
Smartphone Security via Accelerometer Data
LaToya Green
Mentor: Adrian Perrig
Carnegie Mellon University

Android Security

The Android platform is an open platform for mobile devices consisting of an operating system, applications and middleware [1]. Android gives users the opportunity to build and publish their own applications by providing an open development environment. Android treats all applications (native and third-party) as equals [3]. (Professional Android 2 Application Development) Such an open development environment therefore requires security measures to protect the integrity of the Android platform.

The Android Platform takes advantage of several mechanisms designed to protect the privacy and security of Android users, as well as the operating system. These methods include the Android security architecture, application certificates, and application permissions. The purpose of the Android security architecture is to prevent applications from being able to automatically perform operations that could jeopardize the security of other applications, the operating system or the user. Certificates are used to identify the author of a specific application and to prevent users from installing fraudulent software on their devices. Android will not install an application that has not been signed with a certificate. Therefore, the origin of all published applications is traceable.

Security Permissions

Android security permissions are handled by the AndroidManifest.xml file present within all application files. When a user downloads an application onto their device, they are automatically notified of the permissions the application has access to. This informs the user of what type of information an application is able to collect from the device as well as the hardware the application can use.

The AndroidManifest.xml file takes care of both software and hardware permissions. While Android does require permissions for the use of hardware devices such as the camera and vibrator, it does not require permissions for the use of any available sensors, including the accelerometer, orientation, and gyroscope sensors [4]. These sensors, along with other tools such as the internet and GPS, can nevertheless pose a security threat to the user, and it is possible for an application to collect user information from these sensors without the user’s knowledge.
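The following manifest audit is an added example, not code from the poster, and illustrates the gap described above: the permission list shows whether an application can reach the network, but says nothing reliable about sensor use. The sample manifest, the package name com.example.motionlogger and the helper names are constructed, and the input is assumed to be a manifest already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical app; not the poster's Fig. 1.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.motionlogger">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <application android:label="MotionLogger">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""

def names(root, tag):
    """Sorted android:name values of every <tag> element in the manifest."""
    return sorted(e.get(ANDROID + "name", "") for e in root.iter(tag))

def audit_manifest(xml_text):
    """Summarise what the manifest does and does not reveal about sensor use."""
    root = ET.fromstring(xml_text.strip())
    perms = names(root, "uses-permission")
    # <uses-feature> is an optional declaration, not a permission gate.
    sensors = [f for f in names(root, "uses-feature")
               if f.startswith("android.hardware.sensor.")]
    findings = []
    if "android.permission.INTERNET" in perms:
        findings.append("INTERNET requested: collected data can leave the device")
    if not sensors:
        findings.append("no sensor declared: sensor reads need no manifest entry, "
                        "so absence does not rule out accelerometer use")
    return {"package": root.get("package"), "permissions": perms,
            "declared_sensors": sensors, "findings": findings}

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], report["permissions"])
    for finding in report["findings"]:
        print("-", finding)
```
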

Accelerometer Application Server Connection

The accelerometer in Android phones measures the acceleration of the device on the lateral (x), longitudinal (y), and vertical (z) axes. Accelerometers can be used to detect movement and the rate of change of the speed of movement. As stated above, the use of accelerometers in Android applications does not require the application to have permission to use it. Therefore, it is possible for an application to collect a user’s accelerometer data without the user’s knowledge. With accelerometer data and the use of a server to collect the information, it is a fairly simple task for someone to gain a user’s personal information, their location, or to figure out what a user is doing or typing.

The Eclipse development environment along with Android Development Tools was used to implement an accelerometer application for the Motorola Droid and the Android Platform. The purpose of the application is to record the user’s accelerometer data during a certain activity. When the user presses the “Start” button, the application retrieves data from the accelerometer, writes it to a .csv file (chosen by the user), and sends the data to a server so that it can be analyzed to determine what the user is doing. The acceleration values are shown continuously on the screen as they are read from the accelerometer, along with the calculated Pythagorean Theorem value. When the “Stop” button is pressed, the data is no longer sent to the file and the application disconnects from the server.

Fig. 2 Accelerometer Application Screenshot

The acceleration data can be analyzed in several ways. Fig. 3 shows a graph of the calculated Pythagorean Theorem values of the accelerometer reading while traveling down and then up an elevator. Using this graph, it is very easy to determine when the elevator accelerates and decelerates downward or upward, when it maintains its speed, and when it comes to a complete stop.
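The following added example, which is not code from the poster, shows how little processing the elevator trace needs before it reveals movement, which is why unpermissioned sensor data should be treated as sensitive. It assumes the .csv holds one x,y,z row per reading in m/s^2 and that the "Pythagorean Theorem value" is sqrt(x^2 + y^2 + z^2); the sample readings, the threshold and the function names are constructed.

```python
import csv
import io
import math

def _rows(z, n):
    return [f"0.1,0.2,{z}"] * n

# Constructed readings in m/s^2 (x,y,z per row); not data from the poster.
SAMPLE_CSV = "\n".join(
    _rows(9.8, 5) + _rows(8.9, 4) + _rows(9.8, 6) + _rows(10.7, 4) + _rows(9.8, 5)
    + _rows(10.7, 4) + _rows(9.8, 6) + _rows(8.9, 4) + _rows(9.8, 5))

def magnitudes(csv_text):
    """sqrt(x^2 + y^2 + z^2) for each row (assumed column order x,y,z)."""
    return [math.sqrt(sum(float(v) ** 2 for v in row[:3]))
            for row in csv.reader(io.StringIO(csv_text)) if row]

def phases(mags, g=9.81, tol=0.4):
    """Run-length encode readings as lighter / steady / heavier than gravity."""
    out = []
    for i, m in enumerate(mags):
        label = "lighter" if m < g - tol else "heavier" if m > g + tol else "steady"
        if out and out[-1][0] == label:
            out[-1] = (label, out[-1][1], i)   # extend the current run
        else:
            out.append((label, i, i))          # start a new run
    return out

def infer_trips(phase_list):
    """Pair start/stop events: lighter then heavier is a descent, the reverse an ascent."""
    events = [p[0] for p in phase_list if p[0] != "steady"]
    trips = []
    for first, second in zip(events[0::2], events[1::2]):
        if (first, second) == ("lighter", "heavier"):
            trips.append("down")
        elif (first, second) == ("heavier", "lighter"):
            trips.append("up")
        else:
            trips.append("unknown")
    return trips

if __name__ == "__main__":
    found = phases(magnitudes(SAMPLE_CSV))
    for label, start, end in found:
        print(f"{label:8s} samples {start}-{end}")
    print(infer_trips(found))
```

Real readings are noisy, so a fixed threshold without smoothing, as used here, would need tuning on recorded data.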

Fig. 3 Accelerometer Reading Down and Up an Elevator (plot titled "Elevator"; x-axis: Number of Measurements)

The goal of the project was to figure out what type of information Alice could find out about Bob, when Bob’s accelerometer data is sent to a server via internet connection. In order to connect the Accelerometer application to the internet, the Server and ServerSocket classes located in the java.net package were utilized.

How it works:

1. The ServerSocket class is used to create and set up the server side of a socket to listen for a connection from a client.

2. The client (application) uses the Server class to request a connection to the host.

3. The server accepts the request from the client and information flows to and from the server.

4. Alice is able to analyze Bob’s accelerometer data in order to determine what Bob is doing (e.g. running, walking, typing), and possibly Bob’s location and the contents of what Bob is typing.

Fig. 4 Server/Client Socket Connection Diagram [2]

Acknowledgements

I would like to thank the Team Ubiquitous Secure Technology for supporting my research. I would also like to thank my faculty advisor, Adrian Perrig and the CyLab at Carnegie Mellon University.

References

[1] "Android FAQ - What Is Google Android?" Android News - Android Google Phone Forums. Web. 20 July 2010. android-faq/>.

[2] "Java Tech - Chapter 13 : Networking Basics." Java Tech. Web. 28 July 2010.

[3] Meier, Reto. Professional Android 2 Application Development. Indianapolis, IN: Wiley, 2009. Print.

[4] "Security and Permissions." Android Developers. Web. 20 July 2010.

Fig. 1 Example AndroidManifest.xml file