Mobile applications are quickly becoming the new Web, assuming many of the tasks that a few short years ago could only be carried out on a desktop or laptop computer. They give people the ability to view a restaurant menu, plan a trip, play a game and even conduct banking transactions from their mobile phones and tablets. According to a comScore survey of US mobile subscribers, people now use apps more than Web browsers on their mobile devices.
Unfortunately, apps are the most common way through which smartphones and the data stored on them are compromised. As people increasingly download these applications and allow access to personal information, ensuring app security is becoming a matter of great urgency. App downloads are not usually associated with malware in the public consciousness, but it is a growing danger across all mobile platforms and devices.
Android is the most popular smartphone platform with a 52% market share, followed by Apple iOS with 33.4%. Even though these platforms scan for known malware, infected apps have slipped past security measures of their official app stores. Furthermore, Android has fewer restrictions on the kinds of apps that developers can publish, as well as allowing users to enable “sideloading”, or the installation of applications from outside the official app market. This flexibility has made it the most popular platform for malware authors. TrendMicro found 25,000 Android malware in July 2012, including fake versions of legitimate apps. These malware send ads as urgent notifications, sign users up for premium services without their permission, steal personal and financial data, and spy on users’ GPS location, messages and call log. In the face of this looming threat, Dr. David Naumann, Professor of Computer Science at Stevens Institute of Technology, has won a grant from the National Science Foundation (NSF) to develop tools that cost-effectively evaluate the trustworthiness of mobile apps on the Android platform.
“Mobile apps are already a massive part of our lives, representing a market worth around $20 billion,” says Dr. Michael Bruno, Dean of the Charles V. Schaefer, Jr. School of Engineering and Science. “Dr. Naumann’s research will ensure that the vast potential of this burgeoning market is not marred by a lack of essential security.”
Android applications are generally built to be isolated from each other, so that code being run by one application cannot access information from another. However, programmers are also trying to write applications that conduct desirable interactions with other apps, for instance accessing information about the music one listens to and sharing it with friends. However, this same desirable capability can open the door to unwanted or even malicious access to personal or financial information. Dr. Naumann is attempting to codify the often subtle requirements for restricting or facilitating the flow of information to and from a mobile app. “Dr. Naumann is creating tools that allow useful interactions in order to expand mobile app functionality and experiences, while at the same time blocking apps that try to access sensitive data without permission,” says Dr. Dan Duchamp, Director of the Department of Computer Science. “This preserves users’ security as well as designers’ freedom to innovate.”
Dr. Naumann’s research focuses on enterprise scenarios, in which personnel at a business or a government agency use work-related apps and access enterprise networks. These settings often involve highly sensitive and valuable information that must be protected, and as mobile applications become highly interwoven in people’s lives, it is increasingly difficult to restrict their use or ban them altogether. These factors provide strong incentives for better evaluation and control of application information flow than are currently available in commodity app marketplaces. Tightening app security is essential to preserving security without encumbering workflow and effective communication. In response, Dr. Naumann will employ static analysis, running programs that analyze other programs—without actually executing them—to detect security flaws. Although fundamental results in computer science research have shown that it is impossible to write a program that is guaranteed to provide comprehensive information about another program, Dr. Naumann is making innovative strides toward techniques that will overcome these challenges and provide more security than is currently available.
“It is easy to look for known viruses or malware, but much more difficult to determine that a given piece of code will at some point violate a system’s security,” says Dr. Naumann. “Simply observing the behavior of an app is not always enough, because sophisticated malware can disguise its behavior and lay dormant before finally compromising a system’s security.”
When users of devices install apps, they are often asked to give broad permission to connect to the internet or access contacts. Meanwhile, the app needs access the internet for a very specific purpose—in the case of a music streaming and sharing app, access might be restricted to communicating with a home server and a specific friend’s device as initiated by the user. Dr. Naumann’s tools will more scrupulously express these information flow requirements, making sure that an app will only access sites permitted by the user.
Dr. Naumann’s information flow techniques allow software designers to precisely specify end-to-end requirements as well as component interfaces. They will be able to test and validate the reliability of a transmission on the sending and receiving hosts, enabling more efficient and effective mobile app services while ensuring a high-quality end-user experience. Moreover, software developers benefit from Dr. Naumann’s static analysis techniques, which help detect design flaws, bugs, malware in third-party software, and unintended functionality.
Although the project is focused on government agencies and the private sector, the results will indirectly benefit the general population by supporting national security and protecting private sector data. At the same time, these tools and techniques could one day be applied more widely to secure the average consumer’s devices. Personal information is increasingly being compromised, bought and sold, raising the importance of app security for the public.