App Guarden

Resilient Application Stores

 

    iSpy: App Guarden at Midlothian Science Festival 2016

    On Sat 15th October 2016, our researchers had the opportunity to share App Guarden with families at the Midlothian Science Festival.

    Presented as the iSpy game, the event assigned members of the public (children aged 8-12 and their parents) to two teams, gave them a controlled experience of real-time data exfiltration, and made them aware of research into checkers that can provide digital evidence of the security status of apps.

    Assisted by our researchers, Team Fun's mission was to play a game: identify pixelated images on a screen using the camera app on their Android device, take a picture of the image, store it on the phone as their wallpaper, and make an audio recording of their name and what they saw — all in under 30 seconds before handing the device to the next player in the team to take a turn!

    To play the game, they had to first download an image wallpaper app and a sound recording microphone app, choosing from apps in a simplified app store.

    Also assisted by our researchers, Team HaHa's mission was to play a different game: secretly monitor and exfiltrate data from Team Fun's phone as they played the game — spying activities made possible by the presence of malevolent code in the apps Team Fun had chosen to install. Team HaHa were also able to take command of Team Fun's camera phone, taking pictures of Team Fun members as they innocently played their game!

    At the end of the game, Team HaHa were able to send Team Fun's device screenshots of the images they had seen as they played their game, and photos of Team Fun players taken covertly from the Team Fun device.

    That this could be done simply by a "bad" app shocked both teams. Their curiosity about how this was possible gave our researchers the opportunity to close the event by demonstrating teaching points on making better choices of applications, based on permissions or by using an example checking tool, one of the research prototypes developed under App Guarden.

    In a final demonstration of checkers and validity, players were invited by our researchers to try the App Guarden checkers and replay the game, finding that this time the checkers identified the bad code in the apps that Team Fun had downloaded and warned against downloading it. The safe versions of the apps prevented Team HaHa from spying on the files and camera on the first device.