This Android Shield Could Encrypt Apps So Invisibly You Forget It’s There

In the post-Snowden era, everyone wants to make encryption easier. Now, one group of researchers has created a tool intended to make it invisible.

A team from Georgia Tech has designed software that acts as an overlay on Android smartphones’ communication apps, like Gmail or Whatsapp, and mimics the apps’ user interfaces. When users type, the text is encrypted automatically before being passed on to the application and transmitted over the internet. Likewise, the interface invisibly decrypts text received from other users of the software. The result, as the researchers describe it, is a transparent window over apps that prevents unencrypted messages from leaving the user’s device, an invisible communications condom for your smartphone’s secrets.

“The window acts as a proxy between the user and the app. But the beauty of it is that users feel like they’re interacting with the original app without much, if any, change,” says Wenke Lee, the Georgia Tech professor who led the developers. “Our goal is to make security that’s as easy as air. You just breathe and don’t even think about it.”

The researchers call their prototype Mimesis Aegis, or M-Aegis, Latin for “mimicry shield.” They plan to present their research at the Usenix Security conference this week.

For now, the Georgia Tech team is framing their work as pure academic research. But they also plan to release the software in some form this fall, although it initially will work only with email and chat services like Gmail, Whatsapp, and Facebook. Eventually, they hope to extend the app’s abilities to photos and audio, so multiple functions of an Android phone can be effortlessly encrypted within popular apps users already have installed, without requiring them to adopt new encryption apps like Textsecure or Silent Circle.

Despite their ambition, M-Aegis’ prototype is far from a universal smartphone encryption engine: It can only encrypt communications with other M-Aegis users, since both phones must generate encryption keys and exchange them to allow scrambled communications. And the system only works with Android; Apple is more restrictive in controlling how the user interfaces of its iOS apps can be altered.

Aside from those limitations, the researchers claim in their Usenix paper that a lock icon added to encrypted messages will be virtually the only sign that users aren’t directly accessing an unaltered app. They tested M-Aegis with real emails, using samples taken from the Enron investigation in the early 2000s, and found it took less than a tenth of a second to decrypt even the longest emails on an LG Nexus 4, and at most around one-fifth of a second to encrypt them. They even were able to replicate the search function of the Android Gmail client, thanks to their own encryption system called “easily-deployable efficiently-searchable symmetric encryption” or EDESE, which allows the search of encrypted files with negligible slowdown.

Despite those impressive crypto claims, early users should be wary of the security of M-Aegis’ untested prototype. The Georgia Tech researchers say that for now, they don’t plan an open source release of the software, which may prevent the security community from identifying flaws in its privacy protections.

Maintaining the software could also turn out to be cumbersome: Given that the program is designed to exactly mimic the apps it’s overlaid on, every update to a communications app’s interface could require a change to M-Aegis. The researchers won’t yet say how they plan to support the app, through their own volunteer labor or by spinning the technology out into a non-profit project or startup. But Lee downplays the difficulty of keeping up with the apps whose communications M-Aegis encrypts. “If an update to an app is just to make it look prettier or move things around, that doesn’t affect us at all,” he says.

For now, Lee admits, the process does require a manual process of assessing new apps and updates to maintain M-Aegis’ mimicry of the underlying programs. But eventually, he hopes to automate the analysis of new applications so that they can be pulled under M-Aegis’ protective shield with minimal human effort. The goal, he says, is a future where privacy-conscious users don’t need to give up mainstream cloud-based services. But thanks to invisible encryption strapped onto the apps’ surfaces, the apps are nonetheless prevented from ever accessing raw data that could be vulnerable to hackers or intelligence agencies.
