Android is currently the largest mobile platform with around 750 million devices worldwide. Unfortunately, more than 30% of all devices contain publicly known security vulnerabilities and, in practice, cannot be updated through normal mechanisms since they are no longer supported by the manufacturer and mobile operator. This failure of traditional patch distribution systems has resulted in a large population of vulnerable mobile devices. In this talk we present PatchDroid, a system to distribute and apply third-party security patches for Android. Our system is designed for device-independent patch creation, and uses in-memory patching techniques to address vulnerabilities in both native and managed code. We created a fully usable prototype of PatchDroid, including a number of patches for well-known vulnerabilities in Android devices. We evaluated our system on different devices from multiple manufacturers and show that we can efficiently patch security vulnerabilities on Android devices without impacting performance or usability. PatchDroid therefore represents a realistic path towards dramatically reducing the number of exploitable Android devices in the wild.
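The abstract says PatchDroid applies patches in memory to native code but does not describe the mechanism. The following is an added illustration, not PatchDroid's code and not taken from the talk: it shows one common in-memory patching technique for native code, a detour that overwrites the first bytes of a vulnerable function with an unconditional jump to a corrected replacement, so every existing caller (direct or through a pointer) is redirected without restarting the process or rewriting the binary on disk. The toy function copy_name (which ignores its caller's length limit), its replacement copy_name_fixed, patch_function and demo are all constructed for this example, and the code assumes Linux on x86-64 or AArch64, where the text page can be made temporarily writable with mprotect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed "vulnerable" native function (not from PatchDroid): it copies
 * src into dst but ignores dstlen, so over-long input exceeds the limit the
 * caller declared. Returns the number of bytes copied. */
__attribute__((noinline)) int copy_name(char *dst, size_t dstlen, const char *src)
{
    (void)dstlen;                      /* BUG: the bound is never checked */
    size_t n = strlen(src);
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Replacement with the bound enforced; -1 means the input was rejected. */
__attribute__((noinline)) int copy_name_fixed(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dstlen)
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Detour: overwrite the entry of target with a jump to replacement.
 * The containing page is writable only for the duration of the write.
 * Returns 0 on success, -1 if the jump cannot be encoded or mprotect fails. */
static int patch_function(void *target, void *replacement)
{
    uintptr_t t = (uintptr_t)target, r = (uintptr_t)replacement;
    uint8_t code[8];
    size_t codelen;

#if defined(__x86_64__)
    /* E9 rel32: jump relative to the end of the 5-byte instruction. */
    int64_t rel = (int64_t)r - (int64_t)(t + 5);
    if (rel > INT32_MAX || rel < INT32_MIN)
        return -1;
    int32_t rel32 = (int32_t)rel;
    code[0] = 0xE9;
    memcpy(code + 1, &rel32, 4);
    codelen = 5;
#elif defined(__aarch64__)
    /* B imm26: PC-relative word offset, range +/-128 MiB. */
    int64_t rel = (int64_t)r - (int64_t)t;
    if (rel >= (1LL << 27) || rel < -(1LL << 27) || (rel & 3))
        return -1;
    uint32_t insn = 0x14000000u | ((uint32_t)(rel >> 2) & 0x03FFFFFFu);
    memcpy(code, &insn, 4);
    codelen = 4;
#else
#error "patch_function implements x86-64 and AArch64 only"
#endif

    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start = t & ~(uintptr_t)(page - 1);
    size_t len = (size_t)(t + codelen - start);   /* spans a page boundary if needed */
    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(target, code, codelen);
    mprotect((void *)start, len, PROT_READ | PROT_EXEC);
    /* No-op on x86; required on AArch64 so the new instruction is fetched. */
    __builtin___clear_cache((char *)target, (char *)target + codelen);
    return 0;
}

/* Call the toy function through a volatile pointer before and after patching.
 * The real buffer is 64 bytes, so the unpatched call stays in bounds here even
 * though it ignores the declared limit of 16. Returns 0 if the detour worked. */
int demo(void)
{
    int (*volatile fn)(char *, size_t, const char *) = copy_name;
    char buf[64];
    const char *longname = "this-name-is-much-longer-than-sixteen";   /* 37 chars */
    int before = fn(buf, 16, longname);        /* bug: 37 copied despite limit 16 */
    if (patch_function((void *)copy_name, (void *)copy_name_fixed) != 0)
        return 1;
    int after = fn(buf, 16, longname);         /* fixed: rejected with -1 */
    int ok = fn(buf, 16, "short");             /* valid input still works */
    return (before == 37 && after == -1 && ok == 5) ? 0 : 1;
}

int main(void)
{
    int rc = demo();
    printf("in-memory detour %s\n", rc == 0 ? "redirected the vulnerable call" : "failed");
    return rc;
}
```

The detour must be at least as long as the bytes it overwrites and the target function must be longer than the jump (5 bytes on x86-64, 4 on AArch64), which holds for any non-trivial function; a production patcher would also preserve the clobbered prologue in a trampoline if it needed to call the original. Whether PatchDroid uses this exact mechanism is not stated in the abstract; the example only shows what "in-memory patching" of native code can look like.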
Collin Mulliner is a postdoctoral researcher in the Systems Security Lab at Northeastern University. Collin's main interest is the security and privacy of mobile and embedded systems with an emphasis on mobile and smart phones. Since 1997 Collin has worked on all kinds of mobile devices and touched most of the mobile platforms for either software development or security work. Collin received a Ph.D. from the Technische Universitaet Berlin in 2011, and an M.S. and a B.S. in computer science from UC Santa Barbara and FH-Darmstadt, respectively. Collin has a broad interest in systems security that is somehow connected to mobile devices and cellular infrastructure. He has a specific interest in vulnerability analysis and offensive security but recently switched his focus to the defensive side to work on mitigations and countermeasures.