Singapore Academic Cybersecurity R&D
Harnessing R&D to Secure our Nation
NRF2016NCR-NCR002-022
Building Next-generation Secure Environments on Smartphones for Critical Mobile Applications
- Lead PIs: Albert Ching, i-Sprint Innovations, and Yingjiu Li, Associate Professor, SMU (yjli@smu.edu.sg)
- Host Institution: i-Sprint Innovations
- Partner Institution: School of Information Systems, SMU
I. Goal
Most smartphone attacks originate from malicious apps, while smartphone operating systems have numerous vulnerabilities.
- Dramatic increase in mobile malware with 37M malware detected over 6 months (McAfee 2016)
- The SMU team discovered hundreds of unprotected APIs in Android OS that can be exploited by malicious apps (acknowledged by Google and Huawei in 2016)
- It is impossible to make commodity OS vulnerability-free (Virgil Gligor 2014)
Existing solutions isolate apps and data in a secure environment to mitigate potential attacks
- Samsung Knox container relies on TrustZone to separate a secure environment from other environments
- i-Sprint’s YESsafe AppPortal+ relies on a security sandbox at OS level to protect app data and code execution in a secure environment
- Boxify is a secure sandbox at application level to encapsulate apps
Existing solutions let multiple environments share computing resources (OS, CPU/GPU, memory, storage) at the same time
- Security problems: it is highly challenging to protect all possible app-to-OS, and app-to-app interactions (too many, too complicated)
- Performance problems: too many or overly complicated security checks incur a high overhead and thus lower smartphone performance
Our proposed solution makes full use of computing resources for any single environment, and enables secure and fast switching among multiple environments
- Security benefits: we can isolate different types of benign apps (e.g., smart nation, mobile banking, IoT, BYOD) in different secure environments from most malware in a personal environment, leading to much simpler security checking in each secure environment.
- Performance benefits: smartphone performance in secure environments can be significantly improved due to (i) making full use of computing resources for any single environment, and (ii) simplified security checking within each secure environment.
We aim to build Next-Generation Secure Environments on Smartphones for Critical Applications by implementing a secure mobile multi-environment switching system that helps users isolate sensitive/critical apps. The key focuses of this project are:
- Security
  - Eliminate potential attacks on a secure environment from apps in other environments.
  - Avoid information leakage during switching.
  - Complete suite of security ranging from authentication, access control, policy control, data protection, single sign-on and more.
- High performance
  - Full use of computing resources for a single environment.
  - Simplified security checking within each secure environment.
- High scalability
  - Storage space can support many secure environments.
- Fast switching
  - Use screen lock instead of rebooting to switch environments.
  - Reduce switching time from over 1 minute to a few seconds.
- Easy to deploy and use
  - Support any block file systems for mainstream mobile phones.
  - Use secure NFC to activate or switch to a secure environment.