Rene Mayrhofer
René Mayrhofer was heading the Android Platform Security team and is currently acting both in an academic role at the Institute of Networks and Security at Johannes Kepler University Linz (JKU), Austria, and in an advisory role to Android Platform Security. He tries to make recent advances in usable, mobile security research available to the billions of Android users. Previously, he held a full professorship for Mobile Computing at Upper Austria University of Applied Sciences, Campus Hagenberg, a guest professorship for Mobile Computing at University of Vienna, and a Marie Curie Fellowship at Lancaster University, UK.
His research interests include computer security, mobile devices, network communication, and machine learning, which he currently brings together in his research on securing mobile devices. Within the scope of u'smile, the Josef Ressel Center for User-friendly Secure Mobile Environments, his research group looked into full-stack security of mobile devices from hardware through firmware up to user interaction aspects. One particular outcome was a prototype for a privacy-conscious Austrian mobile Driving License (AmDL) on Android smartphones supported by tamper-resistant hardware.
René has contributed to over 80 peer-reviewed publications and is a reviewer for numerous journals and conferences. He received Dipl.-Ing. (MSc) and Dr. techn. (PhD) degrees from Johannes Kepler University Linz, Austria and his Venia Docendi for Applied Computer Science from University of Vienna, Austria. His full publication list can be found on his personal page.
Authored Publications
The Android Platform Security Model (2023)
Jeff Vander Stoep
Chad Brubaker
Dianne Hackborn
Roger Piqueras Jover
Michael Specter
Arxiv, Cornell University (2023)
Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. To support this flexibility, Android’s security model must strike a difficult balance between security, privacy, and usability for end users; provide assurances for app developers; and maintain system performance under tight hardware constraints. This paper aims to both document the assumed threat model and discuss its implications, with a focus on the ecosystem context in which Android exists. We analyze how different security measures in past and current Android implementations work together to mitigate these threats, and, where there are special cases in applying the security model in practice, we discuss these deliberate deviations and examine their impact.
Insider Attack Resistance in the Android Ecosystem
USENIX Association, Burlingame, CA (2019)
The threat model for a mobile device ecosystem is complex. In addition to the obvious physical attacks on lost or stolen devices and malicious code threats, typical mobile devices integrate a significant amount of code from different organizations into their system images, which are in turn executed on an increasingly complex hardware infrastructure. Both benign mistakes as well as malicious attacks could happen on any of these layers, by any of these organizations. Therefore, users as well as app developers and service providers currently have to trust every single one of these organizations. Note that OEMs (original device manufacturers) in their role as integrators typically verify their supply chain and components they integrate. However, there are also other parties in the full chain that can tamper with devices after they leave an OEM and before they are in the hands of users. Summarizing, many people could - by honest mistake or malicious intent - tamper with components of a modern smart phone to compromise user security. We call such attacks insider attacks, independently of the motivation or association of these insiders. The basic threat is that insiders have privileged access to some components during the manufacturing or update chain that would allow them to make modifications that third parties could not. This talk will introduce the complexity of the insider attack problem (which is not unique to Android) and introduce some defenses that have already been put in place. In Android, we counter such insider attacks on multiple levels and aim to remove or limit the capability of insiders to harm users, which implies limiting the required trust in many of the involved parties. At the secure hardware level, Android Pie introduced insider attack resistance (IAR) for updates to tamper resistant hardware such as secure elements that is used to validate the user knowledge factor in authentication and for deriving, storing, and using cryptographic key material.
Even Google and the respective OEM are technically incapable of distributing modified firmware to such tamper resistant hardware to exfiltrate user keys without their cooperation. On the system software level, some devices make the hash of their currently running firmware available for (anonymous) local and remote verification. The combination of these features already provides transparency on the system software level and severely limits the possibility for targeted attacks on firmware and system software levels. We continue to work on this problem, and this talk is partially a call to action for the security community to devise additional novel methods to mitigate against insider attacks on components in the mobile device landscape.
Preview abstract
Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. The model needs to strike a difficult balance between security, privacy, and usability for end users, assurances for app developers, and system performance under tight hardware constraints. While many of the underlying design principles have implicitly informed the overall system architecture, access control mechanisms, and mitigation techniques, the Android security model has previously not been formally published. This paper aims to both document the abstract model and discuss its implications. Based on a definition of the threat model and Android ecosystem context in which it operates, we analyze how the different security measures in past and current Android implementations work together to mitigate these threats. There are some special cases in applying the security model, and we discuss such deliberate deviations from the abstract model.