Novel Physical Protection of Personal Mobile Assets

个人移动资产的新颖物理保护

• 批准号: RGPIN-2020-06647
• 负责人: Beznosov, Konstantin
• 金额: $ 2.99万
• 依托单位: University of British Columbia
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2022
• 资助国家: 加拿大
• 起止时间: 2022-01-01 至 2023-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=752038
• 关键词: Novel; Physical; Protection; Personal; Mobile

The design of physical security for smartphones and other mobile devices dates back to the first smartphones introduced more than 12 years ago, when they were intended to be little more than music players with calling capabilities and a more usable user interface. At that time, just a PIN (now known more generally as "passcode") was good enough to play music and make phone calls. Smartphones and other mobile devices are used these days for much more than that. A growing body of empirical evidence suggests that the physical security and privacy of mobile devices is not good enough any more. Smartphone apps have widely varying levels of sensitivity, yet unlocking the device is still necessary and sufficient for launching most of the apps. This all-or-nothing role of unlocking results in unnecessarily high overhead for accessing low-sensitivity apps (e.g., public information retrieval apps, such as weather, Wikipedia, IMDB) on the one hand, and insufficient security of high-sensitivity apps (e.g., financial, dating, medical, messaging) on the other hand. Smartphones and other mobile devices are commonly shared with others, yet the access control mechanisms support only single-user model, in which whoever unlocks the phone has access to its apps, data, and services. Snooping on mobile device by social insiders has been established as a real threat, which cannot be ignored. Yet, passcode (easily shoulder-surfed by social insiders) remains the primary authentication mechanism, knowledge of which is sufficient not only to unlock the device but also to change any settings on it. It's prime time to rethink physical security for mobile devices, particularly smartphones. I propose to explore the design space for improving physical security and privacy of mobile devices. My proposed research program for the next five years comprises investigation in systems design as well as human and social aspects of privacy and security. Together with the graduate students from my research group as well as my industry and academic collaborators, I will explore and evaluate alternative designs that support secure and usable device sharing, optimize usability and security in the context of apps and services of varying degrees of sensitivity, and address the threat of social insider.

智能手机和其他移动设备的物理安全设计可以追溯到12多年前推出的第一款智能手机，当时它们的初衷是充当音乐播放器，具有通话功能和更可用的用户界面。当时，只需一个PIN(现在更广为人知的密码)就足以播放音乐和打电话。如今，智能手机和其他移动设备的用途远远不止于此。越来越多的经验证据表明，移动设备的物理安全和隐私不再足够好。智能手机应用程序的敏感度差异很大，但解锁设备对于启动大多数应用程序来说仍然是必要的，也是足够的。这种要么全有要么全无的解锁角色一方面导致访问低敏感度应用程序(例如，公共信息检索应用程序，如天气、维基百科、IMDB)的不必要的高开销，另一方面导致高敏感度应用程序(例如，金融、约会、医疗、消息传递)的安全性不足。智能手机和其他移动设备通常与其他人共享，但访问控制机制只支持单用户模式，在这种模式下，无论谁解锁手机，都可以访问其应用程序、数据和服务。社交圈内人对移动设备的窥探已被确立为一种不容忽视的真正威胁。然而，密码(很容易被社交圈内人用肩膀冲浪)仍然是主要的身份验证机制，了解密码不仅足以解锁设备，还可以更改设备上的任何设置。现在是重新考虑移动设备，特别是智能手机的物理安全的最佳时机。我建议探索提高移动设备物理安全性和隐私的设计空间。我提出的未来五年的研究计划包括对系统设计以及隐私和安全的人类和社会方面的调查。我将与我的研究小组的研究生以及我的行业和学术合作者一起，探索和评估支持安全和可用的设备共享的替代设计，在不同程度敏感的应用程序和服务的背景下优化可用性和安全性，并应对社交内部人士的威胁。