SEApp: Bringing Mandatory Access Control to Android Apps


Matthew Rossi, Dario Facchinetti, and Enrico Bacis, Università degli Studi di Bergamo; Marco Rosa, SAP Security Research; Stefano Paraboschi, Università degli Studi di Bergamo


Mandatory Access Control (MAC) has provided a great contribution to the improvement of the security of modern operating systems. A clear demonstration is represented by Android, which has progressively assigned a greater role to SELinux since its introduction in 2013. These benefits have been mostly dedicated to the protection of system components against the behavior of apps and no control is offered to app developers on the use of MAC. Our solution overcomes this limitation, giving developers the power to define ad-hoc MAC policies for their apps, supporting the internal compartmentalization of app components.

This is a natural evolution of the security mechanisms already available in Android, but its realization requires considering that (i) the security of system components must be maintained, (ii) the solution must be usable by developers, and (iii) the performance impact should be limited. Our proposal meets these three requirements. The proposal is supported by an open-source implementation.


@inproceedings {272302,
author = {Matthew Rossi and Dario Facchinetti and Enrico Bacis and Marco Rosa and Stefano Paraboschi},
title = {{SEApp}: Bringing Mandatory Access Control to Android Apps},
booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {3613--3630},
url = {},
publisher = {USENIX Association},
month = aug
}
