Cybercriminals are increasingly targeting mobile platforms, especially those running the Android operating system. This course introduces common framework and application vulnerabilities exploited by malicious parties and examines the security mechanisms the Android platform employs to defend against these threats. Major topics include access control and the framework and application security models. The course further explores recent applications of program analysis techniques aimed at improving Android security.
Use this signup sheet to select which paper to present (first come, first served). Use your UW email to access it.
| Component | Weight |
|-----------|--------|
| Final Project | 40% (10% for the Progress Report, 10% for the Project Presentation, 20% for the Project Artifact) |
Late submissions within 72 hours will be graded with a 15% penalty for each day. Late submissions beyond 72 hours will not be graded. Exceptions may be granted only on a case-by-case basis with strong supporting evidence.
| Date | Topic | Readings |
|------|-------|----------|
| 01/08 | Admin Details, Syllabus and Overview | |
| 01/15 | Framework Access Control: Extraction and Evaluation | Axplorer: On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis (Security'16). Michael Backes, Sven Bugiel, Erik Derr, Patrick McDaniel, Damien Octeau, and Sebastian Weisgerber. |
| | | Precise Android API Protection Mapping Derivation and Reasoning (CCS'18). Yousra Aafer, Guanhong Tao, Jianjun Huang, Xiangyu Zhang, and Ninghui Li. |
| | | Resolving the Predicament of Android Custom Permissions (NDSS'18). Guliz Seray Tuncay, Soteris Demetriou, Karan Ganju, and Carl A. Gunter. |
| 01/22 | Framework Access Control | Kratos: Discovering Inconsistent Security Policy Enforcement in the Android Framework (NDSS'16). Y. Shao, J. Ott, Q. A. Chen, Z. Qian, and Z. M. Mao. |
| | | Invetter: Locating Insecure Input Validations in Android Services (CCS'18). Lei Zhang, Zhemin Yang, Yuyu He, Zhenyu Zhang, Zhiyun Qian, Geng Hong, Yuan Zhang, and Min Yang. |
| | | 50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System (Security'19). Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, and Serge Egelman. |
| 01/29 | Mobile App Vulnerabilities: Customization and Automation Hazards. Project Proposals Due. | Hare Hunting in the Wild Android: A Study on the Threat of Hanging Attribute References (CCS'15). Yousra Aafer, Nan Zhang, Zhongwen Zhang, Xiao Zhang, Kai Chen, XiaoFeng Wang, Xiaoyong Zhou, Wenliang Du, and Michael Grace. |
| | | The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators (Oakland'18). Marten Oltrogge, Erik Derr, Christian Stransky, Yasemin Acar, Sascha Fahl, Christian Rossow, Giancarlo Pellegrino, Sven Bugiel, and Michael Backes. |
| | | Total Recall: Persistence of Passwords in Android (NDSS'19). Jaeho Lee, Ang Chen, and Dan S. Wallach. |
| 02/05 | Mobile App Vulnerabilities: Leaks and UI Vulnerabilities | Geo-locating Drivers: A Study of Sensitive Data Leakage in Ride-Hailing Services (NDSS'19). Qingchuan Zhao, Chaoshun Zuo, Giancarlo Pellegrino, and Zhiqiang Lin. |
| | | Phishing Attacks on Modern Android (CCS'18). Simone Aonzo, Alessio Merlo, Giulio Tavella, and Yanick Fratantonio. |
| | | Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop (Oakland'17). Yanick Fratantonio, Chenxiong Qian, Simon P. Chung, and Wenke Lee. |
| 02/12 | Web/Mobile App Security | Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers (NDSS'19). Meng Luo, Pierre Laperdrix, Nima Honarmand, and Nick Nikiforakis. |
| | | Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities (Oakland'18). Abner Mendoza and Guofei Gu. |
| | | Unleashing the Walking Dead: Understanding Cross-App Remote Infections on Mobile WebViews (CCS'17). Tongxin Li, Xueqiang Wang, Mingming Zha, Kai Chen, XiaoFeng Wang, Luyi Xing, Xiaolong Bai, Nan Zhang, and Xinhui Han. |
| 02/19 | No Class | Spend time on the Progress Report. |
| 02/26 | No Class (Conference Travel). Progress Report Due. | |
| 03/04 | Vulnerability Vetting and Detection | JN-SAF: Precise and Efficient NDK/JNI-aware Inter-language Static Analysis Framework for Security Vetting of Android Applications with Native Code (CCS'18). Fengguo Wei, Xingwei Lin, Xinming Ou, Ting Chen, and Xiaosong Zhang. |
| | | FlowCog: Context-aware Semantics Extraction and Analysis of Information Flow Leaks in Android Apps (Security'18). Xiang Pan, Yinzhi Cao, Xuechao Du, Boyuan He, Gan Fang, and Yan Chen. |
| | | Finding Clues for Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps (NDSS'18). Yuhong Nan, Zhemin Yang, Xiaofeng Wang, Yuan Zhang, Donglai Zhu, and Min Yang. |
| 03/11 | Security Enhancement of Android OS: Framework / App Layers | DroidCap: OS Support for Capability-based Permissions in Android (NDSS'19). Abdallah Dawoud and Sven Bugiel. |
| | | InstaGuard: Instantly Deployable Hot-patches for Vulnerable System Programs on Android (NDSS'18). Yaohui Chen, Yuping Li, Long Lu, Yueh-Hsun Lin, Hayawardh Vijayakumar, Zhi Wang, and Xinming Ou. |
| | | WindowGuard: Systematic Protection of GUI Security in Android (NDSS'17). Chuangang Ren, Peng Liu, and Sencun Zhu. |
| 03/18 | IoT Security: Evaluation | SoK: Security Evaluation of Home-Based IoT Deployments (Oakland'19). Omar Alrawi, Chaz Lever, Manos Antonakakis, and Fabian Monrose. |
| | | Security Analysis of Emerging Smart Home Applications (Oakland'16). Earlence Fernandes, Jaeyeon Jung, and Atul Prakash. |
| | | Dangerous Skills: Understanding and Mitigating Security Risks of Voice-Controlled Third-Party Functions on Virtual Personal Assistant Systems (Oakland'19). Nan Zhang, Xianghang Mi, Xuan Feng, XiaoFeng Wang, Yuan Tian, and Feng Qian. |
| 03/25 | IoT Security: Vetting and Security Enhancement | IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing (NDSS'17). Jiongyi Chen, Wenrui Diao, Qingchuan Zhao, Chaoshun Zuo, Zhiqiang Lin, XiaoFeng Wang, Wing Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang. |
| | | Rethinking Access Control and Authentication for the Home Internet of Things (IoT) (Security'18). Weijia He, Maximilian Golla, Roshni Padhi, Jordan Ofek, Markus Dürmuth, Earlence Fernandes, and Blase Ur. |
| | | ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms (NDSS'17). Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang, Amir Rahmati, Earlence Fernandes, Z. Morley Mao, and Atul Prakash. |
| 04/01 | Project Presentations | Final Report due Apr 8. |