Mobile Device Security

Mobile devices have revolutionized the way we do work, enabling on-demand access to services and information anytime from anywhere. In the United States, there are an estimated 200 million smart mobile devices and two billion such devices worldwide. Within DHS, more than 38 percent of employees have government-issued mobile devices, totaling approximately 90,000 devices in use. To promote the safe and secure adoption of mobile technology in DHS and across the federal government, the DHS Science and Technology Directorate (S&T) created the Mobile Device Security (MDS) project.

Motivation

Mobile technology promotes lower costs, geographic flexibility and other advantages to government services such as public safety, health, education and finance. However, as government services grow more dependent on mobile technology, mobile devices become bigger targets for cybercriminals. As a result, the cyberthreats the government faces include physical tracking of government personnel, unauthorized access to sensitive information, and denial or degradation of government services. Government mobile users need assurances that the apps on their devices execute securely on a “safe” device. A verifiable, trusted execution environment is needed to detect when the mobile device’s system has been maliciously modified. Additionally, one-time validation schemes that rely on passwords and tokens are PC-centric security approaches that are insufficient for mobile device security. New approaches are needed to leverage the unique capabilities and functions of mobile devices.

Approach

Several DHS mobility working groups and federal interagency working groups gathered requirements for the MDS project. This interaction enabled a prioritization of mobile security capability gaps that are impeding mobile implementations both at the federal level and across the Homeland Security Enterprise. Several of the high-priority target areas addressed by the project include mobile device management, trust implementation for executables, and identity management and authentication. The project has established three overarching objectives to accelerate the adoption of secure mobile technologies by the government.

To address these gaps, the MDS project has established several R&D initiatives that encompass projects related to:

Mobile software roots-of-trust—Developing tamper-evident modules that continuously measure and verify a chain of cryptographically strong evidence to prove the trustworthiness of the device’s environment prior to executing software.

Continuous authentication—Developing capabilities to do continuous, multi-factor verification that leverages contextual attributes on a mobile device to make real-time security decisions within the device and when accessing remote systems; leveraging a device’s innate functionality (e.g., application sandboxing, camera, GPS, etc.) to sense and measure the environment, user interaction and app interaction to ascertain risk.

Virtual mobile infrastructure extensions—Developing mobile access control functionalities that leverage cloud-based technology to secure access to critical data without the need for resident data on the mobile device.

Performers

BlueRisc: Software-only Roots of Trust for Mobile Devices

Mobile roots-of-trust (MobileRoT) technology, which is based on software that measures and verifies a mobile device’s static and runtime state, was created to enable trust and overall device security.

HRL Laboratories, LLC: Continuous Behavior-Based Authentication for Mobile Devices

The Continuous Behavior-Based Authentication for Mobile Devices effort developed an anomaly-detection system for mobile devices based on HRL’s neuromorphic chip. It includes algorithms for continuous, behavior-based authentication for mobile devices.

Kryptowire LLC: Quo Vandis: A Framework for Mobile Device and User Authentication

The Quo Vandis effort created a framework for continuous device and user-behavioral authentication to prevent unauthorized access to mobile app functionality and sensitive enterprise data.

Rutgers University: Dynamic Data Protection via Virtual Micro Security Perimeters

For this effort, the primary output was a data-protection architecture for mobile operating systems using dynamic information flow tracking and cryptographic policy enforcement technologies to isolate data, instead of isolating the information processing environment.

University of North Carolina at Charlotte (UNCC): Theseus: A Mobile Security Management Tool for Mitigating Attacks in Mobile Networks

The Theseus effort developed a mobile device security management tool that monitors user activities, detects threats and provides situational awareness tailored to emerging first responder mobile networks.

Intelligent Automation, Inc.: TrustMS: Trusted Monitor and Protection for Mobile Systems

The TrustMS effort consists of two processor-level components: an offline instrumentation engine and a runtime multi-core security monitor. The instrumentation engine inserts security check code into target vulnerable programs and optimizes the instrumented code through static analysis. The runtime security monitor dedicates a central processing unit (CPU) core to monitor instrumented programs executed by other CPU cores to reduce processing overhead.

Hypori Federal: Process Level Security for Mobile System Assurance

The Process Level Security for Mobile System Assurance effort has developed and is currently piloting secure mobile infrastructure in virtualized environments.

Resources

DHS Study on Mobile Device Security

Mobile Device Security Fact Sheet

Mobile Security R&D Program Guide, Volume 2

Visit the cybersecurity projects, news and resources pages for cyber-specific articles and other written products, or connect with us at the next S&T cybersecurity event.

Archive

Press Releases and Media Advisories

S&T Announces Transition of New Phishing Protection for Mobile Devices, July 5, 2018

DHS S&T Announces Four SBIR Awards to Secure Mobile Device Firmware, May 30, 2018

S&T Announces Release of Mobile Security R&D Program Guide Vol. 2, April 13, 2018

DHS Seeks Input to Study Safeguards to Mobile Devices; Industry Day Events to Follow, July 18, 2016

DHS S&T Awards SBIR Contract to Mclean Small Business for Mobile Security Research and Development, July 12, 2016

S&T Awards $10.4M in Mobile Security Research Contracts, September 3, 2015

S&T Awards $1.3M to Yorktown Heights NY Company, September 1, 2015

S&T Awards $759K to UNC Charlotte, August 24, 2015

S&T Awards $576K to Rutgers University, August 19, 2015

S&T Awards $1.7M to Fairfax VA Company, August 19, 2015

S&T Awards Hartford Conn Company $790K for Research, August 12, 2015

S&T Awards $2.2M to Malibu Calif Company, August 12, 2015

DHS S&T Awards $1.2M to Rockville Company, August 6, 2015

Snapshot Articles

DHS S&T, DARPA Co-Leading Development of Higher-Level Mobile Device Authentication Methods, July 20, 2016

Videos

2016 R&D Technical Workshop: Mobile Device Security Introduction

2016 R&D Showcase: MobileRoT: Establishing Trust in Mobile Devices

2016 R&D Technical Workshop: Critical Applications for Mobile Roots-of-Trust

2016 R&D Technical Workshop: Multi-modal Mobile Security Management Tool

2016 R&D Technical Workshop: iSentinel: Continuous Behavior-Based Authentication for Mobile Devices

2016 R&D Technical Workshop: Continuous Authentication on Mobile Devices

2016 R&D Technical Workshop: Theseus: A Tool for Mitigating Attacks in Mobile Networks

2016 R&D Technical Workshop: Physical Unclonable Functions for Mobile Device Roots of Trust

2016 R&D Technical Workshop: CASTRA: User Authentication for Mobile Devices

2016 R&D Technical Workshop: Remote Access for Mobility via Virtual Micro Security Perimeters

2014 R&D Technical Workshop: Software-based Dynamic Mobile Trusted Module (SW-dMTM)

2014 R&D Technical Workshop: Practical Roots of Trust for Mobile Devices

2014 R&D Technical Workshop: Physical Unclonable Functions for Mobile Device Roots of Trust

Publications

K. Carver, V. Sritapan and C. Corbett, "Establishing and Maintaining Trust in a Mobile Device," in IT Professional, vol. 17, no. 6, pp. 66-68, Nov.-Dec. 2015.

Z. Ali, J. Payton and V. Sritapan, "At Your Fingertips: Considering Finger Distinctness in Continuous Touch-Based Authentication for Mobile Devices," 2016 IEEE Security and Privacy Workshops (SPW), San Jose, CA, USA, 2016, pp. 272-275.

G. Salles-Loustau, V. Sadhu, D. Pompili, S. Zonouz, V. Sritapan, "Secure Mobile Technologies for Proactive Critical Infrastructure Situational Awareness," Proceedings of IEEE International Symposium on Technologies for Homeland Security (HST), Waltham, MA, 2016.

M. Phillips, N. Stepp, J. Cruz-Albrecht, V. De Sapio, T. Lu, V. Sritapan, "Neuromorphic and Early Warning Behavior-Based Authentication for Mobile Devices," Poster session presented at IEEE International Symposium on Technologies for Homeland Security (HST), Waltham, MA, 2016.

R. Johnson, A. Stavrou, V. Sritapan, "Empowering Android MDMs Using Non-Traditional Means," Poster session presented at IEEE International Symposium on Technologies for Homeland Security (HST), Waltham, MA, 2016.

Contact

Program Manager: Vincent Sritapan

Email: SandT-Cyber-Liaison@hq.dhs.gov
