Virginia Tech researchers for the past month and a half have been working to customize Google’s Android software to lock down smartphones so that sensitive data isn’t exposed once a user leaves approved locations. They’re hopeful the technology – part of a project dubbed GhostBox – will be production-ready by year-end.
The software would be loaded on a smartphone or tablet computer and policies for hundreds or hundreds of thousands of devices could then be controlled remotely via a server.
One application might be to give medical personnel access to patient data from a smartphone within certain hospital rooms but cut off access outside such rooms, protecting the data in the event the device is lost or compromised by malware, or if the phone user attempts to misuse the data. Other applications could include safeguarding military data or putting parental controls on kids, according to project lead Jules White, assistant professor in the Department of Electrical and Computer Engineering.
Hamilton Turner, a Ph.D. student working on the project within the school’s MAGNUM group, answered a few of my questions to clarify how the technology works.
How does the software actually work?
The software is a custom version of Android, so it would be loaded onto the smartphone that you want to lock down, such as a Nexus S. Once the software is on the Android device, multiple security features can be enabled and disabled from a remote location. For example, we can force specific phones to require 2-factor authentication, where a user needs both an ID badge and a password to unlock the device. In a military domain, these badges would obviously be unique and personal security badges. Additionally, we are working with multiple technologies on the phone to determine where the phone is physically. The GPS is used occasionally, but we are focusing on more fine-grained localization methods such as Bluetooth proximity, near-field communication [NFC], or using light/sound as a data transfer medium. As the user enters or leaves a "secure" location, there are thousands of policies that we can enforce that change vanilla Android behavior - we can selectively enable/disable the camera, the GPS, the settings on the phone, installing or uninstalling applications, using various applications, allowing copy/paste in some applications and not in others, etc. Technologically, we do this by applying interceptors to key services. If a user attempts to do something restricted, the phone simply ignores that attempt, alters it or reports it. More secure versions could naturally react to an attempt to do something insecure more strictly, such as logging the attempt or locking the phone.
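The interceptor approach described in the answer above, modeled as an added sketch (not GhostBox code or anything published by the Virginia Tech project). The zone names, action names, policy table and the 30-second freshness window are all assumptions made for illustration; the point it shows is that a location-gated policy should fail closed when the proximity evidence goes stale.

```python
from dataclasses import dataclass, field

# Hypothetical policy table: zone -> intercepted action -> decision.
# Decisions follow the behaviours named in the interview: the attempt is
# allowed, ignored, altered, or answered by locking the phone.
POLICIES = {
    "ward-3":  {"camera.open": "ignore", "clipboard.copy": "allow", "records.read": "allow"},
    "outside": {"camera.open": "allow",  "clipboard.copy": "alter", "records.read": "lock"},
}
DEFAULT_DECISION = "ignore"   # unlisted action: fail closed
MAX_FIX_AGE = 30.0            # assumed: seconds a proximity reading stays trusted

@dataclass
class Device:
    zone: str = "outside"
    fix_time: float = 0.0
    locked: bool = False
    audit: list = field(default_factory=list)   # every attempt is reported here

    def update_zone(self, zone, now):
        """Record a fresh Bluetooth/NFC proximity reading."""
        self.zone, self.fix_time = zone, now

    def current_zone(self, now):
        # Stale evidence is treated as having left the secure location.
        if now - self.fix_time > MAX_FIX_AGE:
            return "outside"
        return self.zone

def intercept(device, action, payload, service, now):
    """Sit in front of a service call and apply the current zone's policy."""
    zone = device.current_zone(now)
    if device.locked:
        decision = "ignore"
    else:
        zone_policy = POLICIES.get(zone, POLICIES["outside"])
        decision = zone_policy.get(action, DEFAULT_DECISION)
    device.audit.append((now, zone, action, decision))
    if decision == "allow":
        return service(payload)
    if decision == "alter":
        return service("[redacted]")   # pass on a sanitized request instead
    if decision == "lock":
        device.locked = True
    return None                        # ignored or locked: the call never happens
```
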