The recent controversy surrounding the Strava fitness app has illustrated a critical security problem. Ultimately the use of a fitness app that transmits location data in a sensitive location points to a user problem. However, it’s not easy to make sure every single person is aware of and understands the security implications of the apps they use. In cases where it’s critical that security policy be implemented wholesale throughout an organization, it’s critical the mobile (and any other computing) platform be able to implement and enforce these policies. This post takes a look at a research project that GrammaTech is working on in this area to increase the security of mobile OS platforms.
- What's New in CodeSonar 4.5?
- Medical Device Security Needs a Lifecycle Approach
- Finding Bugs is Only the Beginning
GrammaTech is well known for its static analysis tools which help software practitioners develop and deploy more secure software. Besides that, the company also has a large cyber security research division that works to improve the state-of-the art in cyber security. One of the topics that the research division works on is around making software more secure by hardening and monitoring existing applications. This blog posts highlights one particular research topic: GRASP, which aims to provide a policy-enabling framework.
What have we learned from Strava?
The conditions that lead to the Strava app exposing sensitive location data have existed for some time. Since the popularity of mobile devices and their apps exploded in the last decade, these devices have been exposing user’s personal data knowingly or unknowingly. The inclusion of GPS into these devices has made accurate location data part of the problem. Much of the time users are willingly giving up this data as with the Strava app to track their physical activity (Strava is not the only app doing this). Use of such apps is so common it was inevitable that military personnel would be using them as well and likely not aware of the security and privacy implications. This leads to one of the most important areas of security – the users themselves. Regardless of the technology used to secure applications and data, the human element remains a weak point.
Training in security awareness and policies goes a long way to preventing security breaches, but it’s difficult to ensure everyone is trained and more so to account for every possible situation. In the case of mobile apps such as Strava, a typical user won’t “connect the dots” on how the use of the app could be used for nefarious purposes. In addition, even if security experts know the risks and warn against them, unless there is complete compliance, a single user’s location data may be enough. In the latest controversy surrounding the Strava app, one user jogging around the perimeter of military base is enough to highlight its existence. More so when the base exists in an area of the world devoid of such technology.
There are some technology solutions that can help with these situations, including ensuring that security policies are implemented and enforced regardless of user compliance. The OS and application platforms can make sure, for example, that location data cannot be transmitted from the device. Even if the user opts-in to social media or tracking applications, the platform itself can ensure no location data is shared. However, the specific policy that you are trying to enforce may not be built-into the platform or the application is a third-party application over which you have no control. This is exactly the area in which GrammaTech performs research: automatically securing a runtime platform and taking control of security policy for existing applications. This is something that is of importance not just in mobile environments, but is of interest in IoT and IT as well.
GRASP - Policy Enforcement Framework
Corporations, government organizations, and even app store administrators need a way to control security policies for the applications they host/support. Using a combination of static analysis, rewriting applications, and injected run time instrumentation to detect security vulnerabilities and policy violations, GRASP is a platform that enforces security policies at runtime.
How would this kind of run time policy enforcement help with something like the controversy associated with an app like Strava? A security policy preventing the sharing or use of location data can be enforced at the corporate, app store level, or even app level, en masse and regardless of individual settings. For general public use it might be overbearing, but for security-sensitive organizations and businesses it’s a realistic approach.
GRASP leverages GrammaTech's experience with binary static analysis and its cyber hardening capability to initially target mobile platforms. The aim is to eventually productize this capability as a generalized tool that can inject new security policy enforcement mechanisms into arbitrary mobile, IoT, IT or other application code. GRASP is but one of the projects that GrammaTech is working on to develop new cyber security capabilities and give administrators the ability to keep their infrastructure secure.
The capabilities of today’s advanced platforms are ever growing and new security vulnerabilities are found at a regular basis. Sometimes (as in the case of Strava) these are user-induced, other times, as in the case of the recent Spectre and Meltdown vulnerabilities, they are closer to the hardware. In both cases, new approaches to cyber security are required and GrammaTech Research continues to break new ground.