Quire: Lightweight Provenance for Smart Phone Operating Systems

SEC'11: Proceedings of the 20th USENIX conference on Security (2011)

Abstract
Smartphone apps are often granted the privilege to run with access to the network and sensitive local resources. This makes it difficult for remote endpoints to place any trust in the provenance of network connections originating from a user's device. Even on the phone, different apps with distinct privilege sets can communicate with one another. This can allow one app to trick another into improperly exercising its privileges (resulting in a confused deputy attack). In Quire, we engineered two new security mechanisms into Android to address these issues. First, Quire tracks the call chain of on-device IPCs, allowing an app the choice of operating with the reduced privileges of its callers or exercising its full privilege set by acting explicitly on its own behalf. Second, a lightweight signature scheme allows any app to create a signed statement that can be verified by any app on the same phone. Both of these mechanisms are reflected in network RPCs. This allows remote systems visibility into the state of the phone when the RPC was made. We demonstrate the usefulness of Quire with two example applications: an advertising service that runs advertisements separately from their hosting applications, and a remote payment system. We show that Quire's performance overhead is minimal.
Keywords
distinct privilege set, full privilege, network RPCs, network connection, reduced privilege, remote endpoint, remote payment system, remote systems visibility, Smartphone apps, different apps, lightweight provenance, smart phone operating system