Ariadne: Navigating through the Labyrinth of Data-Driven Customization Inconsistencies in Android
Parjanya Vyas
34th USENIX Security Symposium (USENIX Security '25) · Day 2 · System Security 3: Mobile Platforms
The Android ecosystem, characterized by its open-source nature, allows device manufacturers (OEMs) to extensively customize the core operating system (OS) to differentiate their products. While this **data-driven customization** fosters innovation and unique user experiences, it inadvertently introduces a complex challenge: **access control inconsistencies**. These inconsistencies arise when OEM-specific modifications to the Android Framework, particularly those interacting with shared global state variables, fail to implement appropriate security checks, leading to potential vulnerabilities. The talk introduces **Ariadne**, a novel static analysis and graph theory-based tool designed to systematically identify these elusive access control flaws within customized Android **ROMs**.
AI review
Solid systems-security research with a clear novel contribution: modeling access control implications through data-holder relationship graphs rather than just API-level permission checks. Finds real bugs across real shipping ROMs, builds PoCs, gets vendor acks — the work is done, not just proposed.