INI Students Analyze Smartphone Security

June 21, 2010

With smartphones, you can download and operate thousands of applications that can do just about anything. But with all that cyber traffic, how secure is your device from malicious threats, attacks or information breaches? INI students Alex Qin and Cheng Ye Zhang, both from China, are spending their summer researching that question.

With research advisor Nicolas Christin, Associate Director of the INI and a CyLab Systems Scientist, Qin and Zhang are analyzing the security of Android, Google's open-source operating system that powers a number of smartphones and other mobile devices, including Motorola's popular Droid phone.

Since May, the team has used its collective knowledge of Linux, on which Android is based, and access control systems to break the Android infrastructure and gain access to the phones they are testing. By analyzing different ways to break-in, Qin and Zhang can identify potential security breaches, which Google can then correct to prevent malicious worms or Zombie networks from entering Android. Tight security is necessary because a compromised smartphone could be controlled by an attacker thousands of miles away through the Internet, either to victimize a user or as a tool to launch larger cyber attacks. An information breach, which aids identify theft and fraud, is another major security concern.

"Although it would cause bigger trouble if a VIP's phone was attacked, smartphone security should be the concern of every user," Zhang said. "Google did a good job on its security, but we have found a way to get root access to the phone. It's difficult to do, but once someone has root privileges, it could lead to potential security problems."

Root access grants a user absolute power over an operating system, including the ability to modify or compromise the system. Some users choose to break into their phones themselves because they want more control over the applications they can download or their Internet source. However, while individuals receive more control over their devices, so do third-party users or attackers, according to Qin and Zhang.

"Usability and security are difficult to bring together," Zhang said. "Really tight security leads to less usability and vice versa. There's a definite trade-off to consider."

Christin's team is just one of several research groups on campus investigating Android security using mobile devices donated by Google. Qin and Zhang, both enrolled in the INI's Master of Science in Information Technology – Information Security (MSIT-IS) program based in Kobe, Japan, will continue their research throughout the summer, and possibly into the fall, depending on their progress. They have enjoyed their time attending Carnegie Mellon's main campus, before graduating in December 2010.

"It's been great to have actual contact with the faculty and facilities here," Qin said. "We've made a lot of good connections."

Qin has already secured a full-time position with Facebook in Palo Alto, Calif. upon graduation in December. Zhang is currently applying to full-time jobs in information security among a variety of sectors.