Privacy in Modern Smartphones

Status

This project started in autumn 2011 and was closed at the end of 2014.

Researchers

Prof. Srdjan Capkun
Dr. Aurélien Francillon
Claudio Marforio

Description

Today, smartphone operating systems allow users to install third-party applications directly from on-line applications markets. In order to perform their functions, applications typically need specific permissions such as network access or access to user’s personal data. However, given a large number of independent developers, applications cannot be trusted to behave according to their declared purpose. Furthermore, applications might leave traces of users’ personal information in different parts of the system and expose them to malicious applications that normally would not have access to such information.
This can lead to privacy breaches in which applications leak information about the user to third parties. Some types of such behaviors can be detected by application inspection and testing.
However, not all such behaviors can be detected and malicious applications can therefore find their way to the application markets.

In the context of this project, we address privacy issues related to untrusted applications on modern smartphones. In particular, the following points are being considered:
Propose advanced permission/access control models for smartphones that address application collusion, among other privacy threats. Propose advanced information flow analysis techniques that complement tainting and/or detect information leakage more comprehensively than tainting.

Publications

Claudio Marforio, Nikolaos Karapanos, Claudio Soriente, Kari Kostiainen, and Srdjan Capkun
Smartphones as Practical and Secure Location Verification Tokens for Payments
In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2014

Claudio Marforio, Nikolaos Karapanos, Claudio Soriente, Kari Kostiainen, and Srdjan Capkun
Secure Enrollment and Practical Migration for Mobile Trusted Execution Environments
In Proceedings of the third ACM workshop on Security and privacy in smartphones and mobile devices (SPSM), 2013

Claudio Marforio, Hubert Ritzdorf, Aurélien Francillon, and Srdjan Capkun
Analysis of the Communication between Colluding Applications on Modern Smartphones
In Proceedings of 28th Annual Computer Security Applications Conference (ACSAC), 2012

Claudio Marforio, Aurelién Francillon, Srdjan Capkun
Application Collusion Attack on the Permission-Based Security Model and its Implications for Modern Smartphone Systems
Technical Report 724, ETH Zürich, System Security Group, April 2011.