CS 858: Topics in Mobile Platform Security -- Fall 2023

Syllabus

Catalog Description

Cybercriminals are increasingly targeting mobile and IoT devices. This course will introduce common vulnerabilities exploited by malicious parties and will examine the security mechanisms employed by smart devices’ operating systems (particularly Android) to defend against these threats. Major topics include access control, framework, and application security models. The course will further explore recent applications of static and dynamic analysis techniques that aim to evaluate and enhance mobile and IoT security.

Time

  • Fri 1:00pm - 3:50pm

Instructor

  • Name: Yousra Aafer
  • Email: yaafer AT uwaterloo DOT ca
  • Office: DC 3522
  • Office hours: By appointment -- Details on LEARN

Course Requirements

The expectations for all CS 858 students are the following:
  1. Participate: Students are expected to attend every class and actively take part in the classroom discussions.
  2. Read Literature: Assigned papers should be read before each class.
  3. Write Weekly Critiques: Each student is required to write a peer-review critique (at least 400 words) for all the papers, before the papers are presented in class. A review must include the following aspects: (1) a summary of the problem and how the paper tackles the problem, (2) details of positive points, (3) details of negative points or any improvement you can suggest, and (4) a list of questions you would like to discuss in class.
  4. Present Literature: Each student is responsible for presenting (2) papers in class for about 20 minutes and leading the discussion. More details about paper presentation expectations will be discussed in the introductory section.
  5. Term Project: Students are expected to conduct a research project in security (not necessarily in mobile/IoT security), with the major deliverable being a conference-style paper at the end of the semester. Project topics should be discussed outside of class with the professor within the first 3 weeks of class. Projects can be done individually or in groups of two. More details will be discussed in the first class as part of the introductory material.

Paper Selection

Use the signup sheet (link shared via email) to select which paper to present (first come, first served).

Grading

Component                  Weight
Paper Presentations        20%
Classroom Participation    15%
Weekly Critique            25%
Final Project              40% (10% for the Progress Report, 10% for Project Presentation, 20% for Project Report and Artifact)

Policy for Late Submissions

Late submissions within 72 hours will be graded with a 15% penalty for each day. Late submissions beyond 72 hours will not be graded. Exceptions may be granted only case by case, with strong evidence presented.

Schedule

(Tentative)
Date Topics Lecture Notes Announcement
09/08 Admin Details, Syllabus and Overview
AceDroid: Normalizing Diverse Android Access Control Checks for Inconsistency Detection. (NDSS'18)
Yousra Aafer, Jianjun Huang, Yi Sun, Xiangyu Zhang, Ninghui Li and Chen Tian.

09/15 Framework Access Control: Extraction and Evaluation
Axplorer: On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis. (Security'16)
Michael Backes, Sven Bugiel, Erik Derr, Patrick McDaniel, Damien Octeau, and Sebastian Weisgerber.

Bringing Balance to the Force: Dynamic Analysis of the Android Application Framework. (NDSS'21)
Abdallah Dawoud and Sven Bugiel.

Poirot: Probabilistically Recommending Protections for the Android Framework. (CCS'22)
Zeinab El-Rewini, Zhuo Zhang, and Yousra Aafer.

09/22 Mobile App Vulnerabilities
FIRMSCOPE: Automatic Uncovering of Privilege-Escalation Vulnerabilities in Pre-Installed Apps in Android Firmware. (Sec'20)
Mohamed Elsabagh, Ryan Johnson, Angelos Stavrou, Chaoshun Zuo, Qingchuan Zhao, and Zhiqiang Lin.

Detecting and Measuring Misconfigured Manifest in Android Apps. (CCS'22)
Yuqing Yang, Mohamed Elsabagh, Chaoshun Zuo, Ryan Johnson, Angelos Stavrou, and Zhiqiang Lin.

The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators. (Oakland'18)
Marten Oltrogg, Erik Derr, Christian Stransky, Yasemin Acar, Sascha Fahl, Christian Rossow, Giancarlo Pellegrino, Sven Bugiel and Michael Backes.

09/29 IoT Security: Evaluation
Project Proposals Due.
Looking from the Mirror: Evaluating IoT Device Security through Mobile Companion Apps. (Sec'19)
Xueqiang Wang, Yuqiong Sun, Susanta Nanda, and XiaoFeng Wang.

Understanding IoT Security from a Market-Scale Perspective. (CCS'22)
Xin Jin, Sunil Manandhar, Kaushal Kafle, Zhiqiang Lin, and Adwait Nadkarni.

SoK: Security Evaluation of Home-Based IoT Deployments. (Oakland'19)
Omar Alrawi, Chaz Lever, Manos Antonakakis, and Fabian Monrose.

Security Analysis of Emerging Smart Home Applications. (Oakland'16)
Earlence Fernandes, Jaeyeon Jung, and Atul Prakash.
(Optional Reading)

10/06 IoT Security: Vetting
IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing. (NDSS'17)
Jiongyi Chen, Wenrui Diao, Qingchuan Zhao, Chaoshun Zuo, Zhiqiang Lin, XiaoFeng Wang, Wing Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang.

Towards automated dynamic analysis for Linux-based embedded firmware. (NDSS'16)
Daming D. Chen, Manuel Egele, Maverick Woo, and David Brumley.

Snipuzz: Black-box Fuzzing of IoT Firmware via Message Snippet Inference. (CCS'21)
Xiaotao Feng, Ruoxi Sun, Xiaogang Zhu, Minhui Xue, Sheng Wen, Dongxi Liu, Surya Nepal, and Yang Xiang.

10/13 No Class -- READING WEEK

10/20 Mobile / IoT Security: Data Leakage and Trackers
50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System. (Security'19)
Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, and Serge Egelman.

Understanding Worldwide Private Information Collection on Android. (NDSS'21)
Yun Shen, Pierre-Antoine Vervier, and Gianluca Stringhini.
(Optional Reading)

Log: It’s Big, It’s Heavy, It’s Filled with Personal Data! Measuring the Logging of Sensitive Information in the Android Ecosystem. (SEC’23)
Allan Lyons, Julien Gamba, Austin Shawaga, Joel Reardon, Juan Tapiador, Serge Egelman, and Narseo Vallina-Rodríguez.

Are You Spying on Me? Large-Scale Analysis on IoT Data Exposure through Companion Apps.
Yuhong Nan, Xueqiang Wang, Luyi Xing, Xiaojing Liao, Ruoyu Wu, Jianliang Wu, Yifan Zhang, and XiaoFeng Wang.

10/27 Mobile / IoT Security: Privacy Policies
Progress Report Due
Cardpliance: PCI DSS Compliance of Android Applications. (Sec'20)
Samin Yaseer Mahmud, Akhil Acharya, Benjamin Andow, William Enck, and Bradley Reaves.

Freely Given Consent? Studying Consent Notice of Third-Party Tracking and Its Violations of GDPR in Android Apps. (CCS'22)

Smart Home Privacy Policies Demystified: A Study of Availability, Content, and Coverage. (Sec'22)
Sunil Manandhar, Kaushal Kafle, Benjamin Andow, Kapil Singh, and Adwait Nadkarni.

11/3 Web/Mobile App Security
Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers. (NDSS'19)
Meng Luo, Pierre Laperdrix, Nima Honarmand, and Nick Nikiforakis.

Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities. (Oakland'18)
Abner Mendoza and Guofei Gu.

Iframes/popups are dangerous in mobile webview: studying and mitigating differential context vulnerabilities. (SEC'19)
GuangLiang Yang, Jeff Huang, and Guofei Gu.

11/10 Mobile Malware
Continuous Learning for Android Malware Detection. (SEC'23)
Yizheng Chen, Zhoujie Ding, and David Wagner.

How Did That Get In My Phone? Unwanted App Distribution on Android Devices. (Oakland'21)
Platon Kotzias, Juan Caballero, and Leyla Bilge.

A Large-scale Temporal Measurement of Android Malicious Apps: Persistence, Migration, and Lessons Learned. (SEC'22)
Yun Shen, Pierre-Antoine Vervier, and Gianluca Stringhini.

11/17 IoT Malware
The Circle Of Life: A Large-Scale Study of The IoT Malware Lifecycle. (SEC'21)
Omar Alrawi, Charles Lever, Kevin Valakuzhy, Ryan Court, Kevin Snow, Fabian Monrose, and Manos Antonakakis.

ARGUS: Context-Based Detection of Stealthy IoT Infiltration Attacks. (SEC'23)
Phillip Rieger, Marco Chilese, Reham Mohamed, Markus Miettinen, Hossein Fereidooni, and Ahmad-Reza Sadeghi.

HAWatcher: Semantics-Aware Anomaly Detection for Appified Smart Homes. (SEC'21)
Chenglong Fu, Qiang Zeng, and Xiaojiang Du.

11/24 IoT Security: Security Enhancement
Rethinking Access Control and Authentication for the Home Internet of Things (IoT). (Sec'18)
Weijia He, Maximilian Golla, Roshni Padhi, Jordan Ofek, Markus Durmuth, Earlence Fernandes, and Blase Ur.

Situational Access Control in the Internet of Things. (CCS'18)
Roei Schuster, Vitaly Shmatikov, and Eran Tromer.

IOTGUARD: Dynamic Enforcement of Security and Safety Policy in Commodity IoT. (NDSS'19)
Z. Berkay Celik, Gang Tan, and Patrick McDaniel.

ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms. (NDSS'17)
Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang, Amir Rahmati, Earlence Fernandes, Z. Morley Mao, and Atul Prakash.
(Optional Reading)

12/01 Project Presentations
Final Report DUE DEC 9