIA-triad. Additionally, each IPC mechanism was evaluated through a set of functional tests, a Grey-box penetration testing approach, and a performance analysis of the execution time and the total Lines-of-Code (LOC) required. The results shows that there are indeed different ways of achieving secure communication on the Android OS and thereby enabling a secure SSO solution by ensuring the inclusion of related MTs to prevent critical security vulnerabilities. Also, the IPC mechanism with the highest performance in relation to execution time and LOC is shown to be AIDL.