Using application software, or apps for short, is part of everyday life for many of us: quickly transferring money via e-banking, dealing with official matters in the digital office via ID Austria, managing files in the cloud or sending messages and distracting ourselves a little on social media. In all these activities, we send and receive data, much of which is highly sensitive as it concerns personal or financial information. This makes it all the more important that this data is protected against unauthorised access, modification or misuse.
Interaction between software and hardware
The Secure Applications research area at the Institute of Information Security (ISEC) at Graz University of Technology (TU Graz) is working on how this can be achieved and maintained in the future. “In security, it’s always about how critical the asset is that I need to protect,” says Arne Tauber, who at ISEC is particularly concerned with information security in the public sector, for example eGovernment applications such as ID Austria, the basic concept of which was developed at TU Graz.
Arne Tauber and his team work at the application level of cyber security, in other words where users interact directly with software and hardware. For an app to be well secured, the hardware, cryptography and application have to work together seamlessly. Arne Tauber has the advantage that experts from these fields also conduct research at the Institute of Information Security and collaboration is right next door.
Mathematics as a basis for security
Encryption is essentially based on difficult mathematical problems that are so complex that even high-performance computers would need thousands of years to solve them without the right key. “Let’s take the example of a digital signature. It corresponds to a highly complex mathematical problem, and only the users or their end devices have the solution to this problem. By entering a password or biometrics such as fingerprints and facial recognition, access to this solution is authorised in order to prove your identity to the other party,” says Arne Tauber.
Tauber and his team use cryptographic libraries to implement digital signatures or proofs of identity in applications. The challenge is to incorporate the mathematical procedures developed by cryptographers into the software in such a way that no security gaps or sources of error arise and the authorisation mechanism cannot be circumvented.
Modern mobile devices are better protected
In addition to the appropriate encryption, the applications must also work with the hardware on which they run. Arne Tauber considers modern mobile devices to be more secure than classic PCs or notebooks due to their system architecture. “Today’s smartphones have their own security chips that are optimised to perform complex cryptographic operations. Sensitive information, such as cryptographic keys, is stored directly in these chips and therefore cannot leave the device,” says Arne Tauber. In addition, mobile operating systems severely restrict access between different apps and between apps and the operating system, which further increases security. This is not the case with classic PC operating systems, which are based on concepts from the 1960s to 1980s.
AI and quantum computing as a challenge
Arne Tauber’s team is currently focusing on two factors in particular: AI and quantum computing. The rapid development of artificial intelligence has greatly accelerated the cat-and-mouse game between attackers and defenders. “AI helps you find more security gaps so that you can close them, but of course it is also used to circumvent security systems. Attacks can essentially be automated and previously unknown serious security vulnerabilities can be found in a short space of time, which poses a major problem for existing infrastructure, as the current example of the Claude Mythos model, which has not yet been made publicly available, shows,” explains Arne Tauber.
Quantum computers present a completely different challenge. Once they are operational, they can crack current encryption within minutes, even without a known key. This is because they are extremely efficient at solving certain complex mathematical problems. Quantum-safe algorithms already exist, but they cannot simply be deployed via an update. Arne Tauber: “This is a process that will certainly take several years to implement everywhere.”
Users as door openers
However, such attacks using quantum computers are not yet foreseeable. According to Arne Tauber, the greatest danger in the consumer sector is still the person in front of the screen. “Ultimately, it’s usually the users themselves who open the door.” All it takes is a click on a fraudulent link, which either leads to a fake page that captures the login data or smuggles a Trojan onto the device. Due to its architecture, the PC is still more vulnerable to Trojans in particular. If you only install trustworthy apps from secure sources on your mobile phone, you should have little to fear.
From a technical point of view, it is very difficult to penetrate the system on modern mobile devices. Tauber therefore advises particular caution with emails that ask for sensitive data. “If you are not sure, only open the website in question via the web address you know or open an app yourself without clicking on a link.” The same applies to calls requesting access data or remote access to the computer. His conclusion: “The technology is very safe, we just have to use it carefully.”
Arne TAUBER
Dipl.-Ing. Dr.techn.
TU Graz | Institute of Information Security
Phone: +43 316 873 5533
arne.tauber@tugraz.at

