Cybercriminals are increasingly targeting mobile platforms, especially those running Android Operating System. This course will introduce common framework and application vulnerabilities exploited by malicious parties and will examine security mechanisms employed by Android platform to defend against the threat - major topics include access control, framework and application security models. The course will further explore recent applications of program analysis techniques aiming to improve Android Security.
Use the signup sheet (link shared via email) to select which paper to present (first come first serve).
| Component | Weight |
|---|---|
| Paper Presentations | 20% |
| Classroom Participation | 15% |
| Weekly Critique | 25% |
| Final Project | 40% (10% for the Progress Report, 10% for Project Presentation, 20% for Project Report and Artifact |
Late submissions within 72 hours will be graded with 15% penalty for each day. Late submissions beyond 72 hours will not be graded. Exceptions may only be granted case by case with strong evidence presented.
| Date | Topics | Lecture Notes | Announcement |
|---|---|---|---|
| 09/08 | Admin Details, Syllabus and Overview |
AceDroid: Normalizing Diverse Android Access Control Checks for Inconsistency Detection. (NDSS'18)
Yousra Aafer, Jianjun Huang, Yi Sun, Xiangyu Zhang, Ninghui Li and Chen Tian. |
|
| 09/15 | Framework Access Control: Extraction and Evaluation |
Precise Android API Protection Mapping Derivation and Reasoning. (CCS'18)
Yousra Aafer, Guanhong Tao, Jianjun Huang, Xiangyu Zhang, and Ninghui Li. Bringing Balance to the Force: Dynamic Analysis of the Android Application Framework. (NDSS'21) Abdallah Dawoud and Sven Bugiel. |
|
| 09/22 | Framework Access Control: Evaluation |
Android Custom Permissions Demystified: From Privilege Escalation to Design Shortcomings. (Oakland'21)
Rui Li, Wenrui Diao, Zhou Li, Jianqi Du, and Shanqing Guo. Poirot: Probabilistically Recommending Protections for the Android Framework. (CCS'22) Zeinab El-Rewini, Zhuo Zhang, and Yousra Aafer. |
|
| 09/29 | Mobile App Vulnerabilities: Customization and Automization Hazards Project Proposals Due. |
FIRMSCOPE: Automatic Uncovering of Privilege-Escalation Vulnerabilities in Pre-Installed Apps in Android Firmware. (Sec'20)
Mohamed Elsabagh, Ryan Johnson, Angelos Stavrou, Chaoshun Zuo, Qingchuan Zhao, and Zhiqiang Lin. Trouble Over-The-Air: An Analysis of FOTA Apps in the Android Ecosystem. (Oakland'21) Eduardo Blázquez, Sergio Pastrana, Álvaro Feal, Julien Gamba, Platon Kotzias, Narseo Vallina-Rodriguez, and Juan Tapiador. |
|
| 10/06 | Mobile App Security Information Leakage |
Cardpliance: PCI DSS Compliance of Android Applications. (Sec'20)
Samin Yaseer Mahmud, Akhil Acharya, Benjamin Andow, William Enck, and Bradley Reaves. Understanding Malicious Cross-library Data Harvesting on Android. (Sec'21) Jice Wang, Yue Xiao, Xueqiang Wang, Yuhong Nan, Luyi Xing, Xiaojing Liao, JinWei Dong, Nicolas Serrano, Haoran Lu, XiaoFeng Wang, and Yuqing Zhang. |
|
| 10/13 | No Class | READING WEEK | |
| 10/20 | Web/Mobile App Security | Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers. (NDSS'19)
Meng Luo, Pierre Laperdrix, Nima Honarmand, and Nick Nikiforakis. Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities. (Oakland'18) Abner Mendoza and Guofei Gu. |
|
| 10/27 | Vulnerability Vetting and Detection: Progress Report Due |
FlowCog: Context-aware Semantics Extraction and Analysis of Information Flow Leaks in Android Apps. (Sec'18)
Xiang Pan, Yinzhi Cao, Xuechao Du, Boyuan He, Gan Fang, and Yan Chen. Finding Clues for Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps. (NDSS'18) Yuhong Nan, Zhemin Yang, Xiaofeng Wang, Yuan Zhang, Donglai Zhu and Min Yang. |
|
| 11/03 | Security Enhancement of Android OS: Framwork / App Layers |
DroidCap: OS Support for Capability-based Permissions in Android. (NDSS'19)
Abdallah Dawoud and Sven Bugiel. InstaGuard: Instantly Deployable Hot-patches for Vulnerable System Programs on Android. (NDSS'18) Yaohui Chen, Yuping Li, Long Lu, Yueh-Hsun Lin, Hayawardh Vijayakumar, Zhi Wang, and Xinming Ou. |
|
| 11/10 | IoT Security: Evaluation |
Android SmartTVs Vulnerability Discovery via Log-Guided Fuzzing. (Sec'21)
Yousra Aafer, Wei You, Yi Sun, Yu Shi, Xiangyu Zhang, and Heng Yin. Looking from the Mirror: Evaluating IoT Device Security through Mobile Companion Apps. (Sec'19) Xueqiang Wang, Yuqiong Sun, Susanta Nanda, and XiaoFeng Wang. Dangerous Skills: Understanding and Mitigating Security Risks of Voice-Controlled Third-Party Functions on Virtual Personal Assistant Systems. (Oakland'19) Nan Zhang, Xianghang Mi, Xuan Feng, XiaoFeng Wang, Yuan Tian, and Feng Qian. |
|
| 11/17 | IoT Security: Vetting | IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing. (NDSS'17)
Discovering and Understanding the Security Hazards in the Interactions between IoT Devices, Mobile Apps, and Clouds on Smart Home Platforms. (Sec'19)
Wei Zhou, Yan Jia, Yao Yao, Lipeng Zhu, Le Guan, Yuhang Mao, Peng Liu, and Yuqing Zhang. DIANE: Identifying Fuzzing Triggers in Apps to Generate Under-constrained Inputs for IoT Devices. (Oakland'21) Nilo Redini, Andrea Continella, Dipanjan Das, Giulio De Pasquale, Noah Spahn, Aravind Machiry, Antonio Bianchi, Christopher Kruegel, and Giovanni Vigna. |
|
| 11/24 | IoT Security: Security Enhancement |
Situational Access Control in the Internet of Things.(CCS'18)
Roei Schuster, Vitaly Shmatikov, and Eran Tromer. IOTGUARD: Dynamic Enforcement of Security and Safety Policy in Commodity IoT.(NDSS'19) Z. Berkay Celik, Gang Tan, and Patrick McDaniel. |
|
| 12/01 | Project Presentations | Final Report DUE DEC 9 |