Poster: Fine-Grained Locking System for Data and Applications in Smartphones

Smartphones have become truly ubiquitous devices and it is hard to imagine our daily life without them. Today’s modern smartphones offer a diverse set of services and rich functionalities, which include gaming, web browsing, emails, GPS navigation, voice search and high definition video. Such rich functionalities attracted a large number of smartphone owners (referred to as users), and as a result, smartphones overtook laptops and desktops in terms of the number of sold items per year [1]. Such success, however, made these devices an attractive target by adversaries, and consequently lead to a growth in the number of malware types on smartphones [5]. The number of lost, misused, stolen or damaged smartphones has also increased over the years [2]. Moreover, adoption of smartphones by companies has created new attack vectors on the corporate data, where sensitive and confidential data are at a greater risk due to the higher mobility of smartphones [3]. A lot of attention has been paid from the research community to the malware threats to data in smartphones [7]. Still, there has been little attention paid to the physical threats, such as theft, loss, damage or malicious use of the device by an adversary. The aforementioned threats might lead to the highly probable risks of an unauthorized data access or data loss. Symantec reports that in 96% of cases when a smartphone is lost, a person who finds it tries to access sensitive data such as social networking applications, emails, pictures, passwords, and banking applications [8]. Furthermore, recent research shows that users do store sensitive data, such as personal pictures, passwords (both in clear and in password managers), email and SMS messages. However, around half of them do not use a locking system (with a PIN-code, Draw-a-Secret or a password ) [9]. The participants of the aforementioned study justified their decision not to use a locking system by the necessity to have an instant access to non-sensitive data and applications in their smartphones. Futhermore, results of this study suggest that a locking system should consider sensitivity of separate data items, because sensitivity depends on the content of a data item, which means that an application could contain sensitive and non-sensitive data. Recent studies show that Authentication Methods (AMs) that are based on a PIN-code or Draw-a-Secret (DAS) do not provide an adequate protection against an adversary who has physical access to the device and who can observe smartphone users. For instance, De Luca et al. [6] showed that most of the users do not protect PIN-codes from eavesdroppers when accessing ATM machines, Zakaria et al. [12] showed that one attempt is enough to capture a DAS authentication secret, and Raguram et al. [11] presented surveillance tools that allows an adversary to capture what users type into smartphones from reflections of the smartphone’s display off other objects in the environment, such as sun glasses. Diverse and dynamic environments where smartphones are being used today make the problem of data protection harder. Oulasvirta et al. [10] showed that users’ interactions with smartphones are usually very short in length and users are frequently distracted (every four seconds) from their smartphones by many external factors, e.g., necessity to look where a users is walking or maintaining a conversation with a friend. Lack of attention makes AMs more vulnerable to eavesdropping attacks, because users do not check whether they are being observed. Furthermore, short nature of users’ interactions with smartphones forces security tools to compete for users’ attention with primary tasks on smartphones, such as sending messages or browsing. In this poster, we present the design of the study that aims to address the aforementioned limitations of existing smartphone locking systems. In particular, we aim to design and evaluate a system that allows users to lock data items within applications and applications’ functionalities. We then present the study design that aims to evaluate the efficiency and the effectiveness of the proposed locking system.