Show your face, not your life

Most of us have a cell phone these days. Most of them are “smart”

But as they get even smarter, turning into not just our date­books and GPS devices but also our wal­lets and who knows what else, are we com­pro­mising our own secu­rity for the sake of con­ve­nience? I think smart phones should be smart enough to keep our lives pri­vate, don’t you? Nobody wants to run around looking like the girl in that photo there, but until our phones are secure, we might as well be doing just that.

Pro­fes­sors Engin Kirda and William Robertson both began their com­puter sci­ence careers “attacking stuff,” as they put it. Now they spend their days trying to think like attackers in order to develop better defense tools. “To under­stand how you can even begin to defend against these attacks you have to know what the attacks are,” said Robertson. “You have to be able to look into your crystal ball, look five years in the future or ten years in the future, and say what are the pos­sible attacks that could be coming down the pipeline. Our research focuses not only on defending but also on proposing new attacks that we can take into consideration.”

In Feb­ruary, Kirda, Robertson and their col­lab­o­ra­tors at UCSB, were awarded a $2Million grant from the Defense Advanced Research Projects Agency (DARPA) to spend 42 months building pro­grams that ana­lyze Android-​​based mobile phone apps for secu­rity vul­ner­a­bil­i­ties. At the end of the grant period, their pro­grams will be com­pared with those of other “teams” based at MIT and Stan­ford. DARPA can use these pro­grams to ensure that fed­eral offi­cials’ mobile devices are as secure as possible.

So, what dis­tin­guishes the Northeastern/​UCSB approach from the other teams’? According to Robertson and Kirda, everyone else assumes that the people writing new apps aren’t them­selves adver­sarial and that they will pro­vide as much devel­op­ment and design info as nec­es­sary. “We take the view, which we think is the cor­rect one, that the people writing the apps could very well be mali­cious. They could be our adver­saries. So we take an adver­sarial approach where we don’t assume we’ll have access to source code. We won’t assume any­thing about the design of the pro­gram. We won’t assume there will be pro­gram anno­ta­tions to make our lives easier. We assume it’s going to be a hard problem.”

At the moment, cell phones aren’t as valu­able resources as desktop com­puters, said Kirda. So it’s not worth a hacker’s time to break into it. But as we become more and more depen­dent on our phones for increas­ingly sen­si­tive infor­ma­tion, the oppor­tu­ni­ties for attackers are expanding as well.

There’s a lot of interest in making new devices robust and secure against attacks,” said Robertson. “And because they’re new devices, they’re not run­ning the Win­dows OS for instance, there’s a lot of oppor­tu­nity to do things better this time around. There’s a lot of interest in, on the one hand how to detect and pre­vent attacks, but also make the plat­form stronger from the beginning.”

With these kinds of pro­grams, our smart phones might just be smart enough to keep our pri­vate lives private.