Social Wireless Network Secure Identification

Social networks are well established on the Internet and are moving into the mobile space by incorporating mobile features such as geo-location, short messaging and multimedia messaging, among others.

Trends indicate that mobile social networks would rapidly adopt new wireless features such as upcoming direct-mode and proximity services that assume some sort of close physical presence and human interaction. However, social network users have been affected by serious security and privacy deficiencies. Such incidents shouldn't happen in mobile social networks, since users are known to trust mobile networks and handsets, and that trust should continue.

This project addresses how to improve existing and upcoming mobile security technologies (USIM, ISIM, GBA,…) in order to enhance the mobile user's security experience, and also to increase trust in mobile social network providers aiming to become identity providers. Furthermore, as existing technologies may not be efficient in new mobile social scenarios, this project will research new human-scale security protocols that take into consideration the human factor in novel direct-communication services. The results from this project would be beneficial to mobile industry network infrastructure manufacturers, with new functionality supporting mobile social networks, and also to handset manufacturers, who can add value to the “social middleware” stack in their devices.

Currently the SWiN project focuses on the following three aspects:

Authentication


    A basic requirement for any secure service is that the users (or
    their pseudonyms) are authenticated. On the other hand, for the sake
    of usability, one should limit the number of credentials the user
    needs to handle. Mobile devices have a strong means of authentication
    in the EAP-AKA protocol. However, only a limited number of
    actors (namely the operators) can use this authentication. Therefore
    an alternative has to be found in order to generate and share key
    material between the mobile phone and operator-independent service
    providers.
    
    We are currently investigating the use of the Generic Authentication
    Architecture (GAA) standard for providing means of authentication to
    mobile phones and service providers.

Android Security

    Android seems to be on its way to becoming the dominant mobile
    operating system. Android security, however, is based on a simplistic
    access control model, which is unsatisfactory in several regards when
    dealing with complex real-world problems.
    
    The base security model has been extended with various exceptions
    (probably to deal with emerging requirements). These exceptions are not
    well integrated with the basic design. For example, some relevant
    security configuration is spread into the application code, making it
    difficult to get a consistent picture of the security policies on an
    Android device.

    This work aims to examine how the Android security framework could be
    improved. Currently we are investigating access control mechanisms
    for third-party applications to device-manufacturer APIs.

Privacy in mobile social networks

    Acceptance of novel mobile social networks is currently endangered
    by threats to the personal information of users.

    While introducing novel identification and key exchange schemes that
    combine existing mobile communications with the wireless connectivity
    functionality of mobile devices (Bluetooth, WiFi), we plan to define a
    framework of security and privacy functions for mobile
    social networking.
    
    The main focus of the work is on security in closed groups and the
    procedures of secure registration, identification and invitation of
    users in mobile social networks. Users should also be able to perform
    such procedures with direct communication (e.g. NFC, Bluetooth), when
    the network is not available.


    The expected result should be a design that provides secure and effective
    identity management, while protecting user privacy in mobile social
    networks.