But as they get even smarter, turning into not just our datebooks and GPS devices but also our wallets and who knows what else, are we compromising our own security for the sake of convenience? I think smart phones should be smart enough to keep our lives private, don’t you? Nobody wants to run around looking like the girl in that photo there, but until our phones are secure, we might as well be doing just that.
Professors Engin Kirda and William Robertson both began their computer science careers “attacking stuff,” as they put it. Now they spend their days trying to think like attackers in order to develop better defense tools. “To understand how you can even begin to defend against these attacks you have to know what the attacks are,” said Robertson. “You have to be able to look into your crystal ball, look five years in the future or ten years in the future, and say what are the possible attacks that could be coming down the pipeline. Our research focuses not only on defending but also on proposing new attacks that we can take into consideration.”
In February, Kirda, Robertson and their collaborators at UCSB, were awarded a $2Million grant from the Defense Advanced Research Projects Agency (DARPA) to spend 42 months building programs that analyze Android-based mobile phone apps for security vulnerabilities. At the end of the grant period, their programs will be compared with those of other “teams” based at MIT and Stanford. DARPA can use these programs to ensure that federal officials’ mobile devices are as secure as possible.
So, what distinguishes the Northeastern/UCSB approach from the other teams’? According to Robertson and Kirda, everyone else assumes that the people writing new apps aren’t themselves adversarial and that they will provide as much development and design info as necessary. “We take the view, which we think is the correct one, that the people writing the apps could very well be malicious. They could be our adversaries. So we take an adversarial approach where we don’t assume we’ll have access to source code. We won’t assume anything about the design of the program. We won’t assume there will be program annotations to make our lives easier. We assume it’s going to be a hard problem.”
At the moment, cell phones aren’t as valuable resources as desktop computers, said Kirda. So it’s not worth a hacker’s time to break into it. But as we become more and more dependent on our phones for increasingly sensitive information, the opportunities for attackers are expanding as well.
“There’s a lot of interest in making new devices robust and secure against attacks,” said Robertson. “And because they’re new devices, they’re not running the Windows OS for instance, there’s a lot of opportunity to do things better this time around. There’s a lot of interest in, on the one hand how to detect and prevent attacks, but also make the platform stronger from the beginning.”
With these kinds of programs, our smart phones might just be smart enough to keep our private lives private.