Researchers find way to tighten control over mobile device data

For some time now, many security experts have argued that rather than focus efforts on locking down endpoints, the focus needs to be on keeping the data itself secure. Just last week, we covered a number of the findings from the Human Behavior and Security Culture workshop, held by the Tuck School of Business at Dartmouth. Those at the workshop discussed a Hotel California strategy to data protection — enabling data to be checked out, but to never leave a prescribed area.

It turns out that a team of researchers, underwritten by Virginia Tech Applied Research Corporation, believes they’ve found a way to do just that. They’ve modified Google’s Android operating system to add additional security features so that when devices leave a certain area, there is control on what applications can run, and sensitive data is wiped clean.

While many mobile phones and tablets make it possible for owners to lock device access and wipe data of lost phones, there are ways that determined adversaries may be able to bypass such controls. “This level of complexity and security, nobody else has,” said Jules White, assistant professor of electrical and computer engineering at Virginia Tech in a statement. “There are commercial products that do limited versions of these things, but nothing that allows for automating wiping and complete control of settings and apps on smart phones and tablets.”

Get your morning news fix with the daily Salted Hash e-newsletter! Sign up today.

The software can also help to establishe rules for where and what applications can be launched.

This type of control over data and applications could have many use cases. For instance, R&D teams could work on initiatives within their labs, but should the tablet leave the lab, the data could be wiped and design applications blacklisted from being able to launch. The same level of control could be true for many other types of data that’s proven troublesome when placed on mobile devices such as patient and medical data, financial data, and databases used by application designers and development teams.

Researchers provided many other examples of the technology, stating that a general could be enabled to access secret intelligence while visiting a secure government facility without fear that their smart phone or tablet computer might later be lost or stolen. “This system provides something that has never been available before. It puts physical boundaries around information in cyberspace,” White said.

Another example cited how medical workers could review patient information during a visit, but they couldn’t walk out of the examination room with the patient’s records.

The software also controls a mobile device’s features such as by preventing a smart phone’s camera or email from working. “For instance, you could keep certain apps from working in the operating room so surgeons wouldn’t get distracted, or you could prevent nurses from taking patient photos and putting them on the Internet,” White said.

CSO’s Daily Dashboard gives you a one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

The research team demonstrated the software for an inside-the-beltway group, Virginia Tech Intelligence and Defense Executive Alumni. The group consists of Virginia Tech alums who are interested in research that could benefit intelligence and military agencies.

George V. Hulme writes about security and technology from his home in Minneapolis. If he could actually figure out how to use his smart phone, he may then be able to put data on it worth protecting. You can also find him tweeting about security and business topics on Twitter @georgevhulme.