seemoo-lab/p-box

Artifact Appendix

Paper title: P-Box: Preventing Unwanted Data Flows using Permission Sandboxes on Android

Requested Badge(s):

  • Available
  • Functional
  • Reproduced

Description

Artifact for the paper P-Box: Preventing Unwanted Data Flows using Permission Sandboxes on Android by Lucas Becker, David Breuer, and Matthias Hollick, to appear in the Proceedings on Privacy Enhancing Technologies 2026(4).

This artifact includes our complete AOSP-based P-Box implementation, a test suite, and several example apps running on our system.

Security/Privacy Issues and Ethical Concerns

Our Android emulator uses the host's network stack to sidestep potential NAT issues and binds to all interfaces by default. We therefore recommend either firewalling the host or operating it within a trusted network.

To the best of our knowledge, there are no ethical concerns.

Basic Requirements

Hardware Requirements

The artifact can run on an x86_64 laptop, but we recommend at least 32 GB of RAM with roughly the same amount of swap to avoid OOM issues.

Software Requirements

OS Version: Any recent Linux. We tested everything on Ubuntu 24.04.4 LTS running Linux kernel 6.17.0-35.

Needed OS Packages:

  • git (tested on version 2.43.0)
  • git-lfs (tested on version 3.4.1)
  • docker-ce (Version 29.5.2)
  • Kernel modules: vhci_hcd, vhost_net, vhost_vsock (should be present on Ubuntu 24.04.4 by default)
  • Google Chrome (tested on version 149.0.7827.53) (or compatible browser)

Estimated Time and Storage Consumption

  • Overall human time: 30-45 minutes
  • Overall compute time: ~3 hours (with 24 CPU cores and 64 GB RAM)
  • Overall disk space: ~600 GB

Environment

In the following, we describe the environment setup for using this artifact.

Accessibility

  • Source Code Repository: GitHub.

Set up the environment

  • Time: 15 human minutes + 2h 30min compute time.
  • Storage: ~550 GB

  1. Install git (with git-lfs), docker-ce, and Google Chrome according to your OS's instructions.

  2. Install cuttlefish support files and reboot to apply udev rules & kernel modules.

# prepare emulator support files
sudo curl -fsSL https://us-apt.pkg.dev/doc/repo-signing-key.gpg \
    -o /etc/apt/trusted.gpg.d/artifact-registry.asc
sudo chmod a+r /etc/apt/trusted.gpg.d/artifact-registry.asc
echo "deb https://us-apt.pkg.dev/projects/android-cuttlefish-artifacts android-cuttlefish main" \
    |  sudo tee -a /etc/apt/sources.list.d/artifact-registry.list
sudo apt-get update -y
sudo apt-get install -y cuttlefish-base cuttlefish-user cuttlefish-orchestration
reboot
  3. Load the required kernel modules (needed for the emulator):

sudo modprobe vhci_hcd
sudo modprobe vhost_net
sudo modprobe vhost_vsock

# and check their presence:
lsmod | grep -E '(vhci_hcd|vhost_net|vhost_vsock)'

  4. Check out the repository:

git clone https://github.com/seemoo-lab/p-box.git
cd p-box

  5. Create and start an emulator image of P-Box:

docker build -t pbox-eval aosp-image
docker run -it --rm -v "$(pwd)/aosp-image/out:/data" --privileged --device /dev/vhost-vsock --device /dev/vhost-net --device /dev/kvm --net host pbox-eval:latest

This process takes some time. It is finished when you see the following line (connection reset messages might follow it, which is normal behavior):

Virtual device booted successfully

Keep this container running for all subsequent experiments.

  6. Extract the P-Box AOSP SDK and check that it is properly extracted:

unzip -q aosp-image/out/out/host/linux-x86/sdk/aosp_cf_x86_64_only_phone/android-sdk_linux-x86.zip
ls android-sdk_linux-x86/

Expected output:

add-ons  docs  documentation.html  platforms  RELEASE_NOTES.html  samples
  7. Open the emulator at https://localhost:8443/ in Chrome. If you are working on a remote machine, first forward the port to the computer running the browser: ssh -L 8443:localhost:8443 <remote-host>. Depending on your browser, you may have to ignore the https/certificate warning. Click connect; you may have to refresh the page until the complete emulator screen is shown. It should look like the following screenshot:

Cuttlefish booted successfully.
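The setup above assumes a host that already meets the hardware and software requirements. The following pre-flight script is an added example, not part of the P-Box repository: it checks the kernel modules listed above, the device nodes passed to docker run, and the ~600 GB of free disk space before the multi-hour image build is started. Module names, device paths and the disk figure come from this page; the function names are our own.

```shell
#!/bin/sh
# Pre-flight check for a P-Box artifact host (added example, not from the
# seemoo-lab/p-box repository). Verifies the requirements stated above before
# the long AOSP image build is started.

REQUIRED_MODULES="vhci_hcd vhost_net vhost_vsock"
REQUIRED_DEVICES="/dev/kvm /dev/vhost-vsock /dev/vhost-net"
MIN_DISK_GB=600   # from "Estimated Time and Storage Consumption"

# missing_modules LSMOD_TEXT: print each required module that does not appear
# in the first column of the given `lsmod` output, one per line.
missing_modules() {
  _lsmod="$1"
  for _mod in $REQUIRED_MODULES; do
    printf '%s\n' "$_lsmod" | awk '{ print $1 }' | grep -qx "$_mod" || echo "$_mod"
  done
}

# missing_devices: print each required device node that is absent on this host.
missing_devices() {
  for _dev in $REQUIRED_DEVICES; do
    [ -e "$_dev" ] || echo "$_dev"
  done
}

# disk_ok FREE_KB: succeed if FREE_KB (as printed by `df -Pk`) covers MIN_DISK_GB.
disk_ok() {
  [ "$1" -ge $((MIN_DISK_GB * 1024 * 1024)) ]
}

# preflight: run all checks against the live host; non-zero status on any failure.
preflight() {
  _rc=0
  _missing=$(missing_modules "$(lsmod 2>/dev/null)")
  if [ -n "$_missing" ]; then
    echo "missing kernel modules (load them with sudo modprobe):"; echo "$_missing"; _rc=1
  fi
  _missing=$(missing_devices)
  if [ -n "$_missing" ]; then
    echo "missing device nodes (needed by the --device flags of docker run):"; echo "$_missing"; _rc=1
  fi
  _free_kb=$(df -Pk . | awk 'NR == 2 { print $4 }')
  if ! disk_ok "${_free_kb:-0}"; then
    echo "need ~${MIN_DISK_GB} GB free in $(pwd), have $((${_free_kb:-0} / 1024 / 1024)) GB"; _rc=1
  fi
  return $_rc
}

if preflight; then echo "host looks ready for the P-Box artifact"; else echo "fix the items above first"; fi
```

Run it from the directory where the repository will be cloned, since the disk check looks at the filesystem holding the current directory.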

Testing the Environment

  • Time: 1 human minute + ~5 compute minutes
  • Storage: <10 GB

To execute our test suite on the running emulator, run the following commands:

docker buildx build --build-context androidsdk=android-sdk_linux-x86 -t p-box-test-suite test-suite
docker run --rm --network=host p-box-test-suite

Expected output:

OK (32 tests)

Artifact Evaluation

Main Results and Claims

Main Result 1: Example Apps

In our paper we discuss several example apps, running on our prototype. These include:

  • Permission Flow Example App
  • Sandboxed Map SDK Example App
  • Migrated Voice Recorder App
  • PocketMaps App using our Compat Library

Main Result 2: Performance Estimate Plots

In Section 6.5, we estimate P-Box's performance impact on real-world apps; the results are Figures 6a, 6b, and 6c. As explained in the paper, migrating multiple (closed-source) apps to P-Box is not within the scope of this paper. To estimate the potential performance overhead, we recorded how often those apps requested permission-protected data on a normal system and spawned a permission sandbox on our system each time this happened. We recorded system traces of the sandbox execution on our system and used these to plot the (worst-case) memory and CPU overhead.

Experiments

Experiment 1: Example Apps

  • Time: 15 human minutes + 10 compute minutes
  • Storage: <40 GB

Build and install the permission flow example app:

docker buildx build --build-context androidsdk=android-sdk_linux-x86 -t p-box-sample-app-flow sample-app-flow
docker run --rm --network=host p-box-sample-app-flow

The example app starts within the emulator. Please consent to the permission request on app start. It resembles Figure 4b of our paper and is discussed in Section 6.1.

Build and install the map example app:

docker buildx build --build-context androidsdk=android-sdk_linux-x86 -t p-box-sample-app-map sample-app-map
docker run --rm --network=host p-box-sample-app-map

The example app starts within the emulator. It resembles Figure 4a of our paper and is discussed in Section 6.1. You can interact with the map.

Build and install the migrated voice recorder app:

docker buildx build --build-context androidsdk=android-sdk_linux-x86 -t p-box-recorder-app recorder-app
docker run --rm --network=host p-box-recorder-app

The example app starts within the emulator. Please consent to the permission flow on app start and select a folder to store the recording. We verified that the DCIM folder works (do NOT use the Downloads folder; it does not work in AOSP). You can record voice in the left tab and play back the recording in the middle tab. If the recording is not shown in the recording tab, please click the screen to refresh it. Please be aware that the emulator's microphone only works in Google Chrome and you may need to hold the emulator's microphone button while inputting audio. You have to activate the emulator sound output on the left bar (icon is highlighted red). This is the example discussed in Section 6.2 of the paper.

Build and install the PocketMaps app using the P-Box compatibility layer:

docker buildx build --build-context androidsdk=android-sdk_linux-x86 --target export -o p-box-compat/out -t p-box-compat p-box-compat
docker buildx build --build-context androidsdk=android-sdk_linux-x86 --build-context compatlib=p-box-compat/out -t p-box-pocket-maps-compat sample-app-pocket-maps-compat/PocketMaps
docker run --rm --network=host p-box-pocket-maps-compat

The PocketMaps app starts within the emulator using our compatibility layer. This is the example discussed in Section 6.3 of the paper.

Experiment 2: Performance Estimate Plots

  • Time: 2 human minutes + 5 compute minutes
  • Storage: <10 GB

This experiment reproduces Main Result 2: Performance Estimate Plots. The following Docker image runs code that generates the performance plots in our paper from pre-recorded traces and permission logs, using the parameters specified in the paper.

docker build -t p-box-plots plots
docker run --rm -v ./plots/out:/app/out p-box-plots

Figures 6a, 6b, and 6c of our paper will be generated and placed in the plots/out directory as PNG files.

Limitations

For Experiment 2, we use pre-recorded permission logs and system traces for the artifact evaluation. These traces depend largely on the performance of the device running our AOSP version. For the artifact evaluation, we provide an emulator image and an emulator, which again depend on the underlying hardware. In our paper, we used a Google Pixel 9 for the evaluation, which is noticeably faster than the emulator. We therefore exclude the recording of permission logs and system traces from this artifact evaluation, as the results would differ from the plots in our paper.

Notes on Reusability

This artifact can act as a basis for further Android permission system enhancements. Researchers can draw inspiration from our implementation, compare it against their own systems, or extend it.
