Novel Physical Protection of Personal Mobile Assets

个人移动资产的新颖物理保护

• 批准号: RGPIN-2020-06647
• 负责人: Beznosov, Konstantin
• 金额: $ 2.99万
• 依托单位: University of British Columbia
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2020
• 资助国家: 加拿大
• 起止时间: 2020-01-01 至 2021-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=718408
• 关键词: Novel; Physical; Protection; Personal; Mobile

The design of physical security for smartphones and other mobile devices dates back to the first smartphones introduced more than 12 years ago, when they were intended to be little more than music players with calling capabilities and a more usable user interface. At that time, just a PIN (now known more generally as “passcode”) was good enough to play music and make phone calls. Smartphones and other mobile devices are used these days for much more than that. A growing body of empirical evidence suggests that the physical security and privacy of mobile devices is not good enough any more. Smartphone apps have widely varying levels of sensitivity, yet unlocking the device is still necessary and sufficient for launching most of the apps. This all-or-nothing role of unlocking results in unnecessarily high overhead for accessing low-sensitivity apps (e.g., public information retrieval apps, such as weather, Wikipedia, IMDB) on the one hand, and insufficient security of high-sensitivity apps (e.g., financial, dating, medical, messaging) on the other hand. Smartphones and other mobile devices are commonly shared with others, yet the access control mechanisms support only single-user model, in which whoever unlocks the phone has access to its apps, data, and services. Snooping on mobile device by social insiders has been established as a real threat, which cannot be ignored. Yet, passcode (easily shoulder-surfed by social insiders) remains the primary authentication mechanism, knowledge of which is sufficient not only to unlock the device but also to change any settings on it. It's prime time to rethink physical security for mobile devices, particularly smartphones. I propose to explore the design space for improving physical security and privacy of mobile devices. My proposed research program for the next five years comprises investigation in systems design as well as human and social aspects of privacy and security. Together with the graduate students from my research group as well as my industry and academic collaborators, I will explore and evaluate alternative designs that support secure and usable device sharing, optimize usability and security in the context of apps and services of varying degrees of sensitivity, and address the threat of social insider.

智能手机和其他移动的设备的物理安全设计可以追溯到12年前推出的第一批智能手机，当时它们的目的只是具有呼叫功能和更可用的用户界面的音乐播放器。当时，只要一个PIN（现在更普遍地称为“密码”）就足以播放音乐和打电话。如今，智能手机和其他移动的设备的用途远不止这些。 越来越多的经验证据表明，移动的设备的物理安全和隐私已经不够好了。智能手机应用程序的敏感度有很大的不同，但解锁设备仍然是必要的，足以启动大多数应用程序。解锁的这种全有或全无的角色导致用于访问低敏感度应用的不必要的高开销（例如，公共信息检索应用程序，如天气，维基百科，IMDB），以及高敏感性应用程序的安全性不足（例如，金融，约会，医疗，消息）另一方面。智能手机和其他移动的设备通常与其他人共享，但访问控制机制仅支持单用户模型，其中无论谁解锁手机都可以访问其应用程序，数据和服务。社会内部人士对移动终端的窥探已被确立为一种真实的威胁，不容忽视。然而，密码（社交圈内人士很容易使用）仍然是主要的身份验证机制，了解密码不仅可以解锁设备，还可以更改设备上的任何设置。现在是重新考虑移动的设备，特别是智能手机的物理安全的黄金时间。 我建议探索设计空间，以提高移动的设备的物理安全和隐私。我提出的未来五年的研究计划包括系统设计以及隐私和安全的人类和社会方面的调查。我将与我的研究小组的研究生以及我的行业和学术合作者一起，探索和评估支持安全和可用设备共享的替代设计，在不同敏感度的应用程序和服务的背景下优化可用性和安全性，并解决社交内幕的威胁。