Breach of privacy? There’s an app for that. Identity theft? There’s one for that, too. In fact, viruses, spyware and worms are proliferating on smartphones. On Android phones alone, the number of known malicious programs jumped from 400 to more than 13,000 over the space of six months in 2011. These nasty bits of code can do anything from monitoring and reporting on your web browsing habits to allowing complete remote control of your phone.
“Smartphones are vulnerable to the same security risks as a laptop,” says David Lie, a professor of electrical and computer engineering, whose lab is studying smartphone security and working to find improvements. “But you always take your mobile phone with you. It knows all the people you talk to, all the places you go.” It has far more information about you than a laptop, which raises the stakes of a security breach.
Yet, while most people would never buy a computer without virus protection, they are much less likely to protect their smartphones – in part because existing virus protection programs are less effective or often don’t work on smartphones.
Many mobile operating systems address security issues by allowing users to set “permissions” that determine whether apps can do things such as connect to the Internet, identify a phone’s location, or access certain files. Lie says that’s a good start, but far from foolproof.
“A lot of smartphone privacy has been about restricting access to information. But current tools don’t look at what is done with information,” he says. “It tells you, for example, ‘This app can access your contacts and access the Internet,’ but what you really want to know is whether it is going to send your contacts to some stranger online.”
Smartphone apps seem safer because they usually come from a single source – an app store. But these online stores are not invulnerable. A powerful “remote monitoring solution” known as FinFisher, for example, has been found to worm its way into phones through a bogus upgrade to an otherwise benign app. (Repressive governments have been using the program to spy on dissidents, according to recent news reports.)
Because smartphones are becoming more central to commerce, social interaction and health services, Lie’s lab is working on smartphone security systems that provide more complete control over what apps can do with your information. “Banking and health data are sensitive things you don’t want to inadvertently share,” he notes.
While Lie acknowledges that user education can address some privacy issues, he also believes that software can help mitigate the risks. The challenge for his lab, though, is to create a security system that’s simple enough for inexperienced users, but flexible enough to suit those with very different privacy thresholds.
One simple-yet-flexible solution he is investigating would allow a prompt such as: “Don’t let any app share photos of my children with any computer other than my own laptop.” The phone would use facial recognition software and other smart tools to intelligently identify any attempts to breach this rule.
While all software solutions necessarily rely on user awareness of security issues, Lie believes that a new generation of flexible, intelligent, plain-language security software can go a long way toward enabling smartphone users to protect themselves.