Posts Tagged: Smartphone

SMDSP Last day

Posted by Lorenz Cuno Klopfenstein

Torre Archimede sign, University of Padua

Like all beautiful things, the International Summer School on Smart & Mobile Device Security and Privacy is approaching its end.

For the last two days of lectures, the floor was given directly to the attending students. During this Ph.D. Forum, promisingly nicknamed “The Grill”, everybody was given the chance to present their own research work in a ten-minute presentation and to expose themselves to comments and (thorough and well-meant) critique. Most of the students talked about issues related to mobile security, addressed at different levels: from hardware, through malicious software detection (by static or dynamic means) and the use of machine learning techniques to detect malicious activity, to the analysis of permissions in order to detect possible attacks.

To conclude with the lecturers, prof. Prakash from the University of Michigan gave us a general overview of the Android security model, showing us the best-known attack strategies, such as exploiting communication channels established by applications, or using side channels. He concluded by describing some of the most widely used defence strategies.

On Friday, prof. Poovendran from the University of Washington moved to a slightly different topic, talking about control-theoretic modelling and mitigation of cyberattacks. He showed us some techniques to detect compromised nodes in networks, that is, nodes that have been physically captured by an adversary who wants to inject false messages into the network, thus compromising the correct behaviour of the system. Different possibilities exist to defend the network from such attacks, based on so-called “witnesses”: periodically, all nodes of a network send broadcast messages containing their ID and location, and their neighbours act as witnesses, determining whether the sender is a cloned node or a safe one.
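The witness idea described above can be sketched as follows. This is an added example, not code from the lecture or from the original post; the radio range, tolerance, node names, sample broadcasts and the assumption that witness reports are merged in one place are all constructed for illustration.

```python
import math
from collections import defaultdict

RADIO_RANGE = 30.0  # assumed: a witness hears only senders within this distance
TOLERANCE = 5.0     # assumed: allowed localisation error for a single ID

# Constructed sample data: witness positions and one round of broadcasts.
WITNESSES = {"w1": (0, 0), "w2": (40, 0), "w3": (200, 0)}
BROADCASTS = [  # (claimed ID, claimed location, position it was really sent from)
    ("n7", (10, 5), (10, 5)),
    ("n7", (190, 0), (190, 0)),    # second device reusing n7's identity
    ("n9", (35, 10), (35, 10)),
    ("n4", (100, 100), (20, 0)),   # claim does not match where it was heard
]

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def collect_reports(witnesses, broadcasts):
    """Each witness records the claims it can hear and rejects claims that
    place the sender outside its own radio range."""
    reports, implausible = [], set()
    for node_id, claimed, actual in broadcasts:
        for name, pos in witnesses.items():
            if dist(pos, actual) > RADIO_RANGE:
                continue                      # out of earshot
            if dist(pos, claimed) > RADIO_RANGE:
                implausible.add(node_id)      # heard nearby, claims far away
            else:
                reports.append((name, node_id, claimed))
    return reports, implausible

def find_clones(reports):
    """Merge witness reports; an ID claimed at two distant places is cloned."""
    by_id = defaultdict(list)
    for name, node_id, claimed in reports:
        by_id[node_id].append((name, claimed))
    clones = {}
    for node_id, seen in by_id.items():
        for i, (w1, loc1) in enumerate(seen):
            for w2, loc2 in seen[i + 1:]:
                if dist(loc1, loc2) > TOLERANCE:
                    clones[node_id] = (w1, w2)
    return clones

if __name__ == "__main__":
    reports, implausible = collect_reports(WITNESSES, BROADCASTS)
    print("cloned IDs:", find_clones(reports))
    print("implausible claims:", sorted(implausible))
```

Neither `w1` nor `w3` can spot the clone alone, since each hears only one copy of `n7`; the conflict appears only once their reports are compared.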

Finally, the proceedings were concluded by prof. Prakash, who gave us a very interesting talk about a new solution to avoid app phishing attacks on smartphones, called TIVO, “Trusted Visual I/O Paths for Android”. When enabled, TIVO allows users to associate a secret image with each installed application. Then, each time the application is running and displays a keyboard (possibly to input sensitive data, like username and password), TIVO displays the application’s icon, the application’s name and, if set, the secret image picked by the users themselves. This should make it much harder for malicious apps to intercept login screens and carry out phishing attacks.

Group picture of participants of SMDSP

The participants of the summer school at Palazzo Bo, in Padua.

And that’s all from Padua and from SMDSP, folks! Special thanks go out to the University of Padua, to the organizers and lecturers of this very interesting Summer School and of course to all the participating students for making this a really nice week.
See you next year in Padua!

Silvia Malatini & Lorenz Cuno Klopfenstein

SMDSP Day two

Posted by Lorenz Cuno Klopfenstein



As reported before, we are now at day three of the International Summer School on Smart & Mobile Device Security and Privacy, after lots of lectures, a tiny bit of sightseeing, not much sleep and — unfortunately — some bad weather.

Dr. Ivan Martinovic from the University of Oxford gave us an overview of his research on secure key exchange on wireless networks, avoiding the widely used Diffie-Hellman method and exploiting inherent characteristics of the wireless channel between the two parties trying to exchange a key (specifically: how the signal between the parties is influenced by the physical room between them, which acts as a unique signature). Moreover, he gave us an outline of his work on face and gaze detection.

Getting back to the Android platform, prof. Sadeghi continued his outline of the large attack surface that a mobile device (and its OS) represents. Attacks on Android can be performed at various levels, starting from the installed applications, through the Android middleware, and getting as low as the underlying Linux kernel. Applications can perform many malicious actions without particular effort, by exploiting the access permissions that users often unknowingly grant during installation. Otherwise, they can try to “collude” with other malicious or unsafe applications in order to perform actions without the user’s consent. Some apps can exploit bugs in system apps or in the middleware to get higher privileges (or even gain root access to the phone). It was interesting to see many such attacks live during a short lab session.

Lucas Davi, from University Darmstadt, gave a basic overview of how return-oriented attacks are performed and how ASLR, DEP and similar techniques help prevent such attacks (and how they can be circumvented).



Matthias Schunter, from the Intel Collaborative Research Institute for Secure Computing (ICRI-SC), talked about the evolution of pervasive computing and the so-called Internet of Things, which presents a scenario with a huge number of devices performing privacy-sensitive operations and thus requiring a well-thought-out approach to security. Intel cooperates closely with academic researchers in order to ensure that even the smallest devices (such as Intel Galileo, for instance) get sufficient security features and can be trusted. Long-running devices also face the issue of staying secure through an operating period measured in decades.

Having reached the halfway point of the summer school, we’re now signing off for a (rainy) visit of Padua, including the world-famous Cappella degli Scrovegni painted by Giotto himself and Palazzo Bo, the original seat of the university at the time of its founding in the XIII century, when security could still be ensured by a mechanical lock…

Silvia Malatini & Lorenz Cuno Klopfenstein

SMDSP Day one!

Posted by Lorenz Cuno Klopfenstein


Summer is running out, but to keep our spirits high we could not miss this great summer school about Security and Privacy on Smart and Mobile devices. The SMDSP summer school just started on Monday, September 1st, in the beautiful city of Padua. It is organized by some of the leading experts in the field, like professor Mauro Conti, from the University of Padua, the director of the school, professor Asokan from Aalto University and professor Ahmad-Reza Sadeghi from TU Darmstadt.

In fact, the school is co-organized by the University of Padua, particularly the Department of Mathematics, the Aalto University, the Center for Advanced Security Research Darmstadt, and the Intel Collaborative Research Institute for Secure Computing.

The University of Padua has a long tradition (it is among the earliest universities of the world, founded in 1222 as the second one in Italy, just after Bologna; it also hosted people like Galileo Galilei and Nicolaus Copernicus).

The main focus of this summer school is to bring together members from the international security research community to debate contemporary issues in the area of smartphone security and privacy, which is becoming more and more important in the era of the Internet of Things.

25 students and 15 organizers, between scientific and operational committees, are going to work together for one week, to discuss their work and ideas about this interesting field.

On Monday the proceedings were opened by the Chancellor’s delegate, Ms. Lucia Regolin, and by the Director of the Department of Mathematics, Mr. Bruno Viscolani, who explained to us how this school reflects the motto of Padua University, “Universa Universis Patavina Libertas”, which aims to give ever more freedom of thought to teachers and students, throughout its long history.

Later, prof. Asokan introduced us to the world of Trusted Execution Environments (TEE), where Trusted means that the environment is isolated from the “normal” execution environment (where the OS and “normal” applications run), so that integrity is protected. He showed us what constitutes a TEE, some of the architectures in use, and the state of the art currently being developed. He also showed us the ongoing work on TPM (Trusted Platform Module) 2.0 and its differences from the previous version, 1.2.


Professor Ahmad-Reza Sadeghi gave us a very interesting lecture about the security of mobile platforms in general, going deeper into the Android security framework and showing us the most problematic attacks one generally has to fight, and how doing security is hard work and very difficult to do thoroughly even if things appear to be correct.
As prof. Sadeghi put it: “never trust a working thing”.

To conclude the day, professor Mauro Conti showed us their ongoing work in this area and the latest issues they are concerned about. And then he also promised to show us why exactly his department’s acronym is SPRITZ.

Silvia Malatini & Lorenz Cuno Klopfenstein

Is There Anything More Wearable Than Your Smartphone?

Posted by Alessandro Bogliolo

Technology scaling has fueled the myth of wearable computing for a long time. The many challenges hidden behind the idea of wearable computing have engaged researchers and companies for many years, leading to extraordinary results that have surpassed the imagination of sci-fi writers and have brought huge changes in our everyday lives. Representative recent examples include general purpose smart watches (e.g., Samsung Gear Live, Moto 360, LG G Watch), smart glasses (e.g., Google Glass), and many domain-specific wearable devices mainly used in health care and sports (e.g., metabolic holter, activity monitor, vital signals tracker). Many more wearables are expected to be marketed in the next months thanks to the boost provided by Android Wear, just launched by Google.

In spite of the large number of amazing new gadgets with unprecedented ergonomic design, my smartphone is by far the most wearable device I use every day. Technically speaking, I’m not exactly wearing it, in that I need either to keep it in hand, or to put it in a pocket or in a bag. But I feel more comfortable with my all-in-one mobile than with any other wearable device, including my mechanical wrist watch.

So my first question is:

1. Do smartphones belong to the category of wearable devices?

To provide a tentative answer to this question I need to go back to the first time I encountered the myth of wearable computing in my professional life (trying not to consider the time spent watching Star Trek as part of it). At that time (the early 90’s) the Internet was in its infancy, Wi-Fi was still WaveLAN, laptops were hardly portable, and I had no cellular phones. To me, wearable computing was just an enabling technology to achieve the goal of ubiquitous/mobile computing. Wearing a computer has never been a big dream of mine, but I’ve always desired to be able to compute and communicate anywhere and at any time.

The difference between a portable device and a wearable device is that the former is so cumbersome that I decide to bring it with me if and only if I know for sure that I’m going to need it during the day and that its utility will compensate for the discomfort that it will cause me in my daily routine (laptops belong to this category, although they have become much thinner and lighter than in the early 90’s), while the latter is so handy and useful that I know for sure that I’ll need it during the day and that I won’t be limited in all other activities because of it, so that I bring it with me without even considering whether it is worth it or not (I have no doubt that smartphones belong to this category).

This brings me to my second question:

2. Is there any device which is more wearable than a smartphone?

According to the definition provided above, I don’t think so. I wear my smartphone more than any other object, clothes included. There is no piece of clothing that I wear for more than 12 hours every day! Even a sweater looks less wearable than a mobile to me, in that I decide to carry it with me when I go out only if I really think I’m going to put it on, or otherwise it will hinder me in my activities.

Going back to wearable electronic devices, smart watches and Google glasses are very good examples of truly wearable gadgets enabling new applications in many relevant fields like augmented reality, accessibility, health care, and gaming. However, they are still not usable enough as general purpose personal devices to replace smartphones, while they are more of a hindrance than a smartphone when not in use. At the moment, they look more like companion gadgets than like stand-alone devices, and their marketing and usage models rely on the fact that end users already have their smartphones with them.