
Smartphones are becoming increasingly widespread in both private and business environments. According to the BITKOM association, one in three Germans already owns a smartphone, and the trend is growing rapidly. A key success factor of smartphones is the ability to conveniently purchase, download, and install application programs (apps) from providers' "app stores" on the Internet. The opportunities presented by this development, however, come with considerable risks, above all from the growing number of mobile applications of often unknown origin. This increases the risk that malware spreads disguised as a useful application, for example. In addition, attackers can use vulnerabilities in apps as entry points to gain access to company data. The joint project ZertApps (Certified Security for Mobile Applications; Zertifizierte Sicherheit für mobile Anwendungen) addresses this problem specifically.
App analytics and certification for more security
ZertApps supports a thorough analysis and subsequent security certification of apps before they are released for public use. App providers such as Google follow a similar approach. However, whether app security actually improves depends on the quality of the analysis methods used and on the secure creation and management of certificates so that they cannot be forged. Because the existing mechanisms can still be circumvented easily by malware authors, there remains a great need for research and development in this area, which the ZertApps consortium takes up.
Extensions of existing analysis methods
The specific solution approaches of ZertApps go beyond the state of the art in three respects: an application-specific, optimized combination of static and dynamic analyses; the integration of the security models of platform-specific environments (primarily Android is considered here) and of platform-independent HTML5 and Java environments; and the consideration of security vulnerabilities that arise only from the interaction of several apps.
Funded by: Bundesministerium für Bildung und Forschung (BMBF)
Partners: OTARIS, datenschutz cert, SAP, Fraunhofer SIT, TZI/University of Bremen, SECUSO (Karlsruhe Institute of Technology)
Funding period: 1.1.2014 – 31.12.2015