EPSRC logo

Details of Grant 

EPSRC Reference: EP/K032666/1
Title: App Guarden: Resilient Application Stores
Principal Investigator: Aspinall, Professor D
Other Investigators:
Stark, Dr I Sutton, Dr C Sannella, Professor D
Gordon, Professor A Franke, Professor B
Researcher Co-Investigators:
Project Partners:
Contemplate Ltd Google Kotikan
McAfee Labs Metaforic Research In Motion Ltd RIM
Department: Sch of Informatics
Organisation: University of Edinburgh
Scheme: Standard Research
Starts: 01 September 2013 Ends: 31 August 2016 Value (£): 588,377
EPSRC Research Topic Classifications:
Computer Sys. & Architecture Fundamentals of Computing
Software Engineering
EPSRC Industrial Sector Classifications:
Creative Industries Information Technologies
Related Grants:
Panel History:
Panel DatePanel NameOutcome
23 Jan 2013 EPSRC Research Institute APA & V Announced
Summary on Grant Application Form
Application stores are set to become the dominant model for software distribution. After only four years, they are incredibly successful. In 2012, Apple's App Store and Google's Play Store each topped 25 billion app downloads. App stores not only offer apps and media content, they also have near total control on phones and tablets that connect to them. Hundreds of millions of people place their trust in app store and device security every day. Unfortunately, this trust is sometimes misplaced and is starting to be eroded.

Also in 2012, mobile malware took off: tens of thousands of rogue apps have been found `in the wild', including premium-rate SMS-sending apps, mobile botnets that are orchestrated to attack others, Trojans that steal passwords, and spyware that monitors users' activities. Legitimate apps and mobile operating systems have also had flaws leading to exploits and information leaks. And as the Wired reporter Mat Honan discovered painfully this summer, the convenience of cloud backed-up synchronized devices means that a single break-in can destroy your data everywhere, in one fell swoop.

App stores of the future, and the devices they control, must be better defended and resilient under attack. Users and data owners need justifiable confidence that apps will behave well and will not cause damage, whether by accident through bugs, or by intention through malicious design. Security should be ever present but unobtrusive, not impacting performance or causing crashes, not forever downloading patches, not demanding complex decisions, and not in the hands of just one party.

Our research will examine a number of improvements to app stores and mobile device operating systems which will take us closer to future generation, secure app stores.

For example, we will design algorithms that will automatically analyse apps to ensure they are safe. At the moment, this has to be done manually by malware analysts in expensive, time-consuming and sometimes unreliable ways. Another improvement is to add "digital evidence" to apps. Digital evidence can guarantee that an app is safe and it can be checked automatically, even on a phone. Evidence establishes that the code is safe, whereas the current state-of-the-art in industry is code signing, which at best only says where the code has come from. Finally, we want to find natural, user-friendly security policies: rather than the user examining a long list of complicated permissions as currently happens in Android, we want to have a set of sensible policies for different types of app. Under the bonnet the controls will actually be more precise than at present: with our solution, a game, for example, would not be allowed to access anywhere on the Internet, just the few places that it really needs to go; a text-messaging app might only be allowed to send messages to contacts from a users address book, not unknown numbers that might be premium-rate.

Key Findings
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Potential use in non-academic contexts
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Impacts
Description This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Summary
Date Materialised
Sectors submitted by the Researcher
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Project URL:  
Further Information:  
Organisation Website: http://www.ed.ac.uk