Carnegie Mellon Mobile App Secures Communications

• By Dian Schaffhauser
• 03/14/12

Researchers at Carnegie Mellon University have developed a mobile app to help people set up trusted relationships with others on the fly for digital transactions. "SafeSlinger," as it's named, works on both iOS and Android devices. (It originally appeared in the Apple App Store in January under the name "KeySlinger.")

The challenge with many trust schemes is that users don't always understand how to use security protocols. SafeSlinger, which was created by the institution's CyLab, provides a simple mechanism for allowing people to exchange public keys that then establish secure channels for sending messages or exchanging files.

"Essentially, we support an abstraction to safely 'sling' information from one device to another," the researchers state in a paper they've written about the system.

"With SafeSlinger, users can gain control over their exchanged information through end-to-end encryption, preventing intermediate servers or service providers from reading their messages or other sensitive stored data in their smartphones," said Adrian Perrig, professor of electrical and computer engineering and technical director of CyLab.

"SafeSlinger provides you with the confidence that the person you are communicating with is actually the person they have represented themselves to be," added Michael Farb, a CyLab research programmer. "Perhaps the most impressive feature is that SafeSlinger provides secure communications and file transfer even if the servers involved are tainted with malware."

SafeSlinger is envisioned to work in four ways:

• Small groups of two to eight people who are physically together sling keys between their devices. This is a one-time operation. The app can also support remote setup, as long as users can authenticate each other via other means, such as via live video conference or voice communication;
• The app includes secure SMS- and MMS-messaging-like phone-to-phone messaging and file transfer capabilities designed to offer secrecy and authenticity;
• SafeSlinger can accommodate secure introductions without physical meetings by allowing one person to facilitate a mutual introduction through SafeSlinger file transfer; and
• SafeSlinger has an API that lets other applications add their public key to a contact entry. When a user slings an updated contact list entry to another user, the application's public key is automatically included, and the same application at the other end can extract the public key. The researchers explained that the point of the API is to let programs such as secure email or secure SMS solve the problem of securely exchanging the public key without the "leap of faith" inherent in many online communications.

The new app provides a way for users to secure their communications "without relying on obscure mechanisms," said researcher Jon McCune, who also worked on the project. "SafeSlinger provides users with an easy way to securely exchange messages for free, finally providing people with control over their own information.''

The Android version of the app is available free in Google Play (formerly, the Android Market).

The iOS version of the app is available in the iTunes Store.