VirtualPatch: fixing Android security vulnerabilities with app-level virtualization

PIZZI, SIMEONE
2021/2022

Abstract

Since its first release, the Android OS has been affected by a significant issue: the existence of multiple customized versions, handled by different mobile device vendors. One of the main consequences of the Android fragmentation issue concerns the distribution of security updates to end-user devices. In particular, I have focused on the time required by Google and other mobile vendors to send security updates. I have found that, on average, Google takes more than 84 days to send an update after its development is already complete, while Samsung takes, on average, over 39 days to integrate a Google security patch into its custom Android OS. During this time window, end users are left exposed to attackers. In this thesis, I propose VirtualPatch, a solution aimed at allowing the immediate distribution of Android security patches after their development, thus shrinking the aforementioned time window. VirtualPatch is a virtualization-based approach that protects apps by loading security patches targeting different Android architecture layers and, being executed at the application layer, it does not require an update of the underlying Android OS. I chose seven Common Vulnerabilities and Exposures from the Android Security Bulletins and managed to successfully implement and deploy the associated security patches through my solution. Moreover, while the state of the art has already proved the runtime overhead introduced by the virtualization technique to be negligible, I also measured the average time required to load the security patches, which I found to be less than 60 milliseconds. Overall, VirtualPatch is an effective and efficient solution addressing the issue of security patch distribution for Android users. Given the significance of the issue, I really hope to make a contribution to the whole Android community.
2021
Android
Virtualization
Security
Files in this item:
File: Pizzi_Simeone.pdf (open access)
Size: 1.78 MB
Format: Adobe PDF

The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 License.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.12608/32823