LayerCake is a version of Android that supports embedded applications. It allows one application's Activity to embed another application's Activity (similar to iframes on the Web). We built LayerCake to explore what it would take to modify a real system to securely embed one application's user interface within another application.
Securing Embedded User Interfaces: Android and Beyond
Franziska Roesner and Tadayoshi Kohno, University of Washington
Proceedings of the 22nd USENIX Security Symposium (2013)
Web and smartphone applications commonly embed third-party user interfaces like advertisements and social media widgets. However, this capability comes with security implications, both for the embedded interfaces and the host page or application. While browsers have evolved over time to address many of these issues, mobile systems like Android -- which do not yet support true cross-application interface embedding -- present an opportunity to redesign support for secure embedded user interfaces from scratch. In this paper, we explore the requirements for a system to support secure embedded user interfaces by systematically analyzing existing systems like browsers, smartphones, and research systems. We describe our experience modifying Android to support secure interface embedding and evaluate our implementation using case studies that rely on embedded interfaces, such as advertisement libraries, Facebook social plugins (e.g., the "Like" button), and access control gadgets. We provide concrete techniques and reflect on lessons learned for secure embedded user interfaces.
LayerCake is based in part on our recent related work:
User Interface Toolkit Mechanisms for Securing Interface Elements
Franziska Roesner, James Fogarty, and Tadayoshi Kohno, University of Washington
Proceedings of the 25th ACM Symposium on User Interface Software and Technology (UIST 2012)
User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems
Franziska Roesner and Tadayoshi Kohno (University of Washington),
Alexander Moshchuk, Bryan Parno, and Helen J. Wang (Microsoft Research), and Crispin Cowan (Microsoft)
Proceedings of the 33rd IEEE Symposium on Security and Privacy (Oakland 2012)