Mobile Security


Contributors: Luciano Bello, Palanivel A Kodeswaran, Larry Koved, Marco Pistoia, Kapil Singh, Calvin B. (Cal) Swart, Shari Trewin

Mobile Security - overview

The future of end-user computing lies with mobile devices, including smartphones and tablets. According to a 2010 whitepaper, "Smartphone sales have exceeded PC sales for the first time. This was not a fluke, but one indication that we are entering a “Post-PC”-era that will be dominated by highly-mobile, instant-on, and always connected, smartphones and tablets as the platform of choice to access network-based services. The impact of this on the enterprise is both inevitable and profound."

Current-generation mobile devices are attractively priced, often because of subsidies from mobile telecom providers, making them affordable to a very broad population. Both the functionality available at a fixed price and the price of a fixed function point keep dropping. As a result, we have reached the crossover point where smartphone sales exceed those of the less functional feature phones.

Just as the PC had profound effects on mainframe, minicomputer and distributed computing, mobile computing is reshaping the computing landscape. Mobile device form factor, functional capabilities, ubiquitous presence, instant-on capabilities, multi-network connectivity, device interaction and usability expectations are transforming the marketplace. Although we have seen earlier waves of mobile devices, from pagers up through tablet computers, the emerging computing market is being shaped by new business models and relatively new players in the mobile marketplace. The most rapidly growing part of the current market for devices and software, from smartphones to tablet computers, has emerged from the low end of the market (e.g., Apple, Android) rather than trickling down from desktop and laptop computers (e.g., MS Windows). Entrenched players are seeing their market share stagnate or decline (e.g., BlackBerry, Nokia).

These new mobile devices carry multiple sensors and are typically networked via at least one, and often several, networking interfaces such as 802.11, Bluetooth, near field communication, and 3G/4G. They are typically more connected, with more input sensors and output channels, than current-generation laptops. Smartphones include multi-touch screens, a gyroscope, accelerometers, GPS, microphones (often more than one), and one or more multi-megapixel cameras capable of still and video capture, and they can have auxiliary devices attached as well. These new capabilities are changing the way people authenticate to the device, and they have the potential to alter how authentication and authorization are provided, both locally on the device and to networked applications and services.

The operating systems in some mobile devices are highly functional (e.g., Linux-based), while others retain some vestiges of their low-end heritage. Irrespective of their heritage, all of these devices are power sensitive because the available power is limited. Security services that we take for granted on laptops, desktops and servers are rarely feasible on them because of limited storage, limited processing power and limited memory bandwidth (e.g., flash storage), in addition to the power constraints. While the devices are well connected via multiple networking technologies, the networks are not always available and often suffer from limited bandwidth and/or congestion. Networking is also a significant drain on the device's battery.

The core security requirements remain the same as for desktops and laptops: confidentiality, integrity, identity and non-repudiation. However, the technology trends outlined above create new challenges and opportunities and will result in a redefinition of security for personal computing devices. How these security requirements are achieved needs to be reconsidered in light of device capabilities, changing user expectations for device interaction (e.g., new interaction paradigms based on touch, audio and video), device form factor, advances in security technologies, and rapidly evolving threat vectors.

Research Agenda

Our current research is primarily focused on identity, non-repudiation and data protection. We are looking at the use of biometric authentication, risk-based authorization, and advanced data protection techniques.