This project addresses how to improve existing and upcoming mobile security technologies (USIM, ISIM, GBA, ) in order to enhance mobile user security experience, and also to increase trust in mobile social network providers aiming to become identity providers.
Yucheng Wu, Master's thesis worker, explains how it works:
Social networks are well established on the Internet and are moving into the mobile space by incorporating mobile features such as geo-location, short messaging and multimedia messaging, among others.
Trends indicate that mobile social networks would rapidly adopt new wireless features such as upcoming direct-mode and proximity services that assume some sort of close physical presence and human interaction. However, social network users have been affected by serious security and privacy deficiencies. Such incidents shouldn't happen in mobile social networks, since mobile networks and handsets are known to be trusted by users and should remain so.
The Social Wireless Network Secure Identification project
This project addresses how to improve existing and upcoming mobile security technologies (USIM, ISIM, GBA, ) in order to enhance mobile user security experience, and also to increase trust in mobile social network providers aiming to become identity providers. Furthermore, as existing technologies may not be efficient in new mobile social scenarios, this project will research new human-scale security protocols that take into consideration the human factor in novel direct-communication services. The results from this project would be beneficial to mobile industry network infrastructure manufacturers, through new functionality supporting mobile social networks, and also to handset manufacturers, who can add value to the social middleware stack in their devices.
Currently the SWiN project focuses on the following three aspects:
A basic requirement for any secure service is that the users (or their pseudonyms) are authenticated. On the other hand, for the sake of usability, one should limit the number of credentials the user needs to handle. Mobile devices have a strong means of authentication in the EAP-AKA protocol. However, only a limited number of actors (namely the operators) can use this authentication. Therefore an alternative has to be found in order to generate and share key material between the mobile phone and operator-independent service providers. We are currently investigating the use of the Generic Authentication Architecture (GAA) standard for providing means of authentication to mobile phones and service providers.
Android seems to be on its way to becoming the dominant mobile operating system. Android security, however, is based on a simplistic access control model, which is unsatisfactory in several regards when dealing with complex real-world problems. The base security model has been extended with various exceptions (probably to deal with emerging requirements). These exceptions are not well integrated with the basic design. For example, some relevant security configuration is spread into the application code, making it difficult to get a consistent picture of the security policies on an Android device. This work aims to examine how the Android security framework could be improved. Currently we are investigating access control mechanisms for third-party applications to device-manufacturer APIs.
Privacy in mobile social networks
Acceptance of novel mobile social networks is currently endangered by threats to the personal information of users. While introducing novel identification and key exchange schemes that combine existing mobile communications with the wireless connectivity functionality of mobile devices (Bluetooth, WiFi), we plan to define a framework of security and privacy functions for mobile social networking. The main focus of the work is on security in closed groups and the procedures of secure registration, identification and invitation of users in mobile social networks. Users should also be able to perform such procedures with direct communication (e.g. NFC, Bluetooth) when the network is not available. The expected result should be a design that provides secure and effective identity management, while protecting user privacy in mobile social networks.