Reflections on a Decade of Mobile Security Research

The emergence of the smartphone in the late 2000s occurred during a perfect storm of technology and society. Advances in embedded technologies provided a critical balance of computing power and energy consumption. The integration of accelerometers and GPS sensors provided valuable primitives for innovative applications, and 3G cellular technologies provided enough data capacity for meaningful interactions with servers. Simultaneously, social networking was taking off, giving consumers a reason to increasingly engage with computing. The mobile industry capitalized on this opportunity, opening the traditionally tightly controlled environment to third-parties and providing a streamlined way for application developers and consumers to discover and commodify computing. Today, Web traffic from smartphones exceeds that of traditional desktops and laptops. The initial reaction of the security research community was cautious, not seeing what made this form of computing different. In many ways, smartphones are the same as traditional consumer platforms. Consumers download and run third-party software that connects to servers on the Internet. However, there are key ways in which smartphones are different. Some of these differences are technical. For example, smartphones never turn off and are continually collecting information. They also present a new runtime abstraction where each application is a security principal. Other differences are rooted in how we use them. Our smartphones are always with us, and as a result they have become the transport vehicle for micro-doses of dopamine that feeds our Internet addicted society. They are the first thing we look at in the morning, the last in the evening, and means of avoiding boredom throughout the day. Despite initial reservations, the past decade has seen a boom in security research studying smartphones and mobile technologies. While this research started at the application layer, it has gradually worked its way down the stack, considering operating system frameworks, trusted execution environments, attached hardware peripherals, baseband radios, and expanding into the cellular network itself. In this talk, I will reflect on the advances and knowledge we have gained through mobile security research and what these results mean for the broader area of security research. The tables have now turned, and computing technology is adopting advances made by mobile devices.