Android and iOS Encryption

 

 

Mobile telephone operating systems present interesting security challenges. The research cited here addresses encryption solutions for the two currently most popular systems, iOS and Android. Of the articles here, only three address iOS; the rest address problems with Android, perhaps because its open-source basis makes it easier to access. One article also includes QNX, the Blackberry operating system. The work presented here was published in 2014.

 

Teufl, P.; Fitzek, A.; Hein, D.; Marsalek, A.; Oprisnik, A.; Zefferer, T., "Android Encryption Systems," Privacy and Security in Mobile Systems (PRISMS), 2014 International Conference on, pp. 1, 8, 11-14 May 2014. doi: 10.1109/PRISMS.2014.6970599 The high usability of smartphones and tablets is embraced by consumers as well as the corporate and public sector. However, especially in the non-consumer area the factor security plays a decisive role for the platform-selection process. All of the current companies within the mobile device sector added a wide range of security features to the initially consumer-oriented devices (Apple, Google, Microsoft), or have dealt with security as a core feature from the beginning (RIM, now Blackberry). One of the key security features for protecting data on the device or in device backups are encryption systems, which are available in the majority of current devices. However, even under the assumption that the systems are implemented correctly, there is a wide range of parameters, specific use cases, and weaknesses that need to be considered when deploying mobile devices in security-critical environments. As the second part in a series of papers (the first part was on iOS), this work analyzes the deployment of the Android platform and the usage of its encryption systems within a security-critical context. For this purpose, Android's different encryption systems are assessed and their susceptibility to different attacks is analyzed in detail. Based on these results a workflow is presented, which supports deployment of the Android platform and usage of its encryption systems within security-critical application scenarios.

Keywords: Android (operating system); cryptography; data protection; smart phones; Android encryption systems; Android platform deployment analysis; Apple; Blackberry; Google; Microsoft; RIM; attack susceptibility; consumer-oriented devices; data protection; device backups; IOS; mobile device sector; mobile devices; nonconsumer area; platform-selection process; security features; security-critical application scenarios; security-critical context; security-critical environments; smart phones; tablets; Androids; Encryption; Humanoid robots; Smart phones (ID#:15-3733)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6970599&isnumber=6970591

 

Verma, S.; Pal, S.K.; Muttoo, S.K., "A New Tool For Lightweight Encryption On Android," Advance Computing Conference (IACC), 2014 IEEE International, pp. 306, 311, 21-22 Feb. 2014. doi: 10.1109/IAdCC.2014.6779339 Theft or loss of a mobile device could be an information security risk as it can result in loss of confidential personal data. Traditional cryptographic algorithms are not suitable for resource constrained and handheld devices. In this paper, we have developed an efficient and user friendly tool called “NCRYPT” on Android platform. “NCRYPT” application is used to secure the data at rest on Android thus making it inaccessible to unauthorized users. It is based on lightweight encryption scheme i.e. Hummingbird-2. The application provides secure storage by making use of password based authentication so that an adversary cannot access the confidential data stored on the mobile device. The cryptographic key is derived through the password based key generation method PBKDF2 from the standard SUN JCE cryptographic provider. Various tools for encryption are available in the market which are based on AES or DES encryption schemes. The reported tool is based on Hummingbird-2 and is faster than most of the other existing schemes. It is also resistant to most of the attacks applicable to Block and Stream Ciphers. Hummingbird-2 has been coded in C language and embedded in Android platform with the help of JNI (Java Native Interface) for faster execution. This application provides choices for encrypting the entire data on SD card or selective files on the smart phone and protect personal or confidential information available in such devices.

Keywords: C language; cryptography; smart phones; AES encryption scheme; Android platform; C language; DES encryption scheme; Hummingbird-2 scheme; JNI; Java native interface; NCRYPT application; PBKDF2 password based key generation method; SUN JCE cryptographic provider; block ciphers; confidential data; cryptographic algorithms; cryptographic key; information security risk; lightweight encryption scheme; mobile device; password based authentication; stream ciphers; Ciphers; Encryption; Smart phones; Standards; Throughput; Android; HummingBird2; Information Security; Lightweight Encryption; PBKDF2 (ID#:15-3734)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6779339&isnumber=6779283

 

Patil, M.; Sahu, V.; Jain, A., "SMS text Compression and Encryption on Android O.S," Computer Communication and Informatics (ICCCI), 2014 International Conference on, pp. 1, 6, 3-5 Jan. 2014. doi: 10.1109/ICCCI.2014.6921767 Today in the world of globalization mobile communication is one of the fastest growing medium through which one sender can interact with other in short time. During the transmission of data from sender to receiver, size of data is important, since more data takes more time. But one of the limitations of sending data through mobile devices is limited use of bandwidth and number of packets transmitted. Also the security of these data is important. Hence various protocols are implemented which not only provides security to the data but also utilizes bandwidth. Here we proposed an efficient technique of sending SMS text using combination of compression and encryption. The data to be sent is first encrypted using Elliptic curve Cryptographic technique, but encryption increases the size of the text data, hence compression is applied to this encrypted data so the data gets compressed and is sent in short time. The Compression technique implemented here is an efficient one since it includes an algorithm which compresses the text by 99.9%, hence a great amount of bandwidth gets saved. The hybrid technique of Compression-Encryption of SMS text message is implemented for Android Operating Systems.

Keywords: Android (operating system); cryptographic protocols; data communication; data compression; electronic messaging; public key cryptography; smart phones; Android OS; SMS text encryption-compression technique; data security; data transmission; elliptic curve cryptographic technique; mobile communication; mobile devices; security protocols; Algorithm design and analysis; Bandwidth; Computers; Encryption; Mobile communication; Mobile handsets; ECDSA; Look ahead buffer; PDA; SMS; lossless compression (ID#:15-3735)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6921767&isnumber=6921705

 

Ma Licui; Li Meihong; Li Lun; Du Ye; Zhang Dawei, "A SDKEY-Based Secure Storage and Transmission Approach for Android Phone," Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 2014 International Conference on, pp. 1, 6, 13-15 Oct. 2014. doi: 10.1109/CyberC.2014.10 To resolve the more and more serious problems of sensitive data leakage from Android systems, a kind of method of data protection on encryption storage and encryption transmission is presented in this paper by adopting secure computation environment of SDKEY device. Firstly, a dual-authentication scheme for login using SDKEY and PIN is designed. It is used for login on system boot and lock screen. Secondly, an approach on SDKEY-based transparent encryption storage for different kinds of data files is presented, and a more fine-grained encryption scheme for different file types is proposed. Finally, a method of encryption transmission between Android phones is presented, and two kinds of key exchange mechanisms are designed for next encryption and decryption operation in the following. One is a zero-key exchange and another is a public key exchange. In this paper, a prototype system based on the above solution has been developed, and its security and performance are both analyzed and verified from several aspects.

Keywords: Android (operating system); message authentication; public key cryptography; storage management; Android phones; Android system; PIN; SDKEY device; SDKEY-based secure storage; SDKEY-based transparent encryption storage; data files; data protection; decryption operation; dual-authentication scheme; encryption operation; encryption transmission; fine-grained encryption scheme; key exchange mechanisms; lock screen; prototype system; public key exchange; secure computation environment; sensitive data leakage; system boot; transmission approach; zero-key exchange; Authentication; Ciphers; Encryption; Receivers; Smart phones; Authentication; Encryption Storage; Encryption Transmission; Key exchange; SDKEY (ID#:15-3736)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6984271&isnumber=6984259

 

Skillen, A.; Mannan, M., "Mobiflage: Deniable Storage Encryption for Mobile Devices," Dependable and Secure Computing, IEEE Transactions on, vol. 11, no. 3, pp. 224, 237, May-June 2014. doi: 10.1109/TDSC.2013.56 Data confidentiality can be effectively preserved through encryption. In certain situations, this is inadequate, as users may be coerced into disclosing their decryption keys. Steganographic techniques and deniable encryption algorithms have been devised to hide the very existence of encrypted data. We examine the feasibility and efficacy of deniable encryption for mobile devices. To address obstacles that can compromise plausibly deniable encryption (PDE) in a mobile environment, we design a system called Mobiflage. Mobiflage enables PDE on mobile devices by hiding encrypted volumes within random data in a device's free storage space. We leverage lessons learned from deniable encryption in the desktop environment, and design new countermeasures for threats specific to mobile systems. We provide two implementations for the Android OS, to assess the feasibility and performance of Mobiflage on different hardware profiles. MF-SD is designed for use on devices with FAT32 removable SD cards. Our MF-MTP variant supports devices that instead share a single internal partition for both apps and user accessible data. MF-MTP leverages certain Ext4 file system mechanisms and uses an adjusted data-block allocator. These new techniques for storing hidden volumes in Ext4 file systems can also be applied to other file systems to enable deniable encryption for desktop OSes and other mobile platforms.

Keywords: Android (operating system); cryptography; mobile computing; steganography; Android OS; Ext4 file system mechanisms; FAT32 removable SD cards; MF-MTP variant; MF-SD; Mobiflage; PDE; data confidentiality; data-block allocator; decryption keys; deniable storage encryption; desktop OS; desktop environment; mobile devices; mobile environment; plausibly deniable encryption; steganographic techniques; Androids; Encryption; Humanoid robots; Law; Mobile communication; Mobile handsets; File system security; deniable encryption; mobile platform security; storage encryption (ID#:15-3737)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6682886&isnumber=6813632

 

Hilgers, C.; Macht, H.; Muller, T.; Spreitzenbarth, M., "Post-Mortem Memory Analysis of Cold-Booted Android Devices," IT Security Incident Management & IT Forensics (IMF), 2014 Eighth International Conference on, pp. 62, 75, 12-14 May 2014. doi: 10.1109/IMF.2014.8 As recently shown in 2013, Android-driven smartphones and tablet PCs are vulnerable to so-called cold boot attacks. With physical access to an Android device, forensic memory dumps can be acquired with tools like FROST that exploit the remanence effect of DRAM to read out what is left in memory after a short reboot. While FROST can in some configurations be deployed to break full disk encryption, encrypted user partitions are usually wiped during a cold boot attack, such that a post-mortem analysis of main memory remains the only source of digital evidence. Therefore, we provide an in-depth analysis of Android's memory structures for system and application level memory. To leverage FROST in the digital investigation process of Android cases, we provide open-source Volatility plugins to support an automated analysis and extraction of selected Dalvik VM memory structures.

Keywords: DRAM chips; cryptography; digital forensics; mobile computing; smart phones; Android memory structures; Android-driven smartphones; DRAM remanence effect; Dalvik VM memory structures; FROST tool; application level memory; cold boot attacks; cold-booted Android devices; digital investigation process; forensic memory dumps; full disk encryption; open-source volatility plugins; post-mortem memory analysis; tablet PCs; Androids; Cryptography; Forensics; Kernel; Linux; Random access memory; Smart phones; Android Forensics; Cold Boot Attack; Dalvik VM; Memory Analysis; Post-mortem Analysis; Volatility Plugins (ID#:15-3738)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6824082&isnumber=6824069

 

Sriborrirux, W.; Promsiri, P.; Limmanee, A., "Multiple Secret Key Sharing Based on the Network Coding Technique for an Open Cloud DRM Service Provider," Computational Science and Engineering (CSE), 2014 IEEE 17th International Conference on, pp. 953, 959, 19-21 Dec. 2014. doi: 10.1109/CSE.2014.191 In this paper, we present an open cloud DRM service provider to protect the digital content's copyright. The proposed architecture enables the service providers to use an on-the-fly DRM technique with digital signature and symmetric-key encryption. Unlike other similar works, our system does not keep the encrypted digital content but lets the content creators do so in their own cloud storage. Moreover, the keys used for symmetric encryption are managed in an extremely secure way by means of the key fission engine and the key fusion engine. The ideas behind the two engines are taken from the works in secure network coding and secret sharing. Although the use of secret sharing and secure network coding for the storage of digital content is proposed in some other works, this paper is the first one employing those ideas only for key management while letting the content be stored in the owner's cloud storage. In addition, we implement an Android SDK for e-Book readers to be compatible with our proposed open cloud DRM service provider. The experimental results demonstrate that our proposal is feasible for the real e-Book market, especially for individual businesses.

Keywords: cloud computing; copyright; cryptography; digital signatures; network coding; Android SDK; cloud storage; digital content copyright; digital signature; e-Book market; e-Book readers; encrypted digital content; key fission engine; key management; multiple secret key sharing; open cloud DRM service provider; secret sharing; secure network coding technique; symmetric encryption; symmetric-key encryption; Cloud computing; Electronic publishing; Encryption; Engines; Licenses; Servers; Digital Rights Management; Key Management; Network Coding; Open Cloud; Secret Sharing (ID#:15-3739)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7023701&isnumber=7023510

 

Haciosman, M.; Bin Ye; Howells, G., "Protecting and Identifying Smartphone Apps Using Icmetrics," Emerging Security Technologies (EST), 2014 Fifth International Conference on, pp. 94, 98, 10-12 Sept. 2014. doi: 10.1109/EST.2014.28 As web-server spoofing is increasing, we investigate a novel technology termed ICmetrics, used to identify fraud for given software/hardware programs based on measurable quantities/features. ICmetrics technology is based on extracting features from digital systems' operation that may be integrated together to generate unique identifiers for each of the systems or create unique profiles that describe the systems' actual behavior. This paper looks at the properties of the several behaviors as a potential ICmetrics features to identify android apps, it presents several quality features which meet the ICmetrics requirements and can be used for encryption key generation. Finally, the paper identifies four android apps and verifies the use of ICmetrics by identifying a spoofed app as a different app altogether.

Keywords: cryptography; smart phones; Android apps; ICmetrics; Web-server spoofing; encryption key generation; fraud identification; hardware programs; identifier generation; smartphone application identification; smartphone application protection; software programs; Androids; Feature extraction; Hardware; Humanoid robots; Security; Smart phones; Software; Android security; ICmetrics; biometrics; encryption; mobile security; security (ID#:15-3740)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6982782&isnumber=6982753

 

Ziegler, D.; Rauter, M.; Stromberger, C.; Teufl, P.; Hein, D., "Do You Think Your Passwords Are Secure?," Privacy and Security in Mobile Systems (PRISMS), 2014 International Conference on, pp. 1, 8, 11-14 May 2014. doi: 10.1109/PRISMS.2014.6970600 Many systems rely on passwords for authentication. Due to numerous accounts for different services, users have to choose and remember a significant number of passwords. Password-Manager applications address this issue by storing the user's passwords. They are especially useful on mobile devices, because of the ubiquitous access to the account passwords. Password-Managers often use key derivation functions to convert a master password into a cryptographic key suitable for encrypting the list of passwords, thus protecting the passwords against unauthorized, off-line access. Therefore, design and implementation flaws in the key derivation function impact password security significantly. Design and implementation problems in the key derivation function can render the encryption on the password list useless, by for example allowing efficient bruteforce attacks, or - even worse - direct decryption of the stored passwords. In this paper, we analyze the key derivation functions of popular Android Password-Managers with often startling results. With this analysis, we want to raise the awareness of developers of security critical apps for security, and provide an overview about the current state of implementation security of security-critical applications.

Keywords: authorisation; cryptography; message authentication; ubiquitous computing; Android password-manager; authentication; bruteforce attack; cryptographic key; direct decryption; encryption; key derivation function; mobile device; password security; security-critical application; ubiquitous access; Androids; Databases; Encryption; Humanoid robots; Usability (ID#:15-3741)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6970600&isnumber=6970591

 

Azfar, A.; Choo, K.-K.R.; Lin Liu, "A Study of Ten Popular Android Mobile VoIP Applications: Are the Communications Encrypted?," System Sciences (HICSS), 2014 47th Hawaii International Conference on, pp. 4858, 4867, 6-9 Jan. 2014. doi: 10.1109/HICSS.2014.596 Mobile Voice over Internet Protocol (mVoIP) applications have gained increasing popularity in the last few years, with millions of users communicating using such applications (e.g. Skype). Similar to other forms of Internet and telecommunications, mVoIP communications are vulnerable to both lawful and unauthorized interceptions. Encryption is a common way of ensuring the privacy of mVoIP users. To the best of our knowledge, there has been no academic study to determine whether mVoIP applications provide encrypted communications. In this paper, we examine Skype and nine other popular mVoIP applications for Android mobile devices, and analyze the intercepted communications to determine whether the captured voice and text communications are encrypted (or not). The results indicate that most of the applications encrypt text communications. However, voice communications may not be encrypted in six of the ten applications examined.

Keywords: Internet telephony; cryptography; data privacy; mobile computing; smart phones; telecommunication security; Android mobile VoIP applications; Android mobile devices; Internet; Skype; lawful interceptions; mVoIP communications; mobile voice-over-Internet protocol; text communication encryption; unauthorized interceptions; user privacy; Cryptography; Entropy; Google; Mobile communication; Protocols; Smart phones (ID#:15-3742)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6759199&isnumber=6758592

 

Lopes, H.; Chatterjee, M., "Application H-Secure for Mobile Security," Circuits, Systems, Communication and Information Technology Applications (CSCITA), 2014 International Conference on, pp. 370, 374, 4-5 April 2014. doi: 10.1109/CSCITA.2014.6839289 Mobile security is as critical as the PIN number on our ATM card or the lock on our front door. More than our phone itself, the information inside needs safeguarding as well. Not necessarily for scams, but just peace of mind. Android seems to have attracted the most attention from malicious code writers due to its popularity. The flexibility to freely download apps and content has fueled the explosive growth of smart phones and mobile applications but it has also introduced a new risk factor. Malware can mimic popular applications and transfer contacts, photos and documents to unknown destination servers. There is no way to disable the application stores on mobile operating systems. Fortunately for end-users, our smart phones are fundamentally open devices however they can quite easily be hacked. Enterprises now provide business applications on these devices. As a result, confidential business information resides on employee-owned device. Once an employee quits, the mobile operating system wipe-out is not an optimal solution as it will delete both business and personal data. Here we propose H-Secure application for mobile security where one can store their confidential data and files in encrypted form. The encrypted file and encryption key are stored on a Web server so that unauthorized person cannot access the data. If user loses the mobile then he can login into Web and can delete the file and key to stop further decryption process.

Keywords: Android (operating system); authorisation; graphical user interfaces; invasive software; mobile computing; private key cryptography; smart phones; Android smart phones; H-Secure application; Web server; application stores; business applications; business data; confidential business information; confidential data storage; confidential file storage; data access; decryption process; destination servers; employee-owned device; encrypted file; encryption key; free-download apps; free-download content; malicious code; malware; mobile operating system; mobile operating systems; mobile security applications; open devices; personal data; unauthorized person; Authentication; Encryption; Mobile communication; Mobile handsets; Servers; AES Encryption and Decryption; Graphical Password (ID#:15-3743)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6839289&isnumber=6839219

 

Novak, E.; Qun Li, "Near-pri: Private, Proximity Based Location Sharing," INFOCOM, 2014 Proceedings IEEE, pp. 37, 45, April 27 2014-May 2 2014. doi: 10.1109/INFOCOM.2014.6847922 As the ubiquity of smartphones increases we see an increase in the popularity of location based services. Specifically, online social networks provide services such as alerting the user of friend co-location, and finding a user's k nearest neighbors. Location information is sensitive, which makes privacy a strong concern for location based systems like these. We have built one such service that allows two parties to share location information privately and securely. Our system allows every user to maintain and enforce their own policy. When one party, (Alice), queries the location of another party, (Bob), our system uses homomorphic encryption to test if Alice is within Bob's policy. If she is, Bob's location is shared with Alice only. If she is not, no user location information is shared with anyone. Due to the importance and sensitivity of location information, and the easily deployable design of our system, we offer a useful, practical, and important system to users. Our main contribution is a flexible, practical protocol for private proximity testing, a useful and efficient technique for representing location values, and a working implementation of the system we design in this paper. It is implemented as an Android application with the Facebook online social network used for communication between users.

Keywords: cryptography; mobile computing; smart phones; social networking (online); Android application; Facebook online social network; Near-Pri; homomorphic encryption; location based services; location based systems; location information sensitivity; location value representation; private proximity based location sharing; private proximity testing; smartphone ubiquity; user location information privacy; Cryptography; Facebook; Lead; Polynomials; Privacy; Protocols; Vegetation (ID#:15-3744)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6847922&isnumber=6847911

 

Naito, K.; Mori, K.; Kobayashi, H.; Kamienoo, K.; Suzuki, H.; Watanabe, A., "End-to-end IP Mobility Platform In Application Layer for iOS and Android OS," Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th, pp. 92, 97, 10-13 Jan. 2014. doi: 10.1109/CCNC.2014.6866554 Smartphones are a new type of mobile devices that users can install additional mobile software easily. In the almost all smartphone applications, client-server model is used because end-to-end communication is prevented by NAT routers. Recently, some smartphone applications provide real time services such as voice and video communication, online games etc. In these applications, end-to-end communication is suitable to reduce transmission delay and achieve efficient network usage. Also, IP mobility and security are important matters. However, the conventional IP mobility mechanisms are not suitable for these applications because most mechanisms are assumed to be installed in OS kernel. We have developed a novel IP mobility mechanism called NTMobile (Network Traversal with Mobility). NTMobile supports end-to-end IP mobility in IPv4 and IPv6 networks, however, it is assumed to be installed in Linux kernel as with other technologies. In this paper, we propose a new type of end-to-end mobility platform that provides end-to-end communication, mobility, and also secure data exchange functions in the application layer for smartphone applications. In the platform, we use NTMobile, which is ported as the application program. Then, we extend NTMobile to be suitable for smartphone devices and to provide secure data exchange. Client applications can achieve secure end-to-end communication and secure data exchange by sharing an encryption key between clients. Users also enjoy IP mobility which is the main function of NTMobile in each application. Finally, we confirmed that the developed module can work on Android system and iOS system.

Keywords: Android (operating system); IP networks; client-server systems; cryptography; electronic data interchange; iOS (operating system); real-time systems; smart phones; Android OS; IPv4 networks; IPv6 networks; Linux kernel; NAT routers; NTMobile; OS kernel; application layer; client-server model; encryption key; end-to-end IP mobility platform; end-to-end communication; iOS system; network traversal with mobility; network usage; real time services; secure data exchange; smartphones; transmission delay; Authentication; Encryption; IP networks; Manganese; Relays; Servers (ID#:15-3745)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6866554&isnumber=6866537

 

Swati, K.; Patankar, A.J., "Effective Personalized Mobile Search Using KNN," Data Science & Engineering (ICDSE), 2014 International Conference on, pp. 157, 160, 26-28 Aug. 2014. doi: 10.1109/ICDSE.2014.6974629 Effective Personalized Mobile Search Using KNN, implements an architecture to improve user's personalization effectiveness over large set of data maintaining security of the data. User preferences are gathered through clickthrough data. Clickthrough data obtained is sent to the server in encrypted form. Clickthrough data obtained is classified into content concepts and location concepts. To improve classification and minimize processing time, KNN (K Nearest Neighborhood) algorithm is used. Preferences identified (location and content) are merged to provide effective preferences to the user. System makes use of four entropies to balance weight between content concepts and location concepts. System implements client server architecture. Role of client is to collect user queries and to maintain them in files for future reference. User preference privacy is ensured through privacy parameters and also through encryption techniques. Server is responsible to carry out the tasks like training, reranking of the search results obtained and the concept extraction. Experiments are carried out on Android based mobile. Results obtained through experiments show that system significantly gives improved results over previous algorithm for the large set of data maintaining security.

Keywords: client-server systems; cryptography; data privacy; information retrieval; mobile computing; pattern classification; Android based mobile; KNN; classification; clickthrough data; client-server architecture; concept extraction; data maintaining security; encryption techniques; k nearest neighborhood; personalized mobile search; user preference privacy; Androids; Classification algorithms; Mobile communication; Ontologies; Search engines; Servers; Vectors; Clickthrough data; concept; location search; mobile search engine; ontology; personalization; user preferences (ID#:15-3746)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6974629&isnumber=6974596

 

Bheemeswara Rao, K.V.; Ravi, N.; Phani Bhushan, R.; Pramod Kumar, K.; Venkataraman, S., "Bluetooth Technology: ApXLglevel End-To-End Security," Communications and Signal Processing (ICCSP), 2014 International Conference on, pp. 340, 344, 3-5 April 2014. doi: 10.1109/ICCSP.2014.6949858 The innovations in communication and computing technologies are changing the way we carry-out the tasks in our daily lives. These revolutionary and disrupting technologies are available to the users in various hardware form-factors like Smart Phones, Embedded Appliances, Configurable or Customizable add-on devices, etc. One such technology is Bluetooth [1], which enables the users to communicate and exchange various kinds of information like messages, audio, streaming music and file transfer in a Personal Area Network (PAN). Though it enables the user to carry-out these kinds of tasks without much effort and infrastructure requirements, they inherently bring with them the security and privacy concerns, which need to be addressed at different levels. In this paper, we present an application-layer framework, which provides strong mutual authentication of applications, data confidentiality and data integrity independent of underlying operating system. It can make use of the services of different Cryptographic Service Providers (CSP) on different operating systems and in different programming languages. This framework has been successfully implemented and tested on Android Operating System on one end (using Java language) and MS-Windows 7 Operating System on the other end (using ANSI C language), to prove the framework's reliability/compatibility across OS, Programming Language and CSP. This framework also satisfies the three essential requirements of Security, i.e. Confidentiality, Integrity and Availability, as per the NIST Guide to Bluetooth Security specification and enables the developers to suitably adapt it for different kinds of applications based on Bluetooth Technology.

Keywords: Bluetooth; C language; Java; audio streaming; authorisation; computer network reliability; computer network security; cryptography; operating systems (computers); personal area networks; smart phones; ANSI C language; Android operating system; ApXLglevel end-to-end security; Bluetooth security specification; Bluetooth technology; Java language; MS-Windows 7 operating system; NIST Guide; PAN; application-layer framework; audio streaming; communication technologies; computing technologies; configurable add-on devices; cryptographic service providers; customizable add-on devices; data confidentiality; data integrity; embedded appliances; file transfer; framework compatibility; framework reliability; music streaming; operating system; personal area network; privacy concern; programming languages; security concern; smart phones; strong mutual authentication; Encryption; Indexes; Mobile communication; Satellites; Authentication; Binary Payload; Bluetooth; Confidentiality; Mobile Phone; Security (ID#:15-3747)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6949858&isnumber=6949766

 

Hong Li; Limin Sun; Haojin Zhu; Xiang Lu; Xiuzhen Cheng, "Achieving Privacy Preservation In Wi-Fi Fingerprint-Based Localization," INFOCOM, 2014 Proceedings IEEE, pp. 2337, 2345, April 27 2014-May 2 2014. doi: 10.1109/INFOCOM.2014.6848178 WiFi fingerprint-based localization is regarded as one of the most promising techniques for indoor localization. The location of a to-be-localized client is estimated by mapping the measured fingerprint (WiFi signal strengths) against a database owned by the localization service provider. A common concern of this approach that has never been addressed in literature is that it may leak the client's location information or disclose the service provider's data privacy. In this paper, we first analyze the privacy issues of WiFi fingerprint-based localization and then propose a Privacy-Preserving WiFi Fingerprint Localization scheme (PriWFL) that can protect both the client's location privacy and the service provider's data privacy. To reduce the computational overhead at the client side, we also present a performance enhancement algorithm by exploiting the indoor mobility prediction. Theoretical performance analysis and experimental study are carried out to validate the effectiveness of PriWFL. Our implementation of PriWFL in a typical Android smartphone and experimental results demonstrate the practicality and efficiency of PriWFL in real-world environments.

Keywords: computer network security; data privacy; mobile computing; smart phones; wireless LAN; Android smartphone; PriWFL; computational overhead reduction; data privacy; indoor localization; indoor mobility prediction; localization service provider; performance enhancement algorithm; privacy-preserving WiFi fingerprint localization scheme; real-world environments; signal strengths; Accuracy; Cryptography; Data privacy; Databases; IEEE 802.11 Standards; Privacy; Servers; WiFi fingerprint-based localization; data privacy; homomorphic encryption; location privacy (ID#:15-3748)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6848178&isnumber=6847911

 

Putra, Made Sumarsana Adi; Budiman, Gelar; Novamizanti, Ledya, "Implementation of Steganography Using LSB With Encrypted And Compressed Text Using TEA-LZW on Android," Computer, Control, Informatics and Its Applications (IC3INA), 2014 International Conference on, pp. 93, 98, 21-23 Oct. 2014. doi: 10.1109/IC3INA.2014.7042607 The development of data communications enabling the exchange of information via mobile devices more easily. Security in the exchange of information on mobile devices is very important. One of the weaknesses in steganography is the capacity of data that can be inserted. With compression, the size of the data will be reduced. In this paper, designed a system application on the Android platform with the implementation of LSB steganography and cryptography using TEA to the security of a text message. The size of this text message may be reduced by performing lossless compression technique using LZW method. The advantages of this method is can provide double security and more messages to be inserted, so it is expected be a good way to exchange information data. The system is able to perform the compression process with an average ratio of 67.42 %. Modified TEA algorithm resulting average value of avalanche effect 53.8%. Average result PSNR of stego image 70.44 dB. As well as average MOS values is 4.8.

Keywords: Android; Compression; Encryption; LSB; LZW; Steganography; TEA (ID#:15-3749)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7042607&isnumber=7042583

 

Shao Shuai; Dong Guowei; Guo Tao; Yang Tianchang; Shi Chenjie, "Analysis on Password Protection in Android Applications," P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2014 Ninth International Conference on, pp.504,507, 8-10 Nov. 2014. doi: 10.1109/3PGCIC.2014.102 Although there has been much research on the leakage of sensitive data in Android applications, most of the existing research focus on how to detect the malware or adware that are intentionally collecting user privacy. There are not much research on analyzing the vulnerabilities of apps that may cause the leakage of privacy. In this paper, we present a vulnerability analyzing method which combines taint analysis and cryptography misuse detection. The four steps of this method are decompile, taint analysis, API call record, cryptography misuse analysis, all of which steps except taint analysis can be executed by the existing tools. We develop a prototype tool PW Exam to analysis how the passwords are handled and if the app is vulnerable to password leakage. Our experiment shows that a third of apps are vulnerable to leak the users' passwords.

Keywords: cryptography; data privacy; mobile computing; smart phones; API call record; Android applications; PW Exam; cryptography misuse analysis; cryptography misuse detection; decompile step; password leakage; password protection; taint analysis; user privacy; vulnerability analyzing method; Androids; Encryption; Humanoid robots; Privacy; Smart phones; Android apps; leakage; password; vulnerability (ID#:15-3750)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7024636&isnumber=7024297

 

Rastogi, V.; Yan Chen; Xuxian Jiang, "Catch Me If You Can: Evaluating Android Anti-Malware Against Transformation Attacks," Information Forensics and Security, IEEE Transactions on, vol. 9, no. 1, pp. 99, 108, Jan. 2014. doi: 10.1109/TIFS.2013.2290431 Mobile malware threats (e.g., on Android) have recently become a real concern. In this paper, we evaluate the state-of-the-art commercial mobile anti-malware products for Android and test how resistant they are against various common obfuscation techniques (even with known malware). Such an evaluation is important for not only measuring the available defense against mobile malware threats, but also proposing effective, next-generation solutions. We developed DroidChameleon, a systematic framework with various transformation techniques, and used it for our study. Our results on 10 popular commercial anti-malware applications for Android are worrisome: none of these tools is resistant against common malware transformation techniques. In addition, a majority of them can be trivially defeated by applying slight transformation over known malware with little effort for malware authors. Finally, in light of our results, we propose possible remedies for improving the current state of malware detection on mobile devices.

Keywords: invasive software; mobile computing; mobile handsets; operating systems (computers); Android antimalware; DroidChameleon; commercial mobile antimalware products; malware authors; malware detection; malware transformation; mobile devices; mobile malware threats; next-generation solutions; obfuscation techniques; transformation attacks; Androids; Encryption; Humanoid robots; Malware; Mobile communication; Android; Mobile; anti-malware; malware (ID#:15-3751)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6661334&isnumber=6684617

 

Adibi, S., "Comparative Mobile Platforms Security Solutions," Electrical and Computer Engineering (CCECE), 2014 IEEE 27th Canadian Conference on, pp.1,6, 4-7 May 2014. doi: 10.1109/CCECE.2014.6900963 Mobile platform security solution has become especially important for mobile computing paradigms, due to the fact that increasing amounts of private and sensitive information are being stored on the smartphones' on-device memory or MicroSD/SD cards. This paper aims to consider a comparative approach to the security aspects of the current smartphone systems, including: iOS, Android, BlackBerry (QNX), and Windows Phone.

Keywords: mobile computing; security of data; Android; BlackBerry; QNX; Windows Phone; comparative mobile platforms; iOS; mobile computing paradigm; mobile platform security solution; private information; sensitive information; smart phone; Androids; Encryption; Kernel; Mobile communication; Smart phones (ID#:15-3752)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6900963&isnumber=6900900

 

Shao Shuai; Dong Guowei; Guo Tao; Yang Tianchang; Shi Chenjie, "Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications," Dependable, Autonomic and Secure Computing (DASC), 2014 IEEE 12th International Conference on, pp. 75, 80, 24-27 Aug. 2014. doi: 10.1109/DASC.2014.22 Cryptographic misuse affects a sizeable portion of Android applications. However, there is only an empirical study that has been made about this problem. In this paper, we perform a systematic analysis on the cryptographic misuse, build the cryptographic misuse vulnerability model and implement a prototype tool Crypto Misuse Analyser (CMA). The CMA can perform static analysis on Android apps and select the branches that invoke the cryptographic API. Then it runs the app following the target branch and records the cryptographic API calls. At last, the CMA identifies the cryptographic API misuse vulnerabilities from the records based on the pre-defined model. We also analyze dozens of Android apps with the help of CMA and find that more than a half of apps are affected by such vulnerabilities.

Keywords: Android (operating system); application program interfaces; cryptography; program diagnostics; Android application; CMA; cryptographic API; cryptographic misuse autodetection; cryptographic misuse vulnerability model; prototype tool crypto misuse analyser; static analysis; Analytical models; Androids; Encryption; Humanoid robots; Runtime; Android; Cryptographic Misuse; Modelling Analysis; Vulnerability (ID#:15-3753)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6945307&isnumber=6945641

 

Marghescu, A.; Teseleanu, G.; Svasta, P., "Cryptographic Key Generator Candidates Based On Smartphone Built-In Sensors," Design and Technology in Electronic Packaging (SIITME), 2014 IEEE 20th International Symposium for, pp.239,243, 23-26 Oct. 2014. doi: 10.1109/SIITME.2014.6967037 Random numbers represent one of the most sensible part of a cryptographic system, since the cryptographic keys must be entirely based on them. The security of a communication relies on the key that had been established between two users. If an attacker is able to deduce that key, the communication is compromised. This is why key generation must completely rely on random number generators, so that nobody can deduce the. This paper will describe a set of public and free Random Number Generators (RNG) within Android-based Smartphones by exploiting different sensors, along with the way of achieving this scope. Moreover, this paper will present some conclusive tests and results over them.

Keywords: Android (operating system); cryptography; random number generation; smart phones; Android-based smartphones; RNG; cryptographic key generator candidates; cryptographic system; random number generators; smartphone built-in sensors; Ciphers; Encryption; Generators; Random sequences; Sensors; Cryptography; RNG; Random Number Generators; Sensors; Smartphone (ID#:15-3754)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6967037&isnumber=6966980

 

Luchian, E.; Terebes, R.; Cremene, M., "Design and implementation of a mobile VoIP system on Android," Electronics and Telecommunications (ISETC), 2014 11th International Symposium on, pp.1,4, 14-15 Nov. 2014. doi: 10.1109/ISETC.2014.7010772 The paper presents a secure solution that provides VoIP service for mobile users, handling both pre-call and mid-call mobility. Pre-call mobility is implemented using a presence server that acts as a DNS for the moving users. Our approach also detects any change in the attachment point of the moving users and transmits it to the peer entity by in band signaling using socket communications. For true mid-call mobility we also employ buffering techniques that store packets for the duration of the signaling procedure. The solution was implemented for Android devices and it uses ASP technology for the server part.

Keywords: Android (operating system); Internet telephony; mobility management (mobile radio); peer-to-peer computing; ASP technology; Android devices; DNS; VoIP service; buffering techniques; in band signaling; mobile VoIP system; mobile users; moving users; peer entity; pre-call mobility; signaling procedure; socket communications; true mid-call mobility; Androids; Cryptography; Graphical user interfaces; IP networks; Protocols; Servers; Smart phones; Android; VoIP; encryption; mobility; sockets (ID#:15-3755)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7010772&isnumber=7010721

 

 

Naito, K.; Mori, K.; Kobayashi, H.; Kamienoo, K.; Suzuki, H.; Watanabe, A., "End-to-End IP Mobility Platform In Application Layer for iOS and Android OS," Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th, pp.92,97, 10-13 Jan. 2014. doi: 10.1109/CCNC.2014.6866554 Smartphones are a new type of mobile devices that users can install additional mobile software easily. In the almost all smartphone applications, client-server model is used because end-to-end communication is prevented by NAT routers. Recently, some smartphone applications provide real time services such as voice and video communication, online games etc. In these applications, end-to-end communication is suitable to reduce transmission delay and achieve efficient network usage. Also, IP mobility and security are important matters. However, the conventional IP mobility mechanisms are not suitable for these applications because most mechanisms are assumed to be installed in OS kernel. We have developed a novel IP mobility mechanism called NTMobile (Network Traversal with Mobility). NTMobile supports end-to-end IP mobility in IPv4 and IPv6 networks, however, it is assumed to be installed in Linux kernel as with other technologies. In this paper, we propose a new type of end-to-end mobility platform that provides end-to-end communication, mobility, and also secure data exchange functions in the application layer for smartphone applications. In the platform, we use NTMobile, which is ported as the application program. Then, we extend NTMobile to be suitable for smartphone devices and to provide secure data exchange. Client applications can achieve secure end-to-end communication and secure data exchange by sharing an encryption key between clients. Users also enjoy IP mobility which is the main function of NTMobile in each application. Finally, we confirmed that the developed module can work on Android system and iOS system.

Keywords: Android (operating system); IP networks; client-server systems; cryptography; electronic data interchange; iOS (operating system); real-time systems; smart phones; Android OS; IPv4 networks; IPv6 networks; Linux kernel; NAT routers; NTMobile; OS kernel; application layer; client-server model; encryption key; end-to-end IP mobility platform; end-to-end communication; iOS system; network traversal with mobility; network usage; real time services; secure data exchange; smartphones; transmission delay; Authentication; Encryption; IP networks; Manganese; Relays; Servers (ID#:15-3756)

URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6866554&isnumber=6866537

Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.