ScopeVerif: Analyzing the Security of Android’s Scoped Storage via Differential Analysis
Zeyu Lei
Network and Distributed System Security (NDSS) Symposium 2025 · Day 3 · Android Security 2
This talk introduces **ScopeVerif**, a novel dynamic analysis framework designed to rigorously evaluate the security, correctness, and consistency of Android's **Scoped Storage** model. Presented by Zeyu Lei, this research addresses critical concerns surrounding the implementation of Scoped Storage, a fundamental security redesign introduced in Android 10 to enhance user privacy and data isolation. The talk highlights how the inherent complexity and fragmentation of the Android ecosystem lead to vulnerabilities and inconsistent security enforcement across different Android versions and device manufacturers (OEMs).
AI review
Competent, methodical systems security research that systematically audits Android Scoped Storage via differential analysis, surfaces 9 previously unknown issues, and earns bug bounties from Google and Huawei. The methodology is sound and the metadata leak finding is genuinely elegant, but the overall novelty ceiling is modest — differential analysis applied to permission model verification is an established pattern, and the headline findings don't reshape how defenders or researchers think about Android storage security.