Smartphone Security

Smartphones are the prevalent platform for handling all kinds of daily digital tasks, from web browsing and emailing, to multimedia and entertainment, to all kinds of apps for communication, information, productivity and so on. However, the popularity of smartphones has also made these platforms very attractive targets for attackers.

Trusted Password Wallet on Mobile Phones

The protection of login credentials when accessing web services becomes crucial under phishing and malware attacks. While many modern mobile phones provide hardware-supported security mechanisms, these have been (and still are) not fully utilized by most phone operating systems. The iPhone operating system iOS has made significant progress in this respect in recent years, in particular with the use of the Secure Enclave and the integration of the password wallet (called "Keychain" there). Back in the early days of smartphones, such features were broadly missing. That brought me to the research idea of integrating the TruWallet secure password manager, originally built for the security kernel operating system on the PC, into the mobile platform and utilizing the ARM Trusted Execution Environment (TrEE). In our research, called TruWalletM (the mobile version of TruWallet), we show how to use these mechanisms, in particular the TrEE, to protect the user's login credentials. We designed and implemented our prototype on a Nokia N900 mobile platform. The key design solution that allows us to meet these requirements is to split a single SSL/TLS connection between the user device and the server into two logically separated channels: one is protected by the TrEE and is used to transmit passwords, the other carries conventional data.


Privilege Escalation Attacks on Android

Various forms of malware exist, in particular for the Android platform. Interestingly, Android came from the very beginning with some advanced operating system security concepts and controls. One key security feature of Android was and is app sandboxing and the definition of different app privileges that the Android OS controls and enforces. Back in 2010, we showed that this concept had some conceptual weaknesses, and we were also able to demonstrate the attack in practice, namely that apps could escalate their defined privileges and gain access to resources they were not allowed to use.

Research Works

Evaluating Analysis Tools for Android Apps: Status Quo and Robustness Against Obfuscation
Johannes Hoffmann, Teemu Rytilahti, Davide Maiorca, Marcel Winandy, Giorgio Giacinto, Thorsten Holz
Technical Report TR-HGI-2016-003, Ruhr-University Bochum, August 2016.
Privilege Escalation Attacks on Android
Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Marcel Winandy.
Information Security, 13th International Conference, ISC 2010, LNCS 6531/2011, pp. 346-360, Springer 2011.
TruWalletM: Secure Web Authentication on Mobile Platforms
Sven Bugiel, Alexandra Dmitrienko, Kari Kostiainen, Ahmad-Reza Sadeghi, Marcel Winandy.
Trusted Systems, Second International Conference, INTRUST 2010, LNCS 6802/2011, Springer, 2011.