P-Box: Preventing Unwanted Data Flows using Permission Sandboxes on Android

Authors: Lucas Becker (TU Darmstadt), David Breuer (TU Darmstadt), Matthias Hollick (TU Darmstadt)

Volume: 2026
Issue: 4
Pages: 232–247
DOI: https://doi.org/10.56553/popets-2026-0118

Artifact: Available, Functional, Reproduced

Download PDF

Abstract: One of the core privacy features of smartphone operating systems is a permission framework that requires explicit user consent before granting apps access to private data. Such systems are deeply integrated into Google's Android and Apple's iOS, which together account for the majority of the smartphone operating system market. While permission systems can be seen as milestones in user empowerment and privacy protection, they offer users only a binary choice: whether an app can access a specific resource or not. As soon as an app is allowed to read a resource, the operating system loses control over its further use. Most apps have Internet access and can send permission-protected data, like a user's location, over the Internet, which can harm user privacy. To solve this problem, we present an addition to current permission systems that splits apps into multiple sandboxed processes to enforce fine-grained privacy and data-flow controls on smartphones. By default, our design forces apps to process permission-protected data locally on the device, thereby eliminating the need for apps to request runtime permissions for local-only use cases. We implement a proof-of-concept based on the Android Open Source Project code base. We showcase our framework's practicability by adapting multiple app use cases to our system, benchmarking its computational overhead, and discussing the implications for platform operators, developers, and users.

Keywords: Android, AOSP, privacy, sandbox, permission system

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.