Multi-Persona Android

Multi-Persona
Android
Oren Laadan
orenl@cellrox.com
Android Builders 2014
www.cellrox.com
aprilzosia
Mobile devices have multiple uses - the device needs to reflect that.
Security Use Case

Personal Phone
Business Phone
Do People Remember?
Only download apps from trusted sources, such as reputable app
markets. Remember to look at the developer name, reviews, and star
ratings.
Always check the permissions an app requests. Use common sense
to ensure that the permissions an app requests match the features
the app provides.
Be alert for unusual behavior on your phone. Suspicious behavior
could be a sign that your phone is infected. These behaviors may
include unusual SMS or network activity.
Install a mobile security app for your phone that scans every app you
download to ensure its safe.
No, They Dont!

Only download apps from trusted sources, such as reputable app
markets. Remember to look at the developer name, reviews, and star
ratings.
Always check the permissions an app requests. Use common sense
to ensure that the permissions an app requests match the features
the app provides.
Be alert for unusual behavior on your phone. Suspicious behavior
could be a sign that your phone is infected. These behaviors may
include unusual SMS or network activity.
Install a mobile security app for your phone that scans every app you
download to ensure its safe.
More Use Cases

Personal Phone
Business Phone
Children Phone
Privacy Phone
Secure Phone
Even More Use Cases

Personal Phone
Business Phone
Children Phone
Privacy Phone
Secure Phone
Social Phone
Guest Phone
Dev Phone
7
Multi-Persona for Mobile Devices
Mobile Device Virtualization

Typical device
Android
applications
Android
environment
Linux
kernel
Device
hardware
9
Nobody Will Notice?
Performance Transparent
Application Transparent
Platform Transparent
User Transparent
10
Hardware Virtualization
Virtual Phone
Virtual Phone
Android
applications
Android
applications
Android
applications
Android
environment
Android
environment
Android
environment
Linux
kernel
Linux
kernel
Typical device
Linux
kernel
Hypervisor Type I
Device
hardware
Device
hardware
11
Hardware Virtualization
Suitable for servers
standard hardware
slow server replace rate
strong security model
Sub-optimal for mobile devices
burden to support devices
reduced performance / battery-life
sub-optimal use of resources
12
Operating System Virtualization

Namespaces
provide a group of processes with the
illusion that they are the only processes
on the system.
19
Namespace (r)evolution
Kernel namespaces:
mount-ns:
2.4.19
uts-ns:
2.6.19
ipc-ns:
2.6.19
pid-ns:
2.6.24
net-ns:
2.6.24-2.6.29
user-ns:
2.6.23-3.8
System calls: clone(), unshare(), setns()
20
Operating System Virtualization

Virtual Phone
Virtual Phone
Android
applications
Android
applications
Android
applications
Android
environment
Android
environment
Android
environment
Typical device
Linux
kernel
Namespaces
Linux
kernel
Device
hardware
21
Device
hardware
Device Diversity
A typical collection of peripherals available
on a modern smartphone or tablet:
22
Headset
Microphone
Speakers
(Touch) Screen
Power
Buttons
Telephony
Bluetooth
GPS
WiFi
Framebuffer
GPU
Compass
Camera(s)
Accelerometer
RTC/Alarms
Device Interactivity
Users interact with a device one application at
a time, expect consistent user experience:
Split the attention of resources between the
multiple persona, depending on context.
23
Android
applications
Android
environment
Framebuf
Linux
kernel
Device hardware
24
Android
applications
Android
applications
Android
environment
Android
environment
Framebuf
Linux
kernel
Device hardware
25
Android
applications
Android
environment
Input
Framebuf
Linux
kernel
Device hardware
26
Android
applications
Android
applications
Android
environment
Android
environment
Input
Framebuf
Linux
kernel
Device hardware
27
Android
applications
Android
applications
Android
environment
Android
environment
Device Namespace
Input
Framebuf
Linux
kernel
Device hardware
28
Android
applications
Android
applications
Android
environment
Android
environment
Device Namespace
Input
Framebuf
Touch
Proximty
Linux
kernel
Device hardware
29
Android
applications
Android
applications
Android
environment
Android
environment
Device Namespace
30
LED
Device hardware
GPS
Input
Framebuf
Touch
Buttons
Proximty
Linux
kernel
Mobile Virtualization Challenges

Challenge 1: device diversity
plethora of peripherals not virtualized
key logical devices not virtualized
virtualize physical & logical devices
32
Mobile Virtualization Challenges

Challenge 1: device diversity
plethora of peripherals not virtualized
key logical devices not virtualized
virtualize physical & logical devices
Challenge 2: interactive usage
users interact with one app at a time
foreground vs. background apps
multiplex access based on context
34
Device Namespaces
Device diversity: traditional virtualization
create the illusion that processes interact
exclusively with a set of devices
hide the fact that other processes interact
with the same set of devices
Device major/minor (e.g. loop, dm), and
device setup and internal state
35
Traditional virtualization
Examples:
36
alarm-dev
binder
logger
wakelocks
Typical driver:
Virtualized driver?
- global driver state

- per open fd state
- open() is special
- read/write/ioctl etc
use per open fd state
(and global state)
37
Typical driver:
Virtualized driver:

- per open fd state
- per-devns state
- open() is special
(and global state)
38
Typical driver:
Virtualized driver:

- per open fd state
- per-devns state
- per open fd state points
to per-devns state
- open() is special
(and global state)
39
Typical driver:
Virtualized driver:

- per open fd state
- open() is special
(and global state)
40
- per-devns state
to per-devns state
- obtain per-devns state
and perform in context
Typical driver:
Virtualized driver:

- per open fd state
- open() is special
(and global state)
41
- per-devns state
to per-devns state
and per-devns state
(and global state)
A peek at the code:
alarm-dev
binder

42
Device Namespaces
Interactivity: context-aware virtualization
concept of an active namespace, with
which the user actually interacts
ability to switch namespaces, to allow
interacting with multi-namespaces
users really interact with one namespace
at a time
43
Device Namespaces
Android
applications
Android
applications
Android
environment
Android
environment
(Device) Namespaces
44
LED
Device
hardware
GPS
Input
Framebuf
Touch
Buttons
Proximty
Linux
kernel
Framebuffer ?
VP
VP
VP
Android
applications
Android
applications
Android
applications
Android
environment
Android
environment
Android
environment
Framebuffer
Linux kernel
45
Framebuffer: device namespaces

Foreground
Background
Background
Android
applications
Android
applications
Android
applications
Android
environment
Android
environment
Android
environment
Virtualized Framebuffer
Framebuffer
RAM
Linux kernel
47

Foreground
Background
Background
Android
applications
Android
applications
Android
applications
Android
environment
Android
environment
Android
environment
Framebuffer
RAM
Linux kernel
48

Background
Foreground
Background
Android
applications
Android
applications
Android
applications
Android
environment
Android
environment
Android
environment
Framebuffer
RAM
Linux kernel
49
Input ?
VP
VP
VP
Android
applications
Android
applications
Android
applications
Android
environment
Android
environment
Android
environment
input
Linux kernel
50
Input: device namespaces

Foreground
Background
Background
Android
applications
Android
applications
Android
applications
Android
environment
Android
environment
Android
environment
Virtualized Input
Input
Linux kernel
51
Input: device namespaces

Background
Foreground
Background
Android
applications
Android
applications
Android
applications
Android
environment
Android
environment
Android
environment
Virtualized Input
Input
Linux kernel
52
Context-aware virtualization
Typical driver:
53
Virtualized driver:

- per open fd state
- open() is special
(and global state)
- per-devns state
to per-devns state
and per-devns state
(and global state)
Typical driver:
Virtualized driver:

- per open fd state
- open() is special
(and global state)
- per-devns state
to per-devns state
and per-devns state
(and global state)
per devns state:

active flag (foreground/background)
callbacks (create, destroy, switch)
54
A peek at the code:
55
input layer
backlight
LED
Device namespaces in action

A quick hands on with the Android emulator
59
User-experience ?
60
User-experience
Identity
Awareness
Switching
Sharing
64
Unique UX
Background persona tab
Background persona icon
65
Foreground persona tab
Foreground persona icon
Experimental Benchmarks
66
CPU (Linpack)
Graphics (Neocore)
Storage (Quadrant)
Web browsing (SunSpider)
Networking (custom)
Runtime Overhead (Idle)

1.40
Baseline
1-VP
2-VP
3-VP
4-VP
5-VP
1.20
1.00
0.80
0.60
0.40
0.20
0.00
Linpack
67
NeoCore Quadrant
I/O
Sun
Spider
Network
Runtime Overhead (load)

1.40
Baseline
1-VP
2-VP
3-VP
4-VP
5-VP
1.20
1.00
0.80
0.60
0.40
0.20
0.00
Linpack
68
NeoCore Quadrant
I/O
Sun
Spider
Network
Power Consumption Overhead

1.40
1.20
Baseline
2-VP
4-VP
1-VP
3-VP
5-VP
1.00
0.80
0.60
0.40
0.20
0.00
69
After 4hrs
Music
After 12hrs
Idle
Summary
Multi-persona Android
Device namespaces (?!)
More info:
https://github.com/Cellrox/devns-patches/wiki
orenl@cellrox.com
70

Multi-Persona Android

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Multi-Persona Android

Transféré par

Droits d'auteur :

Formats disponibles

Multi-Persona

Android Builders 2014

Security Use Case

Android Builders 2014

Android Builders 2014

No, They Dont!

Android Builders 2014

More Use Cases

Android Builders 2014

Even More Use Cases

Android Builders 2014

Multi-Persona for Mobile Devices

Android Builders 2014

Mobile Device Virtualization

Android Builders 2014

Nobody Will Notice?

Android Builders 2014

Android Builders 2014

Android Builders 2014

Operating System Virtualization

Android Builders 2014

Android Builders 2014

Operating System Virtualization

Android Builders 2014

Android Builders 2014

Android Builders 2014

Android Builders 2014

Android Builders 2014

Android Builders 2014

Android Builders 2014

Android Builders 2014

Android Builders 2014

Mobile Virtualization Challenges

Android Builders 2014

Mobile Virtualization Challenges

Android Builders 2014

Android Builders 2014

Android Builders 2014

- global driver state

Android Builders 2014

- global driver state

Android Builders 2014

- global driver state

Android Builders 2014

- global driver state

Android Builders 2014

- global driver state

Android Builders 2014

Android Builders 2014

Android Builders 2014

Android Builders 2014

Android Builders 2014

Framebuffer: device namespaces

Android Builders 2014

Framebuffer: device namespaces

Android Builders 2014

Framebuffer: device namespaces

Android Builders 2014

Android Builders 2014

Input: device namespaces

Android Builders 2014

Input: device namespaces

Android Builders 2014

- global driver state