Protecting mobile phone data against malicious apps
This commentary is part of a series in TODAY’s Science section, in collaboration with the National University of Singapore’s (NUS) School of Computing, that explores computer science research projects conducted here.
As mobile phones are increasingly used for a wide range of services beyond phone calls, such as banking and health data storage, hackers are seeking new ways to exploit the data in mobile devices. Decentralised access control in cloud-based applications, together with malware on mobile devices, has made data protection in the cloud/mobile environment a daunting task.
Attacks can arrive in a variety of ways, such as an SMS, WhatsApp or email message luring the user to open a link that installs malware. Once the user clicks on the link, the malware app is installed on the mobile phone, where it intercepts and steals personal data such as SMS messages, emails and contact information. On a “rooted” Android device, one that has been modified by the user to gain more privileges, malware apps can intercept all data and user behaviour on the device.
Attackers can even use SMS to remotely control infected mobile devices. As SMS is now increasingly used to deliver one-time passwords in financial services such as online banking, malware enables attackers to steal the one-time password from the victim. Recently in China, there was a surge of incidents involving unauthorised banking transfers made using intercepted SMS authorisation messages from banks.
Since existing Android devices rely on the Android system to protect user data, all users’ data may fall into the hands of attackers when the Android system is compromised by malware. At the NUS School of Computing, my colleague Assistant Professor Prateek Saxena and I started a project two years ago, aiming to enable mobile devices to offer strong data protection independent of their Android system, so that user data will not be affected by the most dangerous type of Android malware.
Our solution is based on a security feature of the ARM CPU, called TrustZone, which is being adopted in mobile phones these days. It allows a mobile device to operate in two domains, the Normal Domain and the Secure Domain.
In our solution, the Android system runs in the Normal Domain, while in the Secure Domain, we build a data safe, where information can be locked in and is accessible only to the user. As a result, the malware on the Android device cannot access data protected in the data safe without a user’s permission.
This data safe provides only four interfaces: secure input and output, secure network communication, secure data storage, and secure data processing. Together they form a tightly controlled channel for data access. Even when the Android system in the Normal Domain has malware or is fully compromised, attackers cannot directly access data in the Secure Domain. The user can still rely on the security of his information in the data safe guarded by these interfaces.
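The following C program is an added illustration of the two-domain design described above; it is not the NUS prototype's code and does not touch real TrustZone hardware. It models the Secure Domain as state reachable only through a single entry point, secure_monitor(), which accepts just the four service identifiers (the function and enum names are this example's own). The Normal Domain, where Android and any malware run, can only issue service requests: storing data locks it in, processing returns a derived value without revealing the data, and the only path that releases plaintext is gated on consent collected through the modelled secure user interface. The stored secret is a constructed sample value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The four interfaces of the data safe. Real TrustZone software would pass
 * such an id through a monitor call; here it is a plain function argument
 * (modelling assumption). */
enum secure_service {
    SVC_SECURE_IO      = 1,  /* user interacts with the safe via a trusted UI   */
    SVC_SECURE_NET     = 2,  /* data leaves the safe over a secure channel      */
    SVC_SECURE_STORAGE = 3,  /* data is locked into the safe                    */
    SVC_SECURE_PROCESS = 4   /* computation on the data without releasing it    */
};

enum svc_result { SVC_OK = 0, SVC_DENIED = -1, SVC_BAD_SERVICE = -2, SVC_BAD_ARG = -3 };

#define SAFE_SIZE 64

/* --- Secure Domain state. In hardware this would live in secure-only
 * memory; in this model, normal-world code simply holds no reference to it
 * and goes through secure_monitor() instead. --- */
static char   secure_safe[SAFE_SIZE];
static size_t secure_len = 0;
static int    user_approved = 0;   /* consent gathered on the trusted screen */

/* Trusted-UI model: "approve"/"revoke" stand in for the user's own button
 * presses on the secure display, which the normal world cannot forge. */
static int secure_io(const char *in)
{
    if (in == NULL) return SVC_BAD_ARG;
    if (strcmp(in, "approve") == 0) { user_approved = 1; return SVC_OK; }
    if (strcmp(in, "revoke") == 0)  { user_approved = 0; return SVC_OK; }
    return SVC_BAD_ARG;
}

/* Storage: lock data in. Fresh data is never releasable until the user consents. */
static int secure_storage(const char *in)
{
    if (in == NULL) return SVC_BAD_ARG;
    size_t n = strlen(in);
    if (n >= SAFE_SIZE) return SVC_BAD_ARG;
    memcpy(secure_safe, in, n + 1);
    secure_len = n;
    user_approved = 0;
    return SVC_OK;
}

/* Processing: hands back a derived value (a simple checksum here), never the
 * data itself, so no consent is required. */
static int secure_process(char *out, size_t out_len)
{
    unsigned sum = 0;
    for (size_t i = 0; i < secure_len; i++)
        sum = sum * 31u + (unsigned char)secure_safe[i];
    if (snprintf(out, out_len, "%08x", sum) >= (int)out_len) return SVC_BAD_ARG;
    return SVC_OK;
}

/* Network: the only path that releases plaintext, and only with consent. */
static int secure_net(char *out, size_t out_len)
{
    if (!user_approved) return SVC_DENIED;
    if (secure_len + 1 > out_len) return SVC_BAD_ARG;
    memcpy(out, secure_safe, secure_len + 1);
    return SVC_OK;
}

/* Single entry point from the Normal Domain; anything outside the four
 * services is rejected. */
int secure_monitor(int service, const char *in, char *out, size_t out_len)
{
    switch (service) {
    case SVC_SECURE_IO:      return secure_io(in);
    case SVC_SECURE_STORAGE: return secure_storage(in);
    case SVC_SECURE_PROCESS: return out ? secure_process(out, out_len) : SVC_BAD_ARG;
    case SVC_SECURE_NET:     return out ? secure_net(out, out_len) : SVC_BAD_ARG;
    default:                 return SVC_BAD_SERVICE;
    }
}

/* --- Normal Domain: Android, and any malware in it, can only do these. --- */
int android_lock_in(const char *data)           { return secure_monitor(SVC_SECURE_STORAGE, data, NULL, 0); }
int android_send(char *out, size_t out_len)     { return secure_monitor(SVC_SECURE_NET, NULL, out, out_len); }
int android_checksum(char *out, size_t out_len) { return secure_monitor(SVC_SECURE_PROCESS, NULL, out, out_len); }
int user_touches_secure_screen(const char *act) { return secure_monitor(SVC_SECURE_IO, act, NULL, 0); }

int main(void)
{
    char out[SAFE_SIZE];
    android_lock_in("OTP 482913");                         /* constructed sample secret */
    printf("request without consent: %d\n", android_send(out, sizeof out));
    android_checksum(out, sizeof out);
    printf("processing result only: %s\n", out);
    user_touches_secure_screen("approve");
    printf("after user consent: %d (%s)\n", android_send(out, sizeof out), out);
    return 0;
}
```

The point of the model is the shape of the boundary rather than the checksum: a compromised Normal Domain can ask the safe to store or process data, but it cannot name a fifth service, and it cannot make the safe hand plaintext over unless the user, on the trusted screen, has said so.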
This solution is currently in the prototype stage, and is the first step of our plan to offer strong data protection in the cloud/mobile environment. At the moment, there is no solution like this on the market. Our research will create solutions that enable users to take back control over their data, while enjoying convenience and productivity brought forward by such environments.
ABOUT THE AUTHOR
Dr Liang Zhenkai is an Associate Professor at the School of Computing, National University of Singapore. He is also a member of the Cyber-Security Research Group.