Analysis of Data-At-Rest Security In Smartphones

With almost two billion users worldwide, smartphones are used for almost everything – booking a hotel, ordering a cup of coffee, or paying in a shop. However, small size and high mobility makes these devices prone to theft and loss. In this work we aim to broaden our understanding of how smartphone users and application developers protect sensitive data on smartphones. To understand how well users are protecting their data in smartphones, we conducted several studies. The results revealed that 50% of the subjects locked their smartphone with an unlocking secret and 95% of them chose unlocking secrets that could be guessed within minutes. To understand how well application developers protect sensitive data in smartphones, we analyzed 132K Android applications. We focused on identifying misuse of cryptography in applications and libraries. The study results revealed that developers often misuse cryptographic API. In fact, 9 out of 10 Android applications contained code that used a symmetric cipher with a static encryption key. Further, source attribution revealed that libraries are the main consumer of cryptography and the major contributor of misuse cases. Finally, an in-depth analysis of the top libraries highlighted the need for improvement in the way we define and detect misuse of cryptography. Based on these results we designed and evaluated a system for encryption keys management that uses wearable devices as an additional source of entropy. Evaluation results showed that the proposal introduces insignificant overhead in power consumption and latency.