| Centre on Security, Mobile Applications and Cryptography

SMU-Ansteroid-DSO: Android App Analysis with AI-Enabled Usability (PI: Gao Debin)

Competitive Analysis and Target Customers

Our Unique Offering

Fine-grained at instruction level, covering all (including malicious activities)
AI-driven automatic interaction with subject app, automatic adjusting logging granularity
AI-driven interpreter of logging output and highlighting suspicious/interesting events

Our Targeted Customers

Corporates: Deep inspection of app made by outsourced development team before rolling out to customers
Test houses, anti-virus: performing “pen testing” on target apps
Government agencies: certifying apps developed for finance and CI
Academic: research

Bigger Picture of Commercialization Plan

Overview

In April 2024, the center was awarded a project entitled “Trusted Decentralized Identities”. The project is funded by the Digital Trust Centre (DTC), a Singapore national Centre at the Nanyang Technological University for coordinating research in trust technology.

A trusted digital identity is an essential component for securely and conveniently accessing services and authorizing transactions in cyberspace. With the rapid development of decentralized technologies and applications, such as distributed ledgers, Web3, and decentralized finance, there is an urging demand for decentralized digital identities (DID), also known as self-sovereign identities, which empower end users to create, own and govern their digital identities and assets in an autonomous, reliable, and privacy-preserving manner.

The overarching goal of this project is to develop and implement a trusted, versatile, reliable and user centric DID framework covering a complete DID lifecycle. Specifically, the project aims to investigate novel techniques for enabling key components and features that are either missing or inadequately addressed in the existing DID proposals.

Limitations of existing DID solutions

Lack a fully user-centric approach to allow autonomous creation of DIDs with verifiable credentials by leveraging the existing digital credentials and evidences
Need new solutions to reconcile and balance the privacy and accountability requirements in digital transactions involving self-created DIDs

Technical approach

A DID-bridging mechanism to port identity attributes from valid sources
Secure and scalable DID storage, version control, revocation, and wallet management by utilizing blockchain and cryptographic technologies
Conditional auditing and tracing of anonymous but critical/suspicious transactions by authorized parties

Translation opportunities

Work closely with collaborators (iSprint, ST Engineering) to meet users/market requirements
Seek translational funding to develop an operational prototype and conduct extensive user trials

Contact Us

smc@smu.edu.sg

General Contact

Singapore Management University
Administration Building, Level 9
81 Victoria Street
Singapore 188065

Overview

In December 2023, the center was awarded a project entitled “Development of Secured Components & Systems in Emerging Technologies through Hardware & Software Evaluation” (DeSCEmT). The project is funded by the Cyber Security Agency of Singapore (CSA) and National Research Foundation, Singapore (NRF).

In the past decade, mobile devices and Internet of Things (IoT) have become prevalent in our daily lives, both in business and social settings. The applications of such devices have also been growing exponentially due to the development of technologies that support artificial intelligence (AI) and cloud computing. The advances of cloud and mobile computing in the past decade have fundamentally reshaped the computing infrastructure used by individual, business, and government users into a distributed, heterogenous and collaborative system. Modern applications are hence often built as a fusion of data, software, and services from a mixture of stakeholders. Growing with this evolution are the deep-rooted security concerns over a broad spectrum of issues such as leakage of private data, infringement of software copyrights, and corruption of computation results.

This research programme gathers a core team of experts from the Nanyang Technological University (NTU) and the Singapore Management University (SMU) to tackle these security concerns. The SMU team aims to holistically address security challenges in the mobile and cloud computing ecosystem pivoting on the new so-called "confidential computing" techniques featuring hardware-based Trusted Execution Environments (TEEs). The research outcomes are expected to build up the infrastructure and capabilities towards a zero-trust computing domain for industry and government users.

Technical approach

De-couples the analyzing mechanism from app execution environment
Runs the analyzing system on powerful emulators
Uses offloading techniques to mirror app-system interactions to a real handset

Benefits

Malicious apps can no longer detect the existence of analyzing platform
Lower performance overhead
Supports non-pixel phones

Translation opportunities

Security vetting of mobile apps for government agencies and industry
Collaborators: DSO, DSTA, GovTech

No remedy for misbehaving "sick" VMs due to errors or attacks.

Technical approach

CSP provides an infrastructure for VMCare. (vm hospital)
Tenant (or Authority) uses its own tool to introspect and/or rectify the live but misbehaving virtual machine. (vm surgeon)

Impact

A new cloud service and business model benefit CSP, tenants and authorities.
Extensible to Android phones to harden user interfaces and analyze malicious apps.

Translation opportunities

Collaborate with ST Engineering and HTX to conduct pilot tests for feasibility evaluation.
Apply translation fund to develop an operational prototype and market exploration.

Data breaches are a growing risk [IBM Cost of A Data Breach Report 2023]

average cost of a data breach in 2023 was USD4.45m, a 15% increase over 3 years
82% of breaches involved data stored in the cloud

Limitations of existing cloud data security solutions

access control is enforced by could service providers and can be by-passed due to backend misconfigurations and leakage of user credentials
Extensible to Android phones to harden user interfaces and analyze malicious apps.

Technical approach

access control policies are managed by user organizations and enforced by TEE
seamlessly integrate TEE and E2E encryption to eliminate top attack vectors
Support standard/prevalent access control mechanisms to maintain interoperability with popular could platforms

Translation opportunities

Work closely with collaborators (DSTA, GovTech, HTX, ST EE) to meet users/market requirements
Seek translational funding to develop an operational prototype and conduct extensive user trials

Why TEE?

Isolating sensitive code and data-in-use in TEE protects them from vulnerabilities in the rest of the app. The usage of TEE is recommended, e.g., in the Monetary Authority of Singapore’s advisory.

Problem

Many applications are not designed for or protected by TEE. Migrating and maintaining an evolving app to properly take advantage of TEEs is complex, time-consuming, and error-prone.
Bad migration leads to little benefit and even harm.

Technical approach

Realize a toolchain (Shield-It!, Forge-It!, and Fix-It!) for reengineering & maintenance of evolving applications to benefit from TEE while minimizing costs.
Investigate SGX and the newly-released Android Virtualization Framework (AVF)

Translation opportunities

App hardening service for government agencies and industry
Collaborators: HTX, ST Engineering (project on SGX-protected credit card processing started)

Dive into groundbreaking research at the intersection of security, mobile applications, and cryptography. Explore the latest insights from us, unlocking the secrets of digital protection. Join us on a journey through innovation and discovery, where every click unveils a new layer of technological advancement.