Insights into security-relevant smartphone innovations at the Cyber Defence Campus
As part of its innovation activities, the Cyber Defence Campus is investigating the potential of various smartphone security technologies. Through such investigations, the CYD Campus provides a great deal of support when it comes to cyber security in Switzerland. Among other things, one of these innovation projects focuses on security in the use of smartphones.
Two important CYD Campus projects from 2023 were the development of a secure network environment for smartphones and the investigation of methods for detecting security vulnerabilities in smartphone applications. The knowledge gained from these two projects provides important insights for ensuring secure mobile communication in the DDPS.
As part of its national cyber strategy (NCS), Switzerland is focusing on exploiting the opportunities offered by digitalisation. This is so that cyber threats and their effects can be minimised through appropriate protective measures. Through its innovation projects, the CYD Campus makes a significant contribution to promoting and strengthening Swiss cyber security and defence.
Development of a secure network for smartphone communication
One of these innovation projects focussed on securing smartphone communication. The project focussed on the development and use of a messaging app for sending sensitive data. For its solution, the CYD Campus relied on the Threema messaging app and the SCION network (Scalability, Control, and Isolation on Next-Generation Networks). The SCION network is a new type of network architecture developed by ETH researchers. Both are therefore technologies with a Swiss background.
CYD Campus employees installed a secure Threema server in the CYD Campus infrastructure in Thun, which was only accessible via the SCION network. The aim of the CYD Campus project was to use a secure and trustworthy SCION network for smartphone communication. The CYD Campus used the SCION network to create a controlled test environment to ensure the security of communication with Threema.
Identification of vulnerabilities in smartphone apps
The US startup Ostorlab convinced the jury of the CYD Campus Startup Challenge in autumn 2023 and was allowed to present its innovative approach to the security analysis of mobile applications at the Cyber-Defence Campus Conference on 26 October 2023. Ostorlab has developed a mobile application scanner that enables organisations to efficiently identify security vulnerabilities in both Android and iOS applications. Ostorlab uses static and dynamic analysis methods to detect vulnerabilities that can cause significant security and reputational damage to organisations. These range from security breaches and data leaks to compromised communication. The CYD Campus is now investigating how Ostorlab's software can be used to identify cyber vulnerabilities in VBS as part of a proof of concept.
Secure mobile operating systems
The Android and iOS smartphone ecosystems in widespread use today offer a high degree of functionality and flexibility. While Android and iOS are widely used for the storage and processing of unclassified data, their use in the area of classified data is currently not possible or only possible to a very limited extent. In Switzerland, however, there is a need for an operating system for use with classified data. An innovation project was therefore launched with the aim of identifying and analysing possible solutions to meet this need. The main challenge is to find the most suitable network architecture for a secure mobile operating system that offers a balance between security, feasibility and user-friendliness.
The CYD Campus takes two approaches to protect sensitive data: The first approach consists of a so-called compartmentalisation of the software applications. This means that the attack surface on the system is nested so that the impact of a cyber attack can be minimised. To this end, two network architectures for a secure mobile operating system were developed, including a risk analysis. Cybersecurity includes not only the mobile operating system, but also the hardware, cryptographic components and startup processes with verifiable security guarantees.
The second approach separates the execution of an application from the operating system and the manufacturer in order to ensure sovereignty over the application and increase security.
The findings of the CYD Campus from these innovation projects make a significant contribution to increasing the security of smartphones for Swiss security organisations. Further innovation projects will be presented at the CYD Campus Innovation Day in Bern on 15 May 2024.