Smartphones and tablet devices have become many people's primary hub for managing their digital life. The recent trend of using privately owned mobile devices in corporate environments (BYOD) poses serious threats to the security of corporate data. Previous research has shown that current mobile operating systems are not secure. However, a secure platform is mandatory for future BYOD and other emerging applications such as micropayment.
Instead of trying to harden Android, we developed a secure system architecture that runs trusted and non-trusted software side by side. We apply an efficient sandboxing mechanism to the Android software stack that allows us to run multiple instances of Android in strictly isolated partitions. This architecture enables us to introduce powerful security features to Android, such as out-of-band security analysis or mandatory transparent data encryption.
In this talk we present our microkernel-based security architecture. We will give details on how we sandboxed Android while retaining good performance. Special attention is given to how our architecture enforces strict resource isolation and access control. Finally, we will present some examples of how this architecture is used to improve Android security.