About this book

This book constitutes the thoroughly refereed post-conference proceedings of the Third International ICST Conference on Security and Privacy in Mobile Information and Communication Systems (MOBISEC 2011) held in Aalborg, Denmark, in May 2011. The 15 revised full papers were carefully selected from numerous submissions and cover the most active areas of research in mobile security with its 3 focus areas machine-to-machine communication security, policies for mobile environments, and mobile user authentication and authorization.

Table of contents

Frontmatter

Conference Papers

Android Market Analysis with Activation Patterns

The increasing market share of the Android platform is partly caused by a growing number of applications (apps) available on the Android market: by now (January 2011) roughly 200.000. This popularity in combination with the lax market approval process attracts the injection of malicious apps into the market. Android features a fine-grained permission system allowing the user to review the permissions an app requests and grant or deny access to resources prior to installation. In this paper, we extract these security permissions along with other metadata of 130.211 apps and apply a new analysis method called Activation Patterns. Thereby, we are able to gain a new understanding of the apps through extracting knowledge about security permissions, their relations and possible anomalies, executing semantic search queries, finding relations between the description and the employed security permissions, or identifying clusters of similar apps. The paper describes the employed method and highlights its benefits in several analysis examples – e.g. screening the market for possible malicious apps that should be further investigated.
Peter Teufl, Stefan Kraxberger, Clemens Orthacker, Günther Lackner, Michael Gissing, Alexander Marsalek, Johannes Leibetseder, Oliver Prevenhueber

Gesture Authentication with Touch Input for Mobile Devices

The convergence of our increasing reliance on mobile devices to access online services and the increasing number of online services bring to light usability and security problems in password entry. We propose using gestures with taps to the screen as an alternative to passwords. We test the recall and forgery of gesture authentication and show, using dynamic time warping, that even simple gestures are repeatable by their creators yet hard to forge by attackers when taps are added.
Yuan Niu, Hao Chen

A Context-Aware Privacy Policy Language for Controlling Access to Context Information of Mobile Users

This paper introduces a Context-aware Privacy Policy Language (CPPL) that enables mobile users to control who can access their context information, at what detail, and in which situation by specifying their context-aware privacy rules. Context-aware privacy rules map a set of privacy rules to one or more user’s situations, in which these rules are valid. Each time a user’s situation changes, a list of valid rules is updated, leaving only a subset of the specified rules to be evaluated by a privacy framework upon arrival of a context query. In the existing context-dependent privacy policy languages a user’s context is used as an additional condition parameter in a privacy rule, thus all the specified privacy rules have to be evaluated when a request to access a user’s context arrives. Keeping the number of rules that need to be evaluated small is important because evaluation of a large number of privacy rules can potentially increase the response time to a context query. CPPL also enables rules to be defined based on a user’s social relationship with a context requestor, which reduces the number of rules that need to be defined by a user and that consequently need to be evaluated by a privacy mechanism. This paper shows that when compared to the existing context-dependent privacy policy languages, this number of rules (that are encoded using CPPL) decreases with an increasing number of user-defined situations and requestors that are represented by a small number of social relationship groups.
Alireza Behrooz, Alisa Devlic

Android Security Permissions – Can We Trust Them?

The popularity of the Android System in combination with the lax market approval process may attract the injection of malicious applications (apps) into the market. Android features a permission system allowing a user to review the permissions an app requests and grant or deny access to resources prior to installation. This system conveys a level of trust due to the fact that an app only has access to resources granted by the stated permissions. Thereby, not only the meaning of single permissions, but especially their combination plays an important role for understanding the possible implications. In this paper we present a method that circumvents the permission system by spreading permissions over two or more apps that communicate with each other via arbitrary communication channels. We discuss relevant details of the Android system, describe the permission spreading process, possible implications and countermeasures. Furthermore, we present three apps that demonstrate the problem and a possible detection method.
Clemens Orthacker, Peter Teufl, Stefan Kraxberger, Günther Lackner, Michael Gissing, Alexander Marsalek, Johannes Leibetseder, Oliver Prevenhueber

Private Pooling: A Privacy-Preserving Approach for Mobile Collaborative Sensing

Due to the emergence of embedded sensors in many mobile devices, mobile and people-centric sensing has become an interesting research field. A major aspect in this field is that quality and reliability of measurements highly depend on the device’s position and sensing context. A sound level measurement, for instance, delivers highly differing values whether sensed from inside a pocket or while carried in a user’s hand. Mobile collaborative sensing approaches try to overcome this problem by integrating several mobile devices as information sources in order to increase sensing accuracy. However, sharing data with other devices for collaborative sensing in return raises privacy concerns. By exchanging sensed values and context events, users might give away sensitive data, which should not be linkable to them. In this paper, we present a new mobile collaborative sensing protocol, Private Pooling, which protects the users’ privacy by decoupling the data from its contributors in order to allow for anonymous aggregation of sensing information.
Kevin Wiesner, Michael Dürr, Markus Duchon

Agent Based Middleware for Maintaining User Privacy in IPTV Recommender Services

Recommender services that are currently used by IPTV providers help customers to find suitable content according to their preferences and increase overall content sales. Such systems provide competitive advantage over other IPTV providers and improve the overall performance of the current systems by building up an overlay that increases content availability, prioritization and distribution that is based on users’ interests. Current implementations are mostly centralized recommender service (CRS) where the information about the users’ profiles is stored in a single server. This type of design poses a severe privacy hazard, since the users’ profiles are fully under the control of the CRS and the users have to fully trust the CRS to keep their profiles private. In this paper, we present our approach to build a private centralized recommender service (PCRS) using collaborative filtering techniques and an agent based middleware for private recommendations (AMPR). The AMPR ensures user profile privacy in the recommendation process. We introduce two obfuscation algorithms embedded in the AMPR that protect users’ profile privacy as well as preserve the aggregates in the dataset in order to maximize the usability of information for accurate recommendations. Using these algorithms provides the user complete control on the privacy of his personal profile. We also provide an IPTV network scenario that uses AMPR and its evaluations.
Ahmed M. Elmisery, Dmitri Botvich

Privacy Enhanced Device Access

In this paper we present the case for a device authentication protocol that authenticates a device/service class rather than an individual device. The devices in question are providing services available to the public. The proposed protocol is an online protocol and it uses a pseudo-random temporary identity scheme to provide user privacy.
Geir M. Køien

Energy Efficiency Measurements of Mobile Virtualization Systems

The energy efficiency has become an important aspect in data centers and large server systems, including the ones used in infrastructure for mobile applications service providers. Virtualization is one of the main research directions for both large scale data centers and applications servers. Furthermore, virtualization is also popular on desktop systems and is now considered in embedded systems. The next step will be to use virtualization on battery powered systems or mobile devices, where power consumption is an important aspect. This paper explores how virtualization influences the power consumption of both physical systems and virtual systems and which is the most efficient way to implement virtualized applications. The paper proposes a test bench and a set of test cases which can be further used to evaluate and compare different virtualization solutions together with several power management mechanisms using specific energy efficiency metrics.
Marius Marcu, Dacian Tudor

Digital Holography for Security Applications

A survey of Digital Holography (DH) and its employment in different application fields is provided. This paper reviews the main principles of the DH focusing on the optical techniques for security purposes. Recording and processing of three dimensional data, secured storage data, the use of Multimedia Sensor Network (MSN) for encrypted data transmission, and thus remote reconstruction of 3D images, are relevant examples in which DH represents an attractive solution. In this work, the state of the art and major research challenges for this type of applications are shown and at the end fundamental open issues are discussed in order to outline the future research trends in this topic.
Roberto Maurizio Pellegrini, Samuela Persia, Silvello Betti

Formal Security Analysis of OpenID with GBA Protocol

The paper presents the formal security analysis of 3GPP standardized OpenID with Generic Bootstrapping Architecture protocol which allows phone users to use OpenID services based on SIM credentials. We have used an automatic protocol analyzer to prove key security properties of the protocol. Additionally, we have analyzed robustness of the protocol under several network attacks and different threat models (e.g., compromised OP, user entity). The result shows the protocol is secure against key security properties under specific security settings and trust assumptions.
Abu Shohel Ahmed, Peeter Laud

Can a Mobile Cloud Be More Trustworthy than a Traditional Cloud?

Cloud computing is deemed to be the next big trend nebulous. Various sectors have expressed interest in its adoption, including banking, the government, education, manufacturing and telecommunication. With the promise of cost saving and flexibility also comes the greater challenge of security, in particular "trust". One of the common questions asked by many users is "Can the cloud be trusted?" Telecommunication service providers have been trusted for many years, and have been adopted by millions of users worldwide. With the emerging vision of new mobile cloud providers, the ultimate question lies in asking, can a mobile cloud provider be a more trustworthy provider than the traditional ones?
Mufajjul Ali

Fingerprint Recognition with Embedded Cameras on Mobile Phones

Mobile phones with a camera function are capable of capturing image and processing tasks. Fingerprint recognition has been used in many different applications where high security is required. A first step towards a novel biometric authentication approach applying cell phone cameras capturing fingerprint images as biometric traits is proposed. The proposed method is evaluated using 1320 fingerprint images from each embedded capturing device. Fingerprints are collected by a Nokia N95 and an HTC Desire. The overall results of this approach show a biometric performance with an Equal Error Rate (EER) of 4.5% by applying a commercial extractor/comparator and without any preprocessing on the images.
Mohammad Omar Derawi, Bian Yang, Christoph Busch

Policy Driven Remote Attestation

Increasingly organisations need to exchange and share data amongst their employees as well as with other organisations. This data is often sensitive and/or confidential, and access to it needs to be protected. Architectures to protect disseminated data have been proposed earlier, but absence of a trusted enforcement point on the end-user machine undermines the system security. The reason is that an adversary can modify critical software components. In this paper, we present a policy-driven approach that allows us to prove the integrity of a system and which decouples authorisation logic from remote attestation.
Anandha Gopalan, Vaibhav Gowadia, Enrico Scalavino, Emil Lupu

ID-Based Deniable Authentication Protocol Suitable for Mobile Devices

This paper describes a secure identity based deniable authentication protocol whose security is based on difficulty of breaking Diffie-Hellman Problem on Elliptic Curve (ECDHP) and hash function. Elliptic curve cryptosystem (ECC) has significant advantages like smaller key sizes, faster computations compared with other public-key cryptography. Since it is an ECC based authentication protocol, it can be implemented in mobile devices such as smart card, PDA etc. Deniable authentication protocol enables a receiver to identify the true source of a given message, but not to prove the identity of the sender to a third party. This property is very useful for providing secure negotiation over the Internet.
Jayaprakash Kar

Mobile Security with Location-Aware Role-Based Access Control

This paper describes how location-aware Role-Based Access Control (RBAC) can be implemented on top of the Geographically eXtensible Access Control Markup Language (GeoXACML). It furthermore sketches how spatial separation of duty constraints (both static and dynamic) can be implemented using GeoXACML on top of the XACML RBAC profile. The solution uses physical addressing of geographical locations which facilitates easy deployment of authorisation profiles to the mobile device. Location-aware RBAC can be used to implement location dependent access control and also other security enhancing solutions on mobile devices, like location dependent device locking, firewall, intrusion prevention or payment anti-fraud systems.
Nils Ulltveit-Moe, Vladimir Oleshchuk

Backmatter
