Free Apps with follow-up costs
RUB researchers develop tools to boost smartphone security
by Julia Weiler
May 19, 2014
Just like desktop computers, smartphones have security vulnerabilities that criminals can exploit to gain access to the device. Dr Christopher Wolf (fig. 1), head of the Emmy Noether Group for Long-Term Security, investigates security vulnerabilities in the Android operating system and develops tools that help users detect security risks. One of his team’s central objectives is to make the solutions easy to use. “Experience shows that users will deactivate a seemingly complicated security application rather than attempting to understand it,” says Wolf.
Together with his team, Dr Christopher Wolf studies the security vulnerabilities associated with smartphone technology. © RUBIN, photo: Nelle
Together with his group, he has created the “Permission Watcher”, an application that scans all apps installed on a smartphone for potential security risks. An app’s risk potential is assessed against 20 rule sets drawn up by the researchers. “An app that is able to activate pay services is generally problematic; in Germany that might include calling 0190 numbers,” explains Christopher Wolf. Accessing the address book or determining the user’s exact location are functions that few apps genuinely require. Why, then, are they granted those rights? “A torch app may be ad-funded. Knowing the user’s exact location helps sell a larger number of ads at a much higher price. It tells the user, for example: there’s a restaurant down the road, how about you go in there?” elaborates Wolf. “Or an app might simply harvest the entire address book and sell personal data.”
Criminal intent is not the only reason why such rights are requested, though. Some programmers simply do not take the trouble to trim the default set of requested permissions. However, the user has no way of knowing the app developer’s intentions. Christopher Wolf therefore recommends general caution.
Users who run the “Permission Watcher” are presented with a list of all apps installed on their device, sorted by hazard potential. From the tool’s first 100 users – with their permission, naturally – Wolf’s team collected information on which of the “Permission Watcher’s” functions were useful and which were not. His conclusion: “We have definitely gone overboard. We gave users the option of monitoring the way our app works step by step. Nobody ever checked it out!” Rather, users were interested in whether the “Permission Watcher” displayed a sad or a happy emoticon after completing its analysis. Ten per cent of the users uninstalled potentially hazardous apps when confronted with the sad emoticon. “In the field of usability engineering, this is quite a lot,” says Christopher Wolf. “Usually, a user is likely to uninstall a programme if it tells him ‘You’re doing something wrong’, rather than follow the programme’s commands.” If, for example, antivirus software recommends uninstalling a potentially high-risk programme, many users prefer to deactivate the antivirus software itself.
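The paragraphs above describe the Permission Watcher as a rule engine over each app's requested permissions, producing a hazard ranking and a happy or sad verdict. The following is an added example written for this article, not the Bochum group's code: it parses the `uses-permission` entries of two constructed Android manifests, scores them against a handful of hypothetical rules modelled on the examples in the text (pay services, address book, exact location, and their combination with network access), and sorts the apps worst-first. The rule names, point values and the `SAD_THRESHOLD` are the author's own illustration, not the researchers' 20 rule sets.

```python
"""Rule-based permission risk scoring in the spirit of the Permission Watcher.
Added example; the rules below are an illustration, not the Bochum rule sets."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each rule: (description, set of permissions that must ALL be present, points).
# Hypothetical rules.  The combination rules capture the article's point that
# harvesting data only pays off for the app author if it can leave the device.
RULES = [
    ("can place calls (premium-rate numbers)", {"android.permission.CALL_PHONE"}, 40),
    ("can send SMS (premium SMS services)", {"android.permission.SEND_SMS"}, 40),
    ("reads the address book", {"android.permission.READ_CONTACTS"}, 25),
    ("tracks exact location", {"android.permission.ACCESS_FINE_LOCATION"}, 20),
    ("address book + network: contacts can leave the device",
     {"android.permission.READ_CONTACTS", "android.permission.INTERNET"}, 20),
    ("location + network: location can be sold to ad networks",
     {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"}, 15),
]

SAD_THRESHOLD = 40  # hypothetical cut-off for the "sad emoticon" verdict


def permissions_from_manifest(manifest_xml):
    """Return the set of permission names an AndroidManifest.xml asks for."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def score(permissions):
    """Apply every rule whose required permissions are all present."""
    hits = [(desc, pts) for desc, needed, pts in RULES if needed <= permissions]
    return sum(pts for _, pts in hits), [desc for desc, _ in hits]


def verdict(total):
    return ":-(" if total >= SAD_THRESHOLD else ":-)"


def rank_apps(apps):
    """apps: {label: manifest_xml}.  Returns (label, score, verdict, reasons)
    tuples sorted by hazard, most hazardous first."""
    ranked = []
    for label, manifest in apps.items():
        total, reasons = score(permissions_from_manifest(manifest))
        ranked.append((label, total, verdict(total), reasons))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed manifests, not taken from real apps: a torch that wants far
# more than the flash, and a notes app that asks for nothing sensitive.
TORCH_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

NOTES_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.notes">
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

SAMPLE_APPS = {"Torch": TORCH_MANIFEST, "Notes": NOTES_MANIFEST}

if __name__ == "__main__":
    for label, total, face, reasons in rank_apps(SAMPLE_APPS):
        print(f"{face} {label}: {total} points")
        for reason in reasons:
            print("    -", reason)
```

Two caveats for anyone turning this into a real check: the manifest lists what an app may ask for, and since Android 6 the dangerous permissions among them are granted at runtime, so for an installed app the granted set (visible in `adb shell dumpsys package <pkg>`) is the one to score; and a rule engine like this sees intent only indirectly, which is exactly why the article recommends treating any unexplained request as suspect rather than trusting a single score.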
Pattern login: Android users can unlock their mobile phone using a pattern instead of a PIN. © RUBIN, photo: Nelle
Protecting the smartphone against vulnerabilities in apps is only one of many important aspects, however. Users must also ensure that the device is locked if it gets lost or stolen. The Long-Term Security work group has tested how far the so-called pattern login feature can be relied on (fig. 2). Android users can protect their device from unwanted access not only with a PIN, but also by locking the display with a pattern that they draw across a three-by-three grid of nine points.
“It was suspected that the pattern login feature was not quite as secure as one would hope,” says Wolf. This has turned out to be true. The IT researchers from Bochum collected data from 584 Android users, mainly in the Ruhr-Universität Mensa. Participants were divided into “attackers” and “defenders”. The defenders’ task was to come up with as secure a login pattern as possible. Once they had chosen their pattern, they went for a meal. Afterwards, they could pick up their dessert from the IT researchers – but only if their pattern had not been cracked in the meantime. The attackers had five attempts to guess their opponents’ patterns. If they succeeded, the dessert went to them, and the defenders had to go without.
Thus, the researchers motivated the defenders to come up with as secure a pattern as possible. Still: “The pattern login feature is more or less as secure as a three-digit PIN. That’s fine, but not great,” concludes Wolf. Many patterns came up frequently, especially those that run along the edges of the three-by-three grid, forming an L-shape, for example. Only a few people use the centre. Some fields were particular favourites, for example the top-left corner as a starting point (fig. 3).
In the traditional three-by-three grid used for pattern login, 43 per cent of the users chose the top left corner as the starting point for their login pattern. © RUBIN
If anything, the study’s results flatter the pattern login: the experiment’s set-up motivated the defenders to come up with as secure a pattern as possible. A survey among 100 students at the Ruhr-Universität has shown that the login patterns actually used in real life are one or two steps shorter than those the participants in the Mensa came up with.
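The comparison with a three-digit PIN rests on how many patterns Android actually accepts and on how unevenly people choose among them. The block below is an added example, not the Bochum group's code: it enumerates every valid 3x3 pattern under Android's drawing rules (at least four dots, no dot twice, and a stroke that passes over a dot not yet used picks that dot up), reports the share of patterns that begin in the top-left corner for a chooser with no bias, and computes how often an attacker with five guesses wins against a given frequency table of chosen patterns. The frequency table `SAMPLE_FREQ` is constructed for illustration; it is not the Mensa data.

```python
"""Size of the Android 3x3 unlock-pattern space and the win rate of a
five-guess attacker.  Added example; SAMPLE_FREQ is constructed data."""
from collections import Counter

# Dots are numbered row by row:   0 1 2
#                                 3 4 5
#                                 6 7 8
# Android rule: a stroke from a to b that passes over a third dot includes
# that dot automatically, so it can only be "jumped" if already in the pattern.
def _between(a, b):
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None  # adjacent or knight-move: nothing in between

BETWEEN = {(a, b): _between(a, b) for a in range(9) for b in range(9) if a != b}


def valid_patterns(min_len=4, max_len=9):
    """Enumerate every pattern Android accepts, as tuples of dot indices."""
    found = []

    def extend(path, used):
        if len(path) >= min_len:
            found.append(tuple(path))
        if len(path) == max_len:
            return
        for nxt in range(9):
            if nxt in used:
                continue
            mid = BETWEEN[(path[-1], nxt)]
            if mid is not None and mid not in used:
                continue  # the stroke would silently pick up the dot in between
            path.append(nxt)
            used.add(nxt)
            extend(path, used)
            path.pop()
            used.discard(nxt)

    for start in range(9):
        extend([start], {start})
    return found


def count_by_length(patterns):
    return Counter(len(p) for p in patterns)


def start_share(patterns, dot):
    """Fraction of patterns starting at `dot` (what an unbiased chooser would show)."""
    return sum(1 for p in patterns if p[0] == dot) / len(patterns)


def top_k_success(freq, k):
    """Win rate of an attacker with k tries who guesses the k most popular patterns."""
    total = sum(freq.values())
    return sum(n for _, n in freq.most_common(k)) / total


# Constructed frequency table, not the study's data: edge-hugging L-shapes
# starting top-left dominate, as the article says they did.
SAMPLE_FREQ = Counter({
    (0, 1, 2, 5, 8): 9, (0, 3, 6, 7, 8): 7, (0, 1, 2, 4, 6): 5,
    (1, 4, 7, 8): 2, (3, 4, 5, 2): 1, (0, 4, 8, 5): 1,
    (6, 3, 0, 1): 1, (2, 5, 8, 7, 6): 1,
})

if __name__ == "__main__":
    pats = valid_patterns()
    print("valid patterns:", len(pats), dict(sorted(count_by_length(pats).items())))
    print("top-left start, unbiased: %.1f%% (observed in the study: 43%%)"
          % (100 * start_share(pats, 0)))
    print("5 guesses vs uniform patterns: %.5f%%" % (100 * 5 / len(pats)))
    print("5 guesses vs uniform 3-digit PIN: %.2f%%" % (100 * 5 / 1000))
    print("5 guesses vs SAMPLE_FREQ: %.1f%%" % (100 * top_k_success(SAMPLE_FREQ, 5)))
```

The point the numbers make: the pattern space is several hundred times larger than a three-digit PIN, so the "three-digit PIN" verdict in the text is entirely a statement about how people choose, not about the lock itself; a defender who starts in the centre or uses a knight move is drawing from a part of the space that popular-pattern guessing rarely reaches.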
In a randomised arrangement, no such distinct starting point is apparent. The problem here: users find it difficult to remember their pattern. © RUBIN
Wolf’s team also tested whether security improved when the fields were arranged in a circle or randomised, rather than in the typical three-by-three grid (fig. 4). Only the circular layout proved more effective. An even better solution would be to let every user arrange the fields for the pattern login as they like. Some users would then use a square, others a rectangle or a circle, and yet others a randomised arrangement, and the number of possible login patterns would increase considerably. Even then, however, one problem would remain, known in tech speak as the “smudge attack”: the login pattern can generally be inferred from the finger smudges left on the display. An even better solution would therefore be to unlock the phone by touching symbols in a particular order, for example blue square, red rectangle, green circle. The symbols could be rearranged on the display after each unlock attempt, so that no conclusions could be drawn from the smudges.
Just as with desktop computers, absolute security cannot be guaranteed for smartphones. Accordingly, it is immensely important for users to think things through and to monitor what, exactly, is happening on their devices.
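The symbol-sequence idea at the end of the previous section works because a smudge records positions, while the secret is a sequence of symbols. The following is an added example, not code from the Bochum group, that simulates exactly that: a lock whose secret is an ordered list of symbols, a legitimate user who taps wherever those symbols currently sit, and a smudge attacker who replays the observed positions on the next attempt. With a fixed layout the replay always succeeds; with the layout re-randomised after every attempt it almost never does. The symbol names, the secret and the trial counts are constructed for the demonstration.

```python
"""Symbol-sequence unlock with a re-randomised layout versus a smudge replay.
Added example with constructed symbols and secret."""
import hmac
import random

# Nine symbols, one per screen position 0..8.  Constructed set.
SYMBOLS = ["blue square", "red rectangle", "green circle", "yellow star",
           "black cross", "white disc", "orange triangle", "purple ring", "grey bar"]

# Constructed secret: the user must touch these symbols in this order.
SECRET = ("blue square", "red rectangle", "green circle", "yellow star")


class SymbolLock:
    def __init__(self, secret, shuffle, rng=None):
        self.secret = tuple(secret)
        self.shuffle = shuffle
        # SystemRandom for real use; a seeded Random is injected by the simulation.
        self.rng = rng if rng is not None else random.SystemRandom()
        self.layout = list(SYMBOLS)  # layout[position] -> symbol shown there
        self.new_layout()

    def new_layout(self):
        """Re-randomise which symbol sits at which position (if enabled)."""
        if self.shuffle:
            self.rng.shuffle(self.layout)
        return self.layout

    def unlock(self, touched_positions):
        """Map touches to symbols under the current layout, compare, then
        rotate the layout so that any smudge refers to a layout that is gone."""
        entered = tuple(self.layout[i] for i in touched_positions)
        ok = hmac.compare_digest("\x1f".join(entered).encode(),
                                 "\x1f".join(self.secret).encode())
        self.new_layout()
        return ok


def user_taps(lock):
    """Where a legitimate user has to touch on the current layout."""
    return [lock.layout.index(symbol) for symbol in lock.secret]


def attack_success_rate(shuffle, trials, seed=1):
    """Simulate `trials` smudge attacks: observe the user's touch positions,
    then replay those positions on the following attempt."""
    rng = random.Random(seed)  # seeded only so the simulation is repeatable
    hits = 0
    for _ in range(trials):
        lock = SymbolLock(SECRET, shuffle=shuffle, rng=rng)
        smudge = user_taps(lock)        # attacker later sees these positions
        assert lock.unlock(smudge)      # the legitimate unlock leaves the smudge
        if lock.unlock(smudge):         # attacker replays the same positions
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("fixed layout, replay succeeds:      %.3f" % attack_success_rate(False, 200))
    print("shuffled layout, replay succeeds:   %.3f" % attack_success_rate(True, 2000))
```

For a four-symbol secret on nine positions, a replay against a fresh random layout only works if the new permutation happens to put the same four symbols on the same four positions in order, a 1-in-3024 chance; the simulation reports roughly that. What the design does not protect against is an attacker who watches the screen during the unlock (shoulder surfing), since the symbol sequence is visible at that moment, so it should be read as a defence against residue on the glass, not against observation.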
How the smartphone recognises its user
To protect smartphones in the case of theft, for example, Christopher Wolf’s team tested whether a mobile phone is able to recognise its user. When typing on a smartphone, every person has a slightly different rhythm, types with different fingers and with a different number of fingers, and holds the phone in a certain way. Can the smartphone read these features to recognise whether the device is being operated by its usual user or by a stranger? The IT researchers from Bochum have identified 1,000 features by which a smartphone user can be described, for example the typing speed for certain letter combinations, the pressure applied to the display, and the angle at which the device is held. The necessary sensors are already built into every smartphone. The result: 80 per cent of users can be identified reliably from those features. The remaining 20 per cent, however, cannot. This is not enough, the researchers concluded. If the method is to be deployed to protect mobile phones from unauthorised access, the recognition rate has to be close to 100 per cent. Otherwise, it cannot be used for a large share of potential users and would therefore not gain general acceptance.