Researchers Aim To Stop Android Data Leaks
Security capabilities shouldn't need to be bolted onto the mobile operating system, but unfortunately we're headed down the same painful path with smartphones and tablets that we took with desktops and notebooks.
Researchers at North Carolina State University have developed software that aims to protect Android smartphone users' data from being stolen. My question: Is this really necessary?
The answer is probably "yes." But should it be?
Dr. Xuxian Jiang, an assistant professor of computer science at N.C. State and co-author of a paper describing the research, said in a statement, "There are a lot of concerns about potential leaks of personal information from smartphones."
And to help Android users regain some control over their information, the team developed software they say will give users flexible control over which personal information is made available to which applications. They've named the software Taming Information-Stealing Smartphone Applications, or TISSA.
In their statement, the team said TISSA works by creating a privacy setting manager that enables users to customize the level of information each smartphone application can access. Those settings can be adjusted any time that the relevant applications are being run–instead of just at their installation.
TISSA, currently in prototype, includes four possible privacy settings for each application: Trusted, Anonymized, Bogus, and Empty, according to their statement. "If an application is listed as Trusted, TISSA does not impose additional information access restrictions. If the user selects Anonymized, TISSA provides the application with generalized information that allows the application to run, without providing access to detailed personal information. The Bogus setting provides an application with fake results when it requests personal information. The Empty setting responds to information requests by saying the relevant information does not exist or is unavailable," they said.
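A minimal model of the four settings described above, added here as an illustration; it is not TISSA's code. The data types, sample values, coarsening choices, and the deny-by-default fallback for apps with no setting are all assumptions of this example.

```python
import hashlib
from enum import Enum

class Mode(Enum):
    TRUSTED = 1
    ANONYMIZED = 2
    BOGUS = 3
    EMPTY = 4

# Constructed sample data standing in for the device's real providers.
REAL_DATA = {"location": (35.78469, -78.68210),
             "device_id": "000000000000000",
             "contacts": ["Alice Example <+1-555-0100>"]}
BOGUS_DATA = {"location": (0.0, 0.0),
              "device_id": "111111111111111",
              "contacts": ["Test Contact <+1-555-0199>"]}
EMPTY_DATA = {"location": None, "device_id": None, "contacts": []}

class PrivacyManager:
    """Hypothetical mediator sitting between apps and personal data."""
    def __init__(self, default=Mode.EMPTY):   # assumption: deny by default
        self.default = default
        self.settings = {}                     # (app, kind) -> Mode
        self.audit = []                        # every request is recorded

    def set_mode(self, app, kind, mode):
        # Can be called at any time, not only when the app is installed.
        self.settings[(app, kind)] = mode

    def _anonymize(self, app, kind, value):
        if kind == "location":                 # coarsen to ~0.1 degree
            return tuple(round(c, 1) for c in value)
        if kind == "device_id":                # per-app pseudonym, not linkable across apps
            return hashlib.sha256(f"{app}:{value}".encode()).hexdigest()[:15]
        return EMPTY_DATA[kind]                # no safe generalization: fall back to empty

    def query(self, app, kind):
        mode = self.settings.get((app, kind), self.default)
        self.audit.append((app, kind, mode.name))
        if mode is Mode.TRUSTED:
            return REAL_DATA[kind]
        if mode is Mode.ANONYMIZED:
            return self._anonymize(app, kind, REAL_DATA[kind])
        if mode is Mode.BOGUS:
            return BOGUS_DATA[kind]
        return EMPTY_DATA[kind]
```

The audit list gives a defender a record of which app asked for which data type and under which setting the request was answered.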
Now, why wouldn't this be a good idea? Why wouldn't people want their Personally Identifiable Information firewalled? They would. That's not the problem. The problem is that these sorts of capabilities shouldn't have to be bolted onto the mobile operating system. They should be built into the feature set of the phone.
But it won't be that way. We have anti-virus for mobile, firewalls, and now this type of information protection. We are going down the same painful path with smartphones and tablets that we took with desktops and notebooks–and we haven't learned a thing.
The paper, "Taming Information-Stealing Smartphone Applications (on Android)," was co-authored by Jiang; Yajin Zhou, a Ph.D. student at NC State; Dr. Vincent Freeh, an associate professor of computer science at NC State; and Dr. Xinwen Zhang of Huawei America Research Center. The paper will be presented in June at the 4th International Conference on Trust and Trustworthy Computing, in Pittsburgh, Pa.