Secure Mobile Applications for Corporate Travelers, 10-R8244
Sean C. Mitchem
Sandra G. Dykes
John G. Whipple
Inclusive Dates: 07/11/11 – 10/11/12
Background — Southwest Research Institute and its clients are seeing a surge in employee use of personal mobile devices for company business. Smartphones and tablets raise new security issues because they are often owned by employees and contain a mixture of personal and company information. The prevalence of this trend is illustrated by a new term coined to describe it: BYOD, for bring your own device. Small mobile devices are more likely to be lost or stolen, exposing sensitive company and client data. Malware risks are amplified because mobile devices connect to the Internet directly rather than from behind corporate firewalls and intrusion protection systems. Safeguarding mobile devices will require developing innovative security technologies that address these new usage patterns and device characteristics.
Approach — This project addressed multiple aspects of mobile device security, with a focus on the following areas:
- Malware threats to mobile devices
- Secure coding methodologies for mobile applications
- Data protection and user authentication utilizing device sensors
- Mobile device management systems trade space analysis
- Mobile applications for corporate travelers
Depending on the task, the approach combined web research, literature reviews, interviews with commercial companies, in-house testing of mobile device management systems, development of internal mobile apps for research and testing purposes, and experimentation.
Accomplishments — The project produced two white papers: "Malware Threats for Mobile Devices" and "Secure Coding for Mobile App Development." The first is a general assessment of malware-related threats to mobile devices and of the security protections provided by the iOS and Android® operating systems. The second white paper targets software developers and is intended as a primer on best practices for writing secure mobile applications. The research on mobile device management systems leveraged the information from these white papers to assess current solutions. This study produced a technology trade report that describes options and provides recommendations for enterprise organizations. Additionally, the project team produced the article "Mobile Applications Security: Safeguarding Data in a Mobile Device World," published in the March/April 2012 edition of CrossTalk, The Journal of Defense Software Engineering.
Aspects of this research required developing real applications to test understanding and validate new approaches. The team developed these as deployable apps, useful to SwRI employees while on travel. The mobile traveler apps were developed for iOS and Android and consist of Mobile SwRI WebID, SwRI Traveler, and Group Text Emergency Notification.
The most innovative result of this project is in the area of sensor-based authentication. The motivation was to make authentication easier for users without reducing data protection — effectively balancing risk and usability. Sensors on mobile devices provide measurements of device orientation, touch pressure, touch size, and other data. In sensor-based authentication, the project team used machine-learning methods to train a detector on sensor data. The model can then be applied to verify a user's identity and detect imposters. Data was collected from 15 volunteers who entered practiced text (e.g., a password) and free-form text. In both cases, the average classification accuracies were more than 99 percent. These results are striking for a preliminary study and indicate that the approach should be pursued further.
In a related approach called state-based authentication, sensor data was combined with system state to determine the required level of authentication. System state determines how easily sensitive areas of memory can be accessed. Sensors determine whether an attacker may be in possession of the device. For example, sensors can detect whether the device has been laid down since the last password entry. If sensor data guarantees that the owner has maintained possession, then no password is necessary. If not, device state is used to determine whether the user must enter a strong password or simple PIN.
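The state-based decision described above can be sketched as follows; this is an added example, not the project's code. The accelerometer stillness heuristic, the threshold values, the sample readings, and the `secrets_unlocked` flag (standing in for "system state", with exposed secrets mapped to the strong password) are all assumptions made for illustration.

```python
from enum import Enum

class Auth(Enum):
    NONE = "no password"
    PIN = "simple PIN"
    STRONG = "strong password"

# Assumed tuning values, not taken from the project.
JITTER = 0.05    # m/s^2; per-axis change below this counts as "still"
STILL_RUN = 5    # consecutive still readings that mean "laid down"
MAX_GAP = 1.0    # seconds; a longer gap leaves an unobserved interval

def possession_guaranteed(samples):
    """samples: (t, x, y, z) accelerometer readings since the last password entry."""
    if len(samples) < 2:
        return False                      # no evidence: fail closed
    still = 0
    for (t0, *a0), (t1, *a1) in zip(samples, samples[1:]):
        if t1 - t0 > MAX_GAP:
            return False                  # sensor record has a hole
        moved = max(abs(p - q) for p, q in zip(a0, a1)) >= JITTER
        still = 0 if moved else still + 1
        if still >= STILL_RUN:
            return False                  # device was laid down
    return True

def required_auth(samples, secrets_unlocked):
    """Pick the authentication level from sensor history and system state."""
    if possession_guaranteed(samples):
        return Auth.NONE
    # Assumption: secrets readable in memory warrant the stronger check.
    return Auth.STRONG if secrets_unlocked else Auth.PIN

def _held(t0, n):
    # Constructed readings: hand tremor alternates +/-0.2 m/s^2 on the x axis.
    return [(t0 + 0.1 * i, 0.2 * (-1) ** i, 0.1, 9.8) for i in range(n)]

# Constructed sample histories (not measured data).
HELD = _held(0.0, 20)
LAID_DOWN = _held(0.0, 10) + [(1.0 + 0.1 * i, 0.0, 0.0, 9.81) for i in range(10)]
GAPPED = _held(0.0, 5) + _held(30.0, 5)
```

An empty or gapped sensor history is treated the same as a laid-down device, since the text only skips the password when possession is guaranteed.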
In summary, this project has provided a deep understanding of the security issues unique to mobile devices. The white papers and reports will be made available to all SwRI divisions, improving the Institute's knowledge and capabilities in this area. Research results for user authentication will provide a foundation for pursuing externally funded research.