PolyScope: Multi-Policy Access Control Analysis to Triage Android Scoped Storage

Yu Tsung Lee, Haining Chen, William Enck, Hayawardh Vijayakumar, Ninghui Li, Zhiyun Qian, Giuseppe Petracca, Trent Jaeger

Research output: Contribution to journal › Article › peer-review

5 Scopus citations

Abstract

Android's filesystem access control is its foundation for system integrity. It combines mandatory (e.g., SELinux) and discretionary (e.g., Unix permissions) access control with other specialized access controls (e.g., Android permissions), aiming to protect Android/OEM services from third-party applications. However, OEMs often introduce vulnerabilities when they add market-differentiating features because they fail to correctly reconfigure this complex combination of policies. In this paper, we present the POLYSCOPE tool, which triages the combination of Android filesystem access control policies to find the authorized operations that may be exploited by adversaries to escalate their privileges, called "attack operations". Critically, POLYSCOPE accounts for how adversaries may modify permissions for themselves and/or their victims to uncover latent attack operations. We demonstrate the effectiveness of POLYSCOPE by assessing the impact of the recently introduced Scoped Storage defense for Android, showing that extending POLYSCOPE to analyze a new policy can be done independently if the new policy only restricts permissions, which is the case for Scoped Storage. We apply POLYSCOPE to three Google and five OEM Android releases, finding that Scoped Storage reduces the number of attack operations possible on external storage resources by over 50%. However, we also find two previously unknown vulnerabilities because OEMs only adopt Scoped Storage partially, limiting its benefit. Thus, we show how to use POLYSCOPE to assess an ideal scenario where all apps are compliant with Scoped Storage, which can reduce the number of untrusted parties that can access attack operations by over 65% on OEM systems. As a result, we find that POLYSCOPE can help Android OEMs triage complex access control policies to identify the specific attack operations worthy of further examination.
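A constructed toy of the multi-policy triage the abstract describes (an added illustration, not PolyScope's code): authorized operations are the conjunction of DAC and SELinux decisions, the DAC view can optionally expand what an untrusted file owner can grant to itself or to victims, and Scoped Storage is layered on afterwards as a restrict-only filter without recomputing the base analysis. The subjects, paths, policy tables and the integrity-style definition of "attack operation" used here are simplified assumptions, not the paper's.

```python
OPS = ("read", "write")
# Constructed sample subjects with the trust level the triage assigns them.
TRUST = {"media_app": "untrusted", "system_server": "trusted", "oem_svc": "trusted"}
# Constructed sample objects: (owner, Unix 'others' bits, SELinux label).
OBJECTS = {
    "/sdcard/Download/cfg.xml":             ("media_app", "r", "sdcard_rw"),
    "/sdcard/Download/oem.cfg":             ("media_app", "",  "sdcard_rw"),
    "/sdcard/Android/data/media_app/cache": ("media_app", "",  "app_data"),
    "/data/system/cfg.db":                  ("system_server", "", "system_data"),
}
# Constructed MAC table: the labels each subject may read/write.
SELINUX = {
    "media_app":     {"sdcard_rw": {"read", "write"}, "app_data": {"read", "write"}},
    "system_server": {"sdcard_rw": {"read"}, "system_data": {"read", "write"}},
    "oem_svc":       {"sdcard_rw": {"read", "write"}, "app_data": {"read"}, "system_data": {"read"}},
}

def dac(expand: bool):
    """Unix DAC; expand=True assumes an untrusted owner can chmod its file open for victims."""
    def allows(s: str, o: str, op: str) -> bool:
        owner, others, _ = OBJECTS[o]
        if owner == s:
            return True          # an owner can always grant itself access
        if expand and TRUST[owner] == "untrusted":
            others = "rw"        # latent permissions reachable by the adversary
        return op[0] in others
    return allows
def mac(s: str, o: str, op: str) -> bool:
    return op in SELINUX[s].get(OBJECTS[o][2], set())
def scoped_storage(s: str, o: str, op: str) -> bool:
    """Restrict-only: untrusted apps reach only their own app-specific dir on external storage."""
    if TRUST[s] == "trusted" or not o.startswith("/sdcard/"):
        return True
    return o.startswith(f"/sdcard/Android/data/{s}/")
def authorized(policies) -> set:
    """Conjunction of policies: an operation is authorized only if every policy allows it."""
    return {(s, o, op) for s in TRUST for o in OBJECTS for op in OPS
            if all(p(s, o, op) for p in policies)}
def attack_operations(auth: set) -> set:
    """Attack operations here: an untrusted subject may write an object a trusted subject reads."""
    trusted_reads = {o for s, o, op in auth if TRUST[s] == "trusted" and op == "read"}
    return {(s, o, op) for s, o, op in auth
            if TRUST[s] == "untrusted" and op == "write" and o in trusted_reads}
def triage(expand: bool = True, scoped: bool = False) -> set:
    policies = [dac(expand), mac]
    if scoped:
        policies.append(scoped_storage)
    return attack_operations(authorized(policies))
```

Running `triage(expand=False)`, `triage()` and `triage(scoped=True)` shows one, three and one attack operation respectively: permission expansion uncovers two latent operations, and Scoped Storage removes the external-storage ones but not the app-specific directory an OEM service still reads.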

Original language: English (US)
Pages (from-to): 1-14
Number of pages: 14
Journal: IEEE Transactions on Dependable and Secure Computing
DOIs
State: Accepted/In press - 2023

All Science Journal Classification (ASJC) codes

  • General Computer Science
  • Electrical and Electronic Engineering
