Can You Trust That App?

UCSB researchers receive $1 million to study smartphone security issues
Wednesday, July 30, 2014 - 09:30
Santa Barbara, CA

You’re on your smartphone, browsing through Facebook. In a fit of productivity, you search for, say, a project management app to help you use your non-Instagram and cat video time more effectively. You download and install the first one you come across … only to find that it doesn’t do anything. No reminders, no calendar, no clock, nothing.

Oh, well. You exit the app and go back to Facebook.

Sounds innocuous enough, right? What you might actually have done, however, is give a hacker access to your phone and all the important pieces of information it contains about you, your friends and family. And while the thief’s initial take can be relatively small compared to the kind of money he or she can make from hacking into your computer, over time, you could be leaking a lot of money without knowing it.

“The victims of these types of malware and scams could be counted in the hundreds of millions,” said Giovanni Vigna, a UC Santa Barbara professor of computer science who specializes in cybersecurity.

Smartphone hacking is one of the fastest-growing issues in terms of cybersecurity, he said, especially with the advent of cloud storage. In Europe, and increasingly in the United States, hackers are able to bypass two-stage identification, whereby a text message is sent to one’s smartphone bearing a private code for entry into account websites.

It is a problem that Vigna, UCSB computer science professor Christopher Kruegel and researchers from Northwestern University are getting ready to tackle with funding from a $1.4 million grant from the National Science Foundation.

“The thing we’ll be seeing more and more are attempts to violate trust assumptions,” said Vigna, who is a member of UCSB’s Computer Security Group.

And what are these “trust assumptions”?

“Trust is the assurance that a certain application or platform will act as expected,” Vigna said. These are the cues, he said, that prompt the user to drop their guard and volunteer sensitive information. These cues can range from icons on pages that proclaim the authenticity of the site or the security of the download to the very recognizable logos of certain sites and apps.

“People use their phones to click on the Facebook icon, for instance, and the Facebook application starts, and they inherently assume that it’s Facebook running on their phone,” Vigna said. However, he and his team have found that users are also likely to click on a familiar icon that leads to a faux application.

The goal of these stealth attacks is to steal either your money or your information. Money is an obvious motivation, but personal information can be used to steal one’s identity or log in and exploit email or social media. Hackers leverage the trust between accounts in social networks to get the victim’s friends and contacts to click on malicious links.

Among the topics the researchers intend to study is what Vigna calls an “ecosystem of trust” unique to the smartphone world.

“There’s the guy who writes the application, benign or malicious,” said Vigna. “And then he puts it in an app store, so there’s a relationship of trust between those two. And then there’s you, the user, going to the market and downloading one or more apps, and you have some relationship of trust with those. If I’m a benign application developer and I use a certain ad framework to make money from my application, and then that ad framework starts sending malicious advertisements or links to malware, who’s responsible for this? Where’s the trust there? How do you control this trust? How can you be assured that the ad network is going to perform as stated?”

There is some comprehension of the issues, according to Vigna, but there is also a demand for more scientific modeling of these relationships and understanding of what their implications are. That way, flaws can be identified and fixed.

While the issues being studied are applicable to all smartphones, the group will examine trust in the Android world in particular.

“The main point is the tradeoff between openness and security issues. The fact is that Android is a wonderful open platform that allows anybody to do anything — including hacking the cellphones of unsuspecting Android users,” said Vigna. Android’s popular rival Apple iOS, he added, is less penetrable.

The researchers hope to identify not only flaws in the system but also mechanisms to fix or avoid them. Though it’s not guaranteed, they may even develop their own app that can be used to analyze other apps’ behaviors for flaws or potential untrustworthiness.

In the meantime, smartphone users can defend themselves by becoming more mindful of the apps they install, said Vigna. One way to do this is by choosing the better-known app markets and avoiding less reputable third-party sites.

Additionally, the number of downloads can be an indicator of an app’s legitimacy. If something has millions of downloads, it’s likely to be more trustworthy than a similar app with only a few thousand.

Some shady malware developers use intentional typos to entice people into downloading their app, said Vigna. “Angry Birds” becomes “Angry Bords” or some other variation in spelling. It’s clearly not the superpopular smartphone game, but it’s close enough to fool some users into installing it.

And application hygiene is also important, according to Vigna. Often, a user will download an app that promises great things only to be disappointed when it doesn’t work. However, it might be a malicious bit of code that captures user information, so if an app isn’t working as promised, uninstall it.

Of course, to bypass the entire issue of trust altogether, one can simply go low-tech with a cellphone that handles only the basics.

“But then you would be able to do so much less,” said Vigna. Today’s smartphones allow users to do many things they couldn’t before, such as access the world’s libraries, monitor their fitness and learn a new language.

“Without your smartphone, you wouldn’t have ways to tell your friends where you are all the time and post pictures of embarrassing situations that you would regret later,” he quipped.

Contact Info: 

Sonia Fernandez
(805) 893-4765
sonia.fernandez@ucsb.edu

 
