Imperial College London

Getting smart on smartphone cyber security



Imperial College cyber expert Dr Soteris Demetriou talks security threats to smartphones, and explains how we can help protect ourselves.

By 2020 it is estimated there will be 6 billion smartphones in circulation, helping us manage social, business and very private interactions. But how often do people think about security and privacy?

Smartphone security expert Dr Soteris Demetriou recently joined Imperial College’s Department of Computing, having previously completed a PhD at the University of Illinois, and having worked with major companies such as Hewlett-Packard Labs and Samsung Research America.

Max Swinscow-Hall caught up with Soteris to find out about smartphone security and what we should all be doing to protect our phones and private data.

What is your main research interest?

My research lies at the intersection of mobile computing and security and privacy. In particular I have been focusing on smartphone security, and more recently on Internet of Things security.

Smartphone technology has been advancing in leaps and bounds, but often at the expense of security and privacy.

My work uncovers the attacks possible from third-party mobile apps, and counters them by designing, implementing and evaluating tools for detecting privacy leakage, and system mechanisms to buttress smartphone security.

What sorts of threats have you uncovered?

It is well known that advertising networks want user profiles so they can sell personalized advertisements, and we uncovered one way in which they might get this from your phone without you realising. 

App developers typically build in an advertising library from a network at compilation time, which means that the advertising code runs within the same process and privilege boundaries as the host application. We showed that advertising networks can leverage those inherent privileges to accurately profile the device’s user, without their knowledge or consent.

For example, just by looking at which other apps are installed on the phone, they can infer the user’s age, gender, location, interest in workout activities, possible medical conditions the user is suffering from, even whether the smartphone user is expecting a baby.


My work also focuses on analysing malicious third-party applications, which can be found on major app stores, and are largely unregulated.

We demonstrated how an app with zero permissions or privileges on an Android phone can use side channels to infer a user’s medical condition, their identity, even their driving route.

Side channels are paths to information that are seemingly harmless, but that can be combined in creative ways to perform a malicious task. For example, just by looking at the length of the network packets -- a type of data -- sent and received from the Twitter app, we showed how a malicious app can uncover the identity of the device owner. You can see this in action in the below video.

Identifying Twitter user id through side-channel attack

Who might want to do this and why?

Twitter was a pivotal communications tool during the 2011 Libyan Revolution. You can imagine how the side-channel attack above might be used to crack down on dissidents. 

Getting access to a particular individual’s phone is probably more interesting if they are high profile, like a politician or celebrity, where stolen data could be used as a tool for blackmail or extortion. In fact, ransomware is one of the biggest threats in the smartphone world.  

Employees of a company might also be targeted by competitor businesses trying to get access to intellectual property secrets. 

Groups might be targeted to sell user data to third parties such as advertising firms. Data might also be interesting for insurance firms or banks that could use it to set risk scores.

What should people do to keep their smartphones secure and data private?

If you are concerned about the data advertisers collect, then you can actually reset your Advertising ID on your Android or iOS smartphone. This ID is what advertisers use to create a profile about the user. Resetting it means that any new data collected cannot be linked to the previously collected data.

In terms of security, there are a number of good practices that contribute to what we call ‘cyber security hygiene’, most of which are common sense and done by people without thinking about it. Here are my top 10 tips:

  1. Always use a password or biometric authentication for unlocking your phone.
  2. Only install apps from a trusted developer on an official market.
  3. Think before granting an app permissions. Does a flashlight really need to know your device’s location?
  4. Consider revoking critical permissions when apps are not using them.
  5. Disable Bluetooth and location services when not needed.
  6. Never use a ‘jailbroken’ or ‘rooted’ phone - this essentially disables security against third-party apps accessing privileged operations.
  7. Use two-factor authentication when available.
  8. Get an antivirus app.
  9. Don’t perform financial, medical or business tasks using the smartphone when connected to a public network. If you have to, then get a VPN.
  10. Always apply software upgrades as soon as possible - these often carry security updates.

These are general guidelines that can help keep our phones and private data secure. It might seem like a long list, but I think it is a matter of mentality which should be engraved in the new generation, since mobile devices are the way we handle all our data. We should have coordinated efforts to raise cybersecurity hygiene awareness, both nationally and internationally.

What will you be working on at Imperial College?

At Imperial College I will continue my work on smartphone and IoT security to solve pressing real-world security issues on emerging application domains. I plan to build tools, protocols, systems and frameworks to enable a trustworthy Internet of Things.


Max Swinscow-Hall

Institute for Security Science & Technology

