Smartphone Security


Smartphones are carried by billions of people every day and are used for both personal and business activities, more often than not on the same device. Many people use their smartphones for social media (e.g., Facebook, Twitter, Instagram), for their day-to-day private life (e.g., making and receiving calls and messages from relatives or friends, taking pictures, accessing their online banking accounts), and for their business activities (e.g., receiving and composing e-mails, reading work-related documents, accessing corporate functions or data through a VPN).

The introduction of smartphones followed years of technological advancement in both hardware and software, and many security concepts introduced for other platforms were ported to and refined for this new architecture. Examples include limiting access to peripherals through a well-defined set of APIs and permission controls, application sandboxing, the permission-based security model used by Android and Windows Phone, and the signature-based distribution of third-party applications used by iOS and Windows Phone. Over multiple iterations, hardware and software vendors have borrowed security principles from one another and have converged on similar security guarantees, both for the applications running on the mobile OS and for the data stored by users.

In this project, we focus on smartphone security. In particular, we look at how smartphones can enhance the security of our daily activities, and at how secure the data that users store on their smartphones actually is. Throughout our work we highlight the interaction of security with usability and deployability, two key properties that cannot be ignored when designing and analyzing a secure system. We will see that in some cases reducing or removing the user interaction a system requires makes it more secure. In other cases, in contrast, it is the user's interaction and attentiveness that play an important role in safeguarding the data stored on the smartphone.

Selected Publications

Luka Malisa, Kari Kostiainen, Michael Och, and Srdjan Capkun
Mobile Application Impersonation Detection Using Dynamic User Interface Extraction
European Symposium on Research in Computer Security (ESORICS), 2016

Claudio Marforio, Ramya Jayaram Masti, Claudio Soriente, Kari Kostiainen, and Srdjan Capkun
Evaluation of Personalized Security Indicators as an Anti-Phishing Mechanism for Smartphone Applications
SIGCHI Conference on Human Factors in Computing Systems (CHI), 2016

Luka Malisa, Kari Kostiainen, and Srdjan Capkun
Detecting Mobile Application Spoofing Attacks by Leveraging User Visual Similarity Perception
IACR Cryptology ePrint Archive, 2015

Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun
Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound
USENIX Security Symposium, 2015
Sound-Proof is now an active startup.

Claudio Marforio, Nikolaos Karapanos, Claudio Soriente, Kari Kostiainen, and Srdjan Capkun
Smartphones as Practical and Secure Location Verification Tokens for Payments
Network and Distributed System Security Symposium (NDSS), 2014

Jan-Erik Ekberg, Kari Kostiainen, and N. Asokan
The Untapped Potential of Trusted Execution Environments on Mobile Devices
IEEE Security & Privacy Magazine, 2014

N. Asokan, Lucas Davi, Alexandra Dmitrienko, Kari Kostiainen, Elena Reshetova, and Ahmad-Reza Sadeghi
Mobile Platform Security
Synthesis Lectures on Information Security, Privacy and Trust (Morgan & Claypool), 2013

Claudio Marforio, Nikolaos Karapanos, Claudio Soriente, Kari Kostiainen, and Srdjan Capkun
Secure Enrollment and Practical Migration for Mobile Trusted Execution Environments
ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), 2013

Claudio Marforio, Hubert Ritzdorf, Aurélien Francillon, and Srdjan Capkun
Analysis of the Communication between Colluding Applications on Modern Smartphones
Annual Computer Security Applications Conference (ACSAC), 2012

Joel Reardon, Claudio Marforio, Srdjan Capkun, and David Basin
Secure Deletion on Log-structured File Systems
ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2012