Per-App Profiles with AppFork: The Security of Two Phones with the Convenience of One

  • Temitope Oluwafemi
  • Earlence Fernandes
  • Oriana Riva
  • Franziska Roesner
  • Tadayoshi Kohno

MSR-TR-2014-153

Employers increasingly allow employees to use their personal smartphones for work, but also impose strict security policies (e.g., wiping the device after a series of failed logins). These policies protect the corporation’s data, but they can also affect a user’s privacy and control of her own data. To address these issues, recent proposals securely partition work and personal data by means of virtualization techniques. Yet, virtualization comes with limitations. First, unless heavily optimized, it has a significant overhead on resource-constrained phones. Second, it constrains all apps to be in the same partition at a time, while users like having a mix of work and personal apps running on the device simultaneously.

To enable this functionality, we introduce a new point in the design space. We propose AppFork, an Android-based platform that allows users to switch a single app from one active profile (e.g., work) to another without switching the active profile of all other apps. AppFork still achieves the security of virtualization-based approaches, but with a smaller overhead. We built a tool for automatically identifying cross-profile channels in Android apps and applied it to 14,000 apps. Supported by this analysis, we formulate the problem of cross-profile isolation for Android and implement our solution to it. AppFork can be used with existing unmodified apps. We evaluate it in depth with 24 Android apps. AppFork was able to successfully run all apps and provide two isolated user profiles within each app.