A group of researchers at Virginia Tech have developed software for the Android OS that can enforce policies on mobile devices based on what room they're in. It can even make sure that sensitive data doesn't walk out the door with them by wiping it from a phone's memory. The technology, which has gotten the attention of Google's federal government group and several defense systems integrators, could eventually be used to protect patient data on doctors' tablets and sensitive military and intelligence information. Virginia Tech researchers even suggest it could be used to prevent students from texting during classes.

While there are existing applications that manage the security of mobile devices, and technology to locate a phone by GPS is readily available, GPS signals can't be used accurately inside a building to create policy zones as small as a conference room. So Virginia Tech researchers have been looking at other ways to use smartphones' built-in hardware to sense where the device is. Their prototype system, which is about to be released as an open-source project, uses Bluetooth and near field communications (NFC) wireless signals to authenticate the location of the device.

Developed with funding from the Virginia Tech Applied Research Corporation, the software is a modified version of the Android operating system that adds a policy engine on top of Android's security model. Jules White, assistant professor in Virginia Tech's Department of Electrical and Computer Engineering, told Ars Technica in an interview that the prototype system, which was deployed on Google Nexus S phones, uses NFC to pass the phone a location-based key, and Bluetooth for the phone to communicate a confirmation of its location to a management server. “We could theoretically do that all with just Bluetooth,” White said. “But NFC adds that extra guarantee that you're actually in the room.” Because of Bluetooth's longer range, the signal could leak out of the space being identified, potentially weakening the system's security.

The software uses the location-based authentication along with a policy engine to enable or disable Android features and applications. The policy engine can allow users to access sensitive information on the phone that is restricted to the physical space they're in, creating a “data jail,” White said. Since it can also control inter-process communications on the phone, it can control where applications store data, forcing data to be written to memory instead of to SIM cards or other storage. “If you walk out of the room, or you haven't hit the NFC key for a certain amount of time,” White explained, “it can clear the data out of memory.”
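The "data jail" behavior described above can be modeled in a few lines. This is an added sketch, not code from the Virginia Tech project: the HMAC token format, the `WINDOW` and `LEASE` values, and the `room_token` and `DataJail` names are assumptions, and the token check that the article assigns to a management server reached over Bluetooth is done locally here.

```python
import hashlib
import hmac

WINDOW = 30  # seconds a room token stays valid (assumed value)
LEASE = 60   # seconds of access granted per verified tap (assumed value)

def room_token(room_key: bytes, room: str, device: str, now: float) -> bytes:
    """Token the in-room NFC point hands to a tapped phone (assumed format)."""
    msg = f"{room}|{device}|{int(now // WINDOW)}".encode()
    return hmac.new(room_key, msg, hashlib.sha256).digest()

class DataJail:
    """Keeps room-restricted data in memory only; wipes it when the lease lapses."""
    def __init__(self, room_keys: dict, device: str):
        self._keys, self._device = room_keys, device  # keys would live on the server
        self._room, self._expires = None, 0.0
        self._data = {}

    def tap(self, room: str, token: bytes, now: float) -> bool:
        """Check a token from an NFC tap against the current or previous window."""
        self._enforce(now)
        key = self._keys.get(room)
        ok = key is not None and any(
            hmac.compare_digest(token, room_token(key, room, self._device, now - d))
            for d in (0, WINDOW))
        if not ok or room != self._room:
            self.wipe()  # failed check or a different room: drop what was held
        if ok:
            self._room, self._expires = room, now + LEASE
        return ok

    def put(self, name: str, value: bytes, now: float) -> None:
        self._enforce(now)
        if self._room is None:
            raise PermissionError("no verified location")
        self._data[name] = bytearray(value)

    def get(self, name: str, now: float) -> bytes:
        self._enforce(now)
        return bytes(self._data[name])  # raises KeyError once the data is wiped

    def _enforce(self, now: float) -> None:
        if now >= self._expires:  # no fresh tap within the lease period
            self.wipe()

    def wipe(self) -> None:
        for buf in self._data.values():
            buf[:] = bytes(len(buf))  # overwrite the buffer before dropping it
        self._data.clear()
        self._room, self._expires = None, 0.0
```

Binding the token to a short time window and to the device identifier means a token captured in the room stops working shortly after the phone leaves it, which is the property the NFC tap is meant to provide.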

Virginia Tech's outreach department played up the "Mission Impossible" nature of the technology in a YouTube video in which White demonstrates the technology.

Because the wireless technology used for the system is all built into the Nexus S phone, a phone can even act as the base station to verify other devices' locations. White said that this could allow for the creation of a temporary “bubble” of data sharing at any location within a building. The Virginia Tech team is also investigating other ways to create location awareness for mobile devices, including signals that could be picked up by audio (such as a special pattern of “white noise”) or by the phone's camera. “But using the camera would require a person to orient the phone in a certain way,” White said, so that approach may not be practical.

The core of the software used in the project is open-source, and efforts are being made now by White and his research team (master's candidates Paul N. Miranda and Danny Guymon, and PhD candidate Hamilton Turner) to post the code to a Git site. “Right now it's just a research project,” White said, but he adds that there are hopes of commercialization of the technology—either through a partner or a Virginia Tech startup.