Can You Trust That App?
updated: Jul 31, 2014, 1:45 PM
By UCSB Public Affairs News
You're on your smartphone, browsing through Facebook. In a fit of productivity, you search for, say, a project management app to help you use your non-Instagram and cat video time more effectively. You download and install the first one you come across … only to find that it doesn't do anything. No reminders, no calendar, no clock, nothing.
Oh, well. You exit the app and go back to Facebook.
Sounds innocuous enough, right? What you might actually have done, however, is give a hacker access to your phone and all the important pieces of information it contains about you, your friends and family. And while the thief's initial take can be relatively small compared to the kind of money he or she can make from hacking into your computer, over time, you could be leaking a lot of money without knowing it.
"The victims of these types of malware and scams could be counted in the hundreds of millions," said Giovanni Vigna, a UC Santa Barbara professor of computer science who specializes in cybersecurity.
Smartphone hacking is one of the fastest-growing cybersecurity problems, he said, especially with the advent of cloud storage. In Europe, and increasingly in the United States, hackers are able to bypass two-step verification, the scheme in which a text message bearing a private code is sent to one's smartphone to complete a login to an account website.
It is a problem that Vigna, UCSB computer science professor Christopher Kruegel and researchers from Northwestern University are getting ready to tackle with funding from a $1.4 million grant from the National Science Foundation.
"The thing we'll be seeing more and more are attempts to violate trust assumptions," said Vigna, who is a member of UCSB's Computer Security Group.
And what are these "trust assumptions"?
"Trust is the assurance that a certain application or platform will act as expected," Vigna said. These are the cues, he said, that prompt the user to drop their guard and volunteer sensitive information. These cues can range from icons on pages that proclaim the authenticity of the site or the security of the download to the very recognizable logos of certain sites and apps.
"People use their phones to click on the Facebook icon, for instance, and the Facebook application starts, and they inherently assume that it's Facebook running on their phone," Vigna said. However, he and his team have found that users are also likely to click on a familiar icon that leads to a faux application.
The goal of these stealth attacks is to steal either your money or your information. Money is an obvious motivation, but personal information can be used to steal one's identity or log in and exploit email or social media. Hackers leverage the trust between accounts in social networks to get the victim's friends and contacts to click on malicious links.
There is some comprehension of the issues, according to Vigna, but there is also a demand for more scientific modeling of these relationships and understanding of what their implications are. That way, flaws can be identified and fixed.
While the issues being studied are applicable to all smartphones, the group will examine trust in the Android world in particular.
The researchers hope to identify not only flaws in the system but also mechanisms to fix or avoid them. Though it's not guaranteed, they may even develop their own app that can be used to analyze other apps' behaviors for flaws or potential untrustworthiness.
In the meantime, smartphone users can defend themselves by becoming more mindful of the apps they install, said Vigna. One way to do this is by choosing the better-known app markets and avoiding less reputable third-party sites.
Additionally, the number of downloads can be an indicator of an app's legitimacy. If something has millions of downloads, it's likely to be more trustworthy than a similar app with only a few thousand.
And application hygiene is also important, according to Vigna. Often, a user will download an app that promises great things only to be disappointed when it doesn't work. However, it might be a malicious bit of code that captures user information, so if an app isn't working as promised, uninstall it.
Of course, to bypass the entire issue of trust altogether, one can simply go low-tech with a cellphone that handles only the basics.