Android is the most widely deployed end-user-focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. The model needs to strike a difficult balance between security, privacy, and usability for end users, assurances for app developers, and system performance under tight hardware constraints. While many of the underlying design principles have implicitly informed the overall system architecture, access control mechanisms, and mitigation techniques, the Android security model has not previously been formally published. This article aims to both document the abstract model and discuss its implications. Based on a definition of the threat model and the Android ecosystem context in which it operates, we analyze how the different security measures in past and current Android implementations work together to mitigate these threats. There are some special cases in applying the security model, and we discuss such deliberate deviations from the abstract model.
People own and carry an increasing number of ubiquitous mobile devices, such as smartphones, tablets, and notebooks. Being small and mobile, those devices have a high propensity to become lost or stolen. Since mobile devices provide access to their owners’ digital lives, strong authentication is vital to protect sensitive information and services against unauthorized access. However, at least one in three devices is unprotected, with inconvenience of traditional authentication being the paramount reason. We present the concept of CORMORANT, an approach to significantly reduce the manual burden of mobile user verification through risk-aware, multi-modal biometric, cross-device authentication. Transparent behavioral and physiological biometrics like gait, voice, face, and keystroke dynamics are used to continuously evaluate the user’s identity without explicit interaction. The required level of confidence in the user’s identity is dynamically adjusted based on the risk of unauthorized access derived from signals like location, time of day and nearby devices. Authentication results are shared securely with trusted devices to facilitate cross-device authentication for co-located devices. Conducting a large-scale agent-based simulation of 4 000 users based on more than 720 000 days of real-world device usage traces and 6.7 million simulated robberies and thefts sourced from police reports, we found the proposed approach is able to reduce the frequency of password entries required on smartphones by 97.82% whilst simultaneously reducing the risk of unauthorized access in the event of a crime by 97.72%, compared to conventional knowledge-based authentication.
Providing methods to anonymously validate user identity is essential in many applications of electronic identity (eID) systems. A feasible approach to realize such a privacy-preserving eID is the usage of group signature protocols or pseudonym-based signatures. However, providing a revocation mechanism that preserves privacy is often the bottleneck for the scalability of such a system. In order to bridge this gap between practicability and privacy, we propose a new pseudonym-based mobile eID signature scheme suitable for smart cards and secure elements that also enables efficient and scalable revocation checks. By using a pseudorandom function, we derive one-time verification tokens used for identity verification as well as revocation checks and generate proofs of validity using a new method referred to as disposable dynamic accumulators. Our scheme preserves unlinkability and anonymity of the eID holder even beyond revocation and does not require online connectivity to a trusted party for verification and revocation checks.
We propose a system for enabling auxiliary communication channels in which a node transmits a millimeter (mm) wave signal which is reflected off a deliberately vibrating surface of a second node and then received by the first node. Data sequences can be encoded in the modulation of the surface, and radar sensing techniques can be used to demodulate the reflected signal. Hence our system enables not only conventional sensing in terms of range, velocity, and orientation estimation but also allows for information to be conveyed by the sensed device. We introduce the design of a metasurface driven by an energy-efficient programmable piezo-electric actuator, detail suitable radar processing, and characterize the link performance of the kinetically induced channel at distances up to five meters. As this metasurface could be used for both mobile devices and infrastructure devices, we describe opportunities for enabling novel capabilities including secure device authentication and extended-range wireless sensing across multiple devices.
In this work we propose a secure communication concept for the protection of critical power supply and distribution infrastructure. In particular, we consider the line current differential protection method for modern smart grid implementations. This protection system operates on critical infrastructure and requires precise timing of the communication between the devices at both ends of a protected power line. Therefore, the communication has to fulfill deterministic constraints and low-delay requirements and additionally needs to be protected against cyber attacks. Existing systems are often either costly and based on deprecated technology, or suffer from maloperation. In order to allow for both economical and reliable operation, we present the first holistic communication concept capable of using state-of-the-art packet-switched networks. Our solution consists of three parts: (i) we develop a list of design requirements for the communication of line current differential protection systems; (ii) we propose a communication concept obeying these design requirements by combining cryptographic and physical security approaches; and (iii) we evaluate our solution in a practical setup. Our evaluation shows a clock accuracy of 3 µs with resilience to asymmetric delay attacks down to 8 ns/s. This demonstrates the secure and fault-free operation of a line current differential protection system communicating over a state-of-the-art network.
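The abstract above ties protection correctness to timing and names asymmetric delay attacks as the threat. The following is an added illustration of why that is the relevant attack class; it is not the paper's protocol or code. It models a generic two-way time transfer (the NTP/PTP pattern: master sends at t1, slave receives at t2, replies at t3, master receives at t4) whose offset estimate assumes equal one-way delays, and shows that an attacker who adds delay in only one direction shifts the estimated clock offset by half the asymmetry. The path delay of 1 ms, the 50 Hz system frequency and the 200 µs injected asymmetry are constructed values; the 8 ns/s figure is taken from the abstract.

```python
"""Asymmetric delay attacks against two-way time transfer (added illustration).

Not the paper's scheme: a generic two-way timestamp exchange with the
symmetric-path assumption, plus the effect of the resulting time error on a
line current differential measurement. All times are in seconds.
"""
import math


def estimate_offset(t1, t2, t3, t4):
    """Two-way estimate of (slave clock - master clock).

    Correct only if the forward and reverse one-way delays are equal.
    """
    return ((t2 - t1) - (t4 - t3)) / 2.0


def round_trip(t1, t2, t3, t4):
    """Sum of both one-way delays, excluding the slave's turnaround time."""
    return (t4 - t1) - (t3 - t2)


def simulate_exchange(true_offset, fwd_delay, rev_delay, t1=0.0, turnaround=50e-6):
    """Timestamps of one exchange. The slave clock reads master clock + true_offset."""
    t2 = t1 + fwd_delay + true_offset          # slave-clock receive time
    t3 = t2 + turnaround                        # slave-clock send time
    t4 = (t3 - true_offset) + rev_delay         # master-clock receive time
    return t1, t2, t3, t4


def offset_error(true_offset, fwd_delay, rev_delay):
    """Estimation error, which works out to (fwd_delay - rev_delay) / 2."""
    ts = simulate_exchange(true_offset, fwd_delay, rev_delay)
    return estimate_offset(*ts) - true_offset


def asymmetry_after(rate_ns_per_s, seconds):
    """Asymmetry built up by slowly increasing the delay in one direction only.

    A slow ramp is the hard case: each individual exchange looks normal, so a
    resilience figure is naturally stated as a rate (the abstract quotes 8 ns/s).
    """
    return rate_ns_per_s * 1e-9 * seconds


def phantom_differential(time_error, frequency=50.0):
    """Spurious differential current, as a fraction of load current, seen when
    two equal sinusoidal currents are compared with a sampling misalignment of
    time_error: |e^(j*theta) - 1| = 2*sin(theta/2) with theta = 2*pi*f*dt.
    """
    theta = 2 * math.pi * frequency * time_error
    return 2 * math.sin(theta / 2)


if __name__ == "__main__":
    base = 1e-3                      # constructed: 1 ms one-way path delay
    print(f"symmetric paths, error:  {offset_error(0.3, base, base) * 1e6:+.3f} us")
    injected = 200e-6                # constructed: attacker adds 200 us one way
    err = offset_error(0.3, base, base + injected)
    rtt = round_trip(*simulate_exchange(0.3, base, base + injected))
    print(f"asymmetric paths, error: {err * 1e6:+.3f} us  (RTT now {rtt * 1e3:.2f} ms)")
    print(f"phantom differential:    {phantom_differential(abs(err)) * 100:.2f} % of load current")
    slow = asymmetry_after(8, 3600)  # 8 ns/s sustained for one hour
    print(f"8 ns/s for 1 h: {slow * 1e6:.1f} us asymmetry -> {slow / 2 * 1e6:.1f} us clock error")
```

The round-trip value is the one cheap check a practitioner has: an attacker who only adds delay in one direction also inflates the measured round trip, so bounding the RTT against the known path catches the crude version of the attack. It does not catch an asymmetry that stays within normal RTT variation, which is why the slow ramp modelled by `asymmetry_after` is the case a protection system has to be hardened against.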
Biometrics have become important for mobile authentication, e.g. to unlock devices before using them. One way to protect biometric information stored on mobile devices from disclosure is to use embedded smart cards (SCs) with biometric match-on-card (MOC) approaches. However, the computational restrictions of SCs also limit biometric matching procedures. We present a mobile MOC approach that uses offline training to obtain authentication models with a simplistic internal representation in the final trained state; to this end, we adapt features and model representation to enable their usage on SCs. The pre-trained model can be shipped with SCs on mobile devices without requiring retraining to enroll users. We apply our approach to acceleration-based mobile gait authentication as well as face authentication and compare authentication accuracy and computation time of 16 and 32 bit Java Card SCs. Using 16 instead of 32 bit SCs has little impact on authentication performance and is faster due to less data transfer and fewer computations on the SC. Results indicate 11.4% EER for gait and 2.4-5.4% EER for face authentication, with transmission and computation durations on the SCs in the range of 2 s and 1 s, respectively. To the best of our knowledge this work represents the first practical approach towards acceleration-based gait MOC authentication.
This work evaluates the security strength of a smartphone-based gait recognition system against zero-effort and live minimal-effort impersonation attacks under realistic scenarios. For this purpose, we developed an Android application which uses the smartphone's accelerometer to capture gait data continuously in the background, but only when the individual walks. Later, it analyzes the recorded gait data and establishes the identity of the individual. At first, we tested the performance of this system against zero-effort attacks using a dataset of 35 participants. Later, live impersonation attacks were performed by five professional actors who specialize in mimicking body movements and body language. These attackers were paired with physiologically similar victims and were given live audio and visual feedback about their latest impersonation attempt throughout the whole experiment. The absence of false positives under impersonation attacks indicates that mimicry does not improve the attackers' chances of being accepted by our gait authentication system. In 29% of all impersonation attempts, when attackers tried to walk like their chosen victim, they lost regularity between their steps, which makes impersonation even harder for attackers.
Today, mobile devices like smartphones and tablets have become an indispensable part of people's lives, posing many new questions, e.g. in terms of interaction methods, but also security. In this paper, we conduct a large-scale, long-term analysis of mobile device usage characteristics like session length, interaction frequency, and daily usage in locked and unlocked state with respect to location context and diurnal pattern. Based on detailed logs from 29,279 mobile phones and tablets representing a total of 5,811 years of usage time, we identify and analyze 52.2 million usage sessions, with some participants providing data for more than four years. Our results show that context has a highly significant effect on both frequency and extent of mobile device usage, with mobile phones being used twice as much at home as in the office. Interestingly, devices are unlocked for only 46% of the interactions. We found that with an average of 60 interactions per day, smartphones are used almost three times as often as tablets (23), while usage sessions on tablets are three times longer, hence both are used for almost the same amount of time throughout the day. We conclude that usage session characteristics differ considerably between tablets and smartphones. These results inform future approaches to mobile interaction as well as security.
In this paper, we study the concept of security zones as an intermediate layer of compartmentalization on mobile devices. Each of these security zones is isolated against the other zones and holds a different set of applications and associated user data and may apply different security policies. From a user point of view, they represent different contexts of use for the device, e.g., to distinguish between gaming (private context), payment transactions (secure context), and company-related email (enterprise context). We propose multiple visualization methods for conveying the current security zone information to the user, and interaction methods for switching between zones. Based on an online and a laboratory user study, we evaluated these concepts from a usability point of view. One important result is that in the tension field between security and usability, additional hardware can support the user’s awareness toward their zone context.
In a wireless world, users can establish ad hoc virtual connections between devices that are unhampered by cables. This process is known as spontaneous device association. A wide range of interactive protocols and techniques have been demonstrated in both research and practice, predominantly with a focus on security aspects. In this article, we survey spontaneous device association with respect to the user interaction it involves. We use a novel taxonomy to structure the survey with respect to the different conceptual models and types of user action employed for device association. Within this framework, we provide an in-depth survey of existing techniques discussing their individual characteristics, benefits and issues.
Authenticating spontaneous interactions between devices and users is challenging for several reasons: the wireless (and therefore invisible) nature of device communication, the heterogeneous nature of devices and lack of appropriate user interfaces in mobile devices, and the requirement for unobtrusive user interaction. The most promising approach that has been proposed in the literature involves the exploitation of so-called auxiliary channels for authentication to bridge the gap between usability and security. This concept has spawned the independent development of various authentication methods and research prototypes that unfortunately remain hard to compare and interchange and are rarely available to potential application developers. We present a novel, unified cryptographic authentication protocol framework (UACAP) to unify these approaches and analyze its security properties. This protocol and a selection of auxiliary channels aimed at authentication of mobile devices have been implemented and released in an open source ubiquitous authentication toolkit (OpenUAT). We also present an initial user study evaluating four of these channels.
A challenge in facilitating spontaneous mobile interactions is to provide pairing methods that are both intuitive and secure. Simultaneous shaking is proposed as a novel and easy-to-use mechanism for pairing of small mobile devices. The underlying principle is to use common movement as a secret that the involved devices share for mutual authentication. We present two concrete methods, ShaVe and ShaCK, in which sensing and analysis of shaking movement is combined with cryptographic protocols for secure authentication. ShaVe is based on initial key exchange followed by exchange and comparison of sensor data for verification of key authenticity. ShaCK, in contrast, is based on matching features extracted from the sensor data to construct a cryptographic key. The classification algorithms used in our approach are shown to robustly separate simultaneous shaking of two devices from other concurrent movement of a pair of devices, with a false negative rate of under 12 percent. A user study confirms that the method is intuitive and easy to use, as users can shake devices in an arbitrary pattern.
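The ShaVe pattern described above, key exchange first and then comparison of sensor data to authenticate the key, has one subtle ordering requirement: each device must commit to its own movement data, under the key it believes it shares, before either side reveals anything. The following is an added, simplified illustration of that pattern; it is not the ShaVe protocol, the paper's code, or part of OpenUAT. Assumptions made here: a toy finite-field Diffie-Hellman over a small constructed prime (readable, not secure; a real system would use X25519), HMAC-SHA256 as the key-bound commitment, Pearson correlation as the movement similarity measure with a constructed threshold of 0.8, and constructed accelerometer traces rather than real sensor readings.

```python
"""Key authentication via shared shaking movement (added, simplified ShaVe-like flow).

Two devices run an unauthenticated key exchange, then use their own sensor
traces as the auxiliary channel: each commits to its trace under its key,
then reveals it, and accepts the key only if the peer's reveal matches the
peer's commitment and the peer's movement matches its own.
"""
import hashlib
import hmac
import math
import random
import secrets
import struct

# Toy DH group (constructed, NOT secure): Mersenne prime 2^127-1 and g = 3.
P = 2**127 - 1
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    # Unauthenticated: whoever supplied peer_pub (possibly a man in the middle)
    # shares this key. The movement check below is what authenticates it.
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def encode_trace(trace):
    return struct.pack(f"<{len(trace)}f", *trace)


def commit(key, trace):
    """Key-bound commitment to a device's own movement data."""
    return hmac.new(key, encode_trace(trace), hashlib.sha256).digest()


def similarity(a, b):
    """Pearson correlation of two equal-length acceleration traces."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    norm_a = math.sqrt(sum((x - mean_a) ** 2 for x in a))
    norm_b = math.sqrt(sum((y - mean_b) ** 2 for y in b))
    return cov / (norm_a * norm_b) if norm_a and norm_b else 0.0


def verify_peer(key, peer_commit, peer_trace, own_trace, threshold=0.8):
    """Accept the key only if the peer's reveal opens its commitment under our
    key AND the revealed movement correlates with what we sensed ourselves."""
    if not hmac.compare_digest(commit(key, peer_trace), peer_commit):
        return False
    return similarity(own_trace, peer_trace) >= threshold


def shave_like_pairing(trace_a, trace_b):
    """Honest two-device run; returns (a_accepts, b_accepts, keys_equal)."""
    priv_a, pub_a = dh_keypair()
    priv_b, pub_b = dh_keypair()
    key_a = dh_shared_key(priv_a, pub_b)
    key_b = dh_shared_key(priv_b, pub_a)
    # Phase 1: both sides commit before either reveals. A relaying attacker
    # would have to commit to B under its own key without knowing A's trace.
    c_a = commit(key_a, trace_a)
    c_b = commit(key_b, trace_b)
    # Phase 2: reveal traces and verify commitment plus movement similarity.
    a_ok = verify_peer(key_a, c_b, trace_b, trace_a)
    b_ok = verify_peer(key_b, c_a, trace_a, trace_b)
    return a_ok, b_ok, key_a == key_b


def constructed_traces(seed=1, n=128):
    """Constructed accelerometer traces: A and B shaken together (same motion,
    independent sensor noise); C shaken separately with different motion."""
    rnd = random.Random(seed)
    base = [math.sin(0.5 * i) + 0.4 * math.sin(1.3 * i) for i in range(n)]
    a = [x + rnd.gauss(0, 0.15) for x in base]
    b = [x + rnd.gauss(0, 0.15) for x in base]
    c = [math.sin(0.9 * i + 1.0) + rnd.gauss(0, 0.15) for i in range(n)]
    return a, b, c


if __name__ == "__main__":
    a, b, c = constructed_traces()
    print("shaken together:", shave_like_pairing(a, b))
    print("shaken apart:   ", shave_like_pairing(a, c))
```

The commitment does the real work against a man in the middle: such an attacker holds a different key with each victim, so forwarding one side's commitment to the other does not verify, and it has to commit to the second victim before the first one reveals, i.e. before it has any movement data to copy. The similarity threshold is the usability knob; the abstract's reported false negative rate is the cost of setting it high enough to reject a concurrently but separately moved pair.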
Spontaneous interaction is a desirable characteristic associated with mobile and ubiquitous computing. The aim is to enable users to connect their personal devices with devices encountered in their environment in order to take advantage of interaction opportunities in accordance with their situation. However, it is difficult to secure spontaneous interaction as this requires authentication of the encountered device in the absence of any prior knowledge of the device. In this paper we present a method for establishing and securing spontaneous interactions on the basis of spatial references that capture the spatial relationship of the involved devices. Spatial references are obtained by accurate sensing of relative device positions, presented to the user for initiation of interactions, and used in a peer authentication protocol that exploits a novel mechanism for message transfer over ultrasound to ensure spatial authenticity of the sender.