User-friendly Secure Mobile Environments (Final Report for JRC u’smile)

TitleUser-friendly Secure Mobile Environments (Final Report for JRC u’smile)
Publication TypeReport
Year of Publication2017
AuthorsMayrhofer, R, Weippl, ER, Buhov, D, Findling, RD, Hintze, D, Hölzl, M, Merzdovnik, G, Muaaz, M, Roland, M
Date Published10/2017
InstitutionUniversity of Applied Sciences Upper Austria and SBA Research, JR-Center u'smile
CityHagenberg
TypeFinal Report
Abstract

The mission of this Josef Ressel Center for User-friendly Secure Mobile Environments (u'smile) was the analysis of security issues in current and future mobile applications; the design, development, and evaluation of concepts, methods, protocols, and prototypical implementations for addressing them; and communication and co-ordination with industry partners and standardization organizations towards establishing globally accepted standards for secure, interoperable, mobile services. Broadly summarizing, JRC u'smile succeeded with many specific contributions towards this vision, and in producing a final prototype of the Austrian mobile driving license on Android smartphones, which brings together the lines of research pursued within the 5 years. In the following report, we summarize these research directions by work packages, focusing on innovations since the two-term evaluation report. Detailed research results have been presented in peer-reviewed publications as well as technical reports, which form an appendix to this summary report.

Over the last 5 years we published 18 journal articles, 61 papers in conference proceedings, 5 PhD theses, 2 books, and 22 technical reports and specification documents summarizing our findings and introducing new concepts, methods, and protocols to overcome security issues in mobile devices and applications, and to improve usability of security mechanisms on mobile devices both for end-users and developers. Further, a total number of 24 master's and 14 bachelor's theses have been completed within the scope of the JRC u'smile. Moreover, we were able to present the project and its results to a broad audience by organizing the Android Security Symposium in 2015 and 2017. Additional indicators of success are numerous invitations to talks -- including keynote speeches at academic conferences and other events as well as TEDxLinz --, media articles, invitations to participate in discussions with policy makers, and an increased international recognition of Austrian research contributions in the area of mobile device security.

JRC u'smile was split into two modules:

  • Module 1 (Hardware, Platform, and Protocol Security Support for Mobile Devices) aimed to analyze and improve the current state-of-the-art of security in mobile devices specifically on the hardware, middleware, API, network protocol, and user interaction levels. Major contributions within all 5 years include significant advances in biometric, token, and multi-device based authentication methods for smart phones, a comprehensive analysis and protocol design towards an open ecosystem for tamper-resistant hardware in mobile devices, high-level results on securing mobile user interactions, and the integrative research on digital identities for real-world interaction, demonstrated in the Austrian mobile Driving License (AmDL) system.
  • Module 2 (Security Support for Mobile Services, Libraries and Applications) aimed to improve application security on the higher layers of the smartphone stack, complementing module 1 in tackling the whole stack across the JRC. The work in this module resulted in improvements to users security and privacy, enhancements for secure network communications of applications, self-defense of users concerning security and privacy issues in applicatins and the creation of analysis tools to detect implementation flaws as well as malicious applications.

As predicted in the original project proposal, the mobile landscape is changing rapidly and mobile device security has experienced significant developments beyond the JRC u'smile over the last few years. While the initial motivations and visions remained valid and continued to drive the overall focus of the JRC u'smile, new fields -- particularly in the areas of user and cross-device authentication as well as network level privacy implications -- have opened, public interest in certain areas -- such as digital identities -- has dramatically increased, and requirements have changed. At the same time, some of the initially proposed research areas -- most prominently virtualization on smart phones -- had to be abandoned due to the shift of resources into new directions and due to unforeseen inaccessibility of proprietary technologies based on competitive market forces.

We are happy to report that most milestones were met and that the critical path of our planned research has been fulfilled despite these rapid and often unpredictable developments in the mobile domain. Nevertheless, several changes to the original project plan proposed in the project application were necessary:

  • Some work packages in both modules were merged in order to account for tight relationships and to benefit from improved outcomes through a holistic approach.
  • A new industry partner -- Österreichische Staatsdruckerei GmbH -- could be acquired in the area of digital identity use-cases. This allowed us to install a new work package 1.9 focusing on providing digital identity documents and services on/with mobile devices.
  • The original concept of virtualization on smart phones to compartmentalize single devices into multiple 'security zones' was successfully prototyped and evaluated on the user interaction level to give guidance on future products, but could unfortunately not be implemented in a full-stack prototype due to unavailable low-level access to the boot loader and TrustZone layers.

The addition of the new work package on digital identities also resulted in an additional project outcome: the Austrian Mobile Driving License (AmDL), a prototype of a privacy-preserving mobile driving license. This shared demonstrator successfully integrates and show-cases results spanning across all work packages and across both modules of the JRC u'smile. Moreover, with this demonstrator we achieved the goal of the initial motivating vision of the JRC u'smile: to -- globally, securely, and intuitively usably -- substitute current wallets and key chains by suitable services and applications on mobile phones.

Finally, specific follow-up projects with partners from the JRC u'smile include the proposal for a new Christian Doppler Laboratory 'Digidow' to extend the JRC vision of digital identities far beyond mobile devices and into cloud services, and the extension of the JRC TARGET with a third module to transfer our collected knowledge on application analysis and system security improvements.