Hagenberg University researching smartphone security

Josef Ressel is credited with inventing the screw propeller. His idea revolutionized modern shipping at the beginning of the 19th century. In the spirit of this important figure, applied research is being conducted at a total of six Josef Ressel centers in Austria.

Security in mobile communications
The Josef Ressel Center for User-friendly Secure Mobile Environments (or u`smile for short), which is part of the Mobile Computing program at the Upper Austrian University of Applied Sciences in Hagenberg, was recently unveiled. Its goal is to make mobile applications and platforms more secure and also easier to operate in cooperation with partners from the private sector. It has currently been allocated funding in the amount of EUR 1.43 million. Half of this is being provided by the Ministry of the Economy, and the other half by the business partners NXP Semiconductors Austria, A1, Drei-Banken-EDV and LG Nexera Business Solutions.

Research focus
Smartphones and tablets have become a constant companion almost everywhere in recent years. The mobile devices are to replace everyday items like the keychain, passport, wallet and credit card. For this, the devices constantly access extremely sensitive information, and different applications save, send and access this information.

The most difficult thing in this is striking the right balance between data protection on the one hand and user friendliness on the other. "Right now, such sensitive applications are either easy to use or secure, but not both," explained René Mayrhofer, director of the Josef Ressel Center for User-friendly Secure Mobile Environments. "With our research, we hope to make applications and services on mobile devices secure and also easy to use for the majority of the population." Mayrhofer also noted that the publication of research results is subject to strict scientific criteria, and that such results will be made available under an open source license if possible.

Smartcard technologies
In the first two years, the 21 researchers will focus on how it can be ensured that sensitive apps communicate with the correct device components within an Android environment. "For example, a person who installs games from third-party programmers and also completes banking transactions on the same device runs the risk that the third-party apps run in the background and record and send the entered passwords. Smartcard technology could ensure that sensitive data like passwords and PIN codes cannot be read or transmitted by Trojan horses," René Mayrhofer said. To this end, the smartcard is permanently integrated into the device, and offers storage space for sensitive data and also includes a small co-processor with an encryption function. Newer smartphones are already equipped with smartcards. Otherwise, smartcards can be retrofitted in the form of Micro SD cards or extended SIM cards.

Secure authentication
In order to ensure secure access to the smartcard, researchers at the Josef Ressel Center for User-friendly Secure Mobile Environments are working on user-friendly, biometric authentication models. "IT security requirements are especially high in the banking industry, so when a choice has to be made between secure and user friendly, secure usually wins out," explained Alexander Wiesinger from Drei-Banken-EDV, one of the funding business partners of the Josef Ressel Center. A prototype for a 3D facial recognition system is to be developed in the coming six months. 3D facial recognition only works with real people, and is therefore considered to be especially secure. Because 2D facial recognition systems can be tricked and circumvented with a printed photograph.

Another idea for secure and user-friendly authentication models is gait recognition. In this case, the smartphone would record and compare the gait of the person carrying the phone. As soon as the user takes the smartphone out of his pocket, the device would know if the correct owner is using it.

The applied research into secure authentication models is especially likely to yield promising results for banking services, according to Mr. Wiesinger from Drei-Banken-EDV: "Secure and simple authentication models would allow banking customers to complete transactions via their smartphones that still have to be completed in a bank branch today. Secure authentication methods for mobile devices could allow the smartphone to entirely replace the customer card and customer signature combination."

Virtualization
Another way to make mobile devices more secure is the virtualization of a second Android instance that runs on the same device in parallel with the first instance. This would allow two separate zones on the smartphone: one where third-party games can be installed, and another that is used solely for mobile banking and similar purposes. This would prevent questionable applications from accessing the sensitive data in the second instance, even if they had extended root privileges.

Bring your own device
Virtualization would also open up new possibilities for the bring your own device policy in companies. The different Android instances on a smartphone would make it possible to create a separate area that is used solely for business purposes.

And to make the use of two different instances on the same device as intuitive as possible, a usability study that has garnered international attention is already being completed at the Hagenberg University of Applied Sciences. "One option is to mark the different zones with differently colored borders. Another that we are experimenting with is a separate display in the Notification Bar. The broad-based study will show which of the variants makes it the easiest for users to differentiate between the different instances," explained René Mayrhofer, head of the Josef Ressel Center for User-friendly Secure Mobile Environments.

Professor René Mayrhofer is the head of the new Josef Ressel Center for User-friendly Secure Mobile Environments at the Hagenberg University of Applied Sciences