DOI: 10.1145/2493190.2493223
Research article
Know your enemy: the risk of unauthorized access in smartphones by insiders

Published: 27 August 2013

ABSTRACT

Smartphones store large amounts of sensitive data, such as SMS messages, photos, or email. In this paper, we report the results of a study investigating users' concerns about unauthorized data access on their smartphones (22 interviewed and 724 surveyed subjects). We found that users are generally concerned about insiders (e.g., friends) accessing their data on smartphones. Furthermore, we present the first evidence that the insider threat is a real problem impacting smartphone users. In particular, 12% of subjects reported a negative experience with unauthorized access. We also found that younger users are at higher risk of experiencing unauthorized access. Based on our results, we propose a stronger adversarial model that incorporates the insider threat. To better reflect users' concerns and risks, a stronger adversarial model must be considered during the design and evaluation of data protection systems and authentication methods for smartphones.


Published in: MobileHCI '13: Proceedings of the 15th International Conference on Human-Computer Interaction with Mobile Devices and Services, August 2013, 662 pages. ISBN 9781450322737. DOI: 10.1145/2493190.

Copyright © 2013 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: MobileHCI '13 paper acceptance rate 53 of 238 submissions (22%); overall acceptance rate 202 of 906 submissions (22%).
