CS 858: Topics on Mobile and IoT Security -- Fall 2024

Syllabus

Catalog Description

Cybercriminals are increasingly targeting mobile and IoT devices. This course will introduce common framework and application vulnerabilities exploited by malicious parties and will examine security mechanisms employed by smart devices' Operating Systems (particularly Android) to defend against the threat - major topics include access control, IoT security policies, framework and application security models. The course will further explore recent applications of program analysis techniques and emerging ML-based and LLM-based approaches for assessing and enhancing mobile and IoT security.

Location and Time

  • Fridays 1:30pm - 4:20pm in TBD

Instructor

  • Name: Yousra Aafer
  • Email: yaafer AT uwaterloo DOT ca
  • Office hours: By appointment

Course Requirements

The expectations for all CS 858 students are the following:
  1. Participate: Students are expected to attend every class and actively take part of the classroom discussions.
  2. Read Literature: Assigned papers should be read before each class.
  3. Write Weekly Critiques: Each Student is required to write a peer-review critique (at least 400 words) for all the papers, before the papers are presented in class. A review must include the following aspects: (1) Summary of the problem and how the paper tackles the problem, (2) Details of positive points, (3) Details of negative points or any improvement you can suggest, and (4) list of questions you would like to discuss in class.
  4. Present Literature: Each student is responsible to present two papers in the class for about 25 minutes and lead the discussion. More details about paper presentation expections will be discussed in the introductory section.
  5. Term Project: Students are expected to conduct a research project in mobile or IoT security (topics in systems and network security are acceptable), with the major deliverable being a conference-style paper at the end of the semester. Project topics should be discussed outside of class with the professor within the first 3 weeks of class. Projects can be done individually or by groups of two. More details will be discussed in the first class as part of the introductory material.

Paper Selection

Use the signup sheet (link shared via email) to select which paper to present (first come first serve).

Grading

Component Weight
Paper Presentations 20%
Classroom Participation 15%
Weekly Critique 25%
Final Project 40% (10% for the Progress Report, 10% for Project Presentation, 20% for Project Report and Artifact

Policy for Late Submissions

Late submissions within 72 hours will be graded with 15% penalty for each day. Late submissions beyond 72 hours will not be graded. Exceptions may only be granted case by case with strong evidence presented.

Schedule

(Tentative; specific topics to be covered will be updated soon)
Date Topics Lecture Notes Announcement
09/06 Admin Details, Syllabus and Overview AceDroid: Normalizing Diverse Android Access Control Checks for Inconsistency Detection. (NDSS'18)
Yousra Aafer, Jianjun Huang, Yi Sun, Xiangyu Zhang, Ninghui Li and Chen Tian.

09/13 Mobile Access Control
(Framework):
Access Control Maps 		AXPlorer: On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis. (Sec'16)

Bringing Balance to the Force: Dynamic Analysis of the Android Application Framework. (NDSS'21)

09/20 Mobile Access Control
(Framework)
Detecting Vulnerabilities
in OEM frameworks 		Poirot: Probabilistically Recommending Protections for the Android Framework. (CCS'22)

Auditing Framework APIs via Inferred App-side Security Specifications. (Sec'23)

FReD: Identifying File Re-Delegation in Android System Services. (Sec'22)

09/27 Mobile App Vulnerabilities FIRMSCOPE: Automatic Uncovering of Privilege-Escalation Vulnerabilities in Pre-Installed Apps in Android Firmware. (Sec'20)

Detecting and Measuring Misconfigured Manifest in Android Apps. (CCS'22)

Proposal Due
10/04 Mobile / IoT Privacy:
policies, trackers, 		Post-GDPR Threat Hunting on Android Phones: Dissecting OS-level Safeguards of User-unresettable Identifiers.. (NDSS'23)

Are You Spying on Me? Large-Scale Analysis on IoT Data Exposure through Companion Apps. (Sec'23)

10/11 IoT Security:
Evaluation of Security Policies
and Vulnerability Vetting		 Understanding IoT Security from a Market-Scale Perspective. (CCS'22)

IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing. (NDSS'28)

Android SmartTVs Vulnerability Discovery via Log-Guided Fuzzing. (Sec'21)

10/18 No Class READING WEEK
10/25 ML for Mobile Malware
and PHA Detection		 Continuous Learning for Android Malware Detection. (Sec'23)

DeepIntent: Deep Icon-Behavior Learning for Detecting Intention-Behavior Discrepancy in Mobile Apps. (CCS'19)

Project Progress Report Due
11/1 Deep Learning Models,
threats and usage
by Android apps		 The Droid is in the Details: Environment-aware Evasion of Android Sandboxes. (NDSS'22)

Understanding Real-world Threats to Deep Learning Models in Android Apps. (CCS'22)

11/8 LLMs for Android Security Large Language Models for Code Analysis: Do LLMs Really Do Their Job? (Sec'24)

Large Language Model vs. Stack Overflow in Addressing Android Permission Related Challenges. (MSR'24)

11/15 Recent Trends in mobile
and IoT ecosystems		 Uncovering and Exploiting Hidden APIs in Mobile Super Apps. (CCS'23)

One Size Does Not Fit All: Uncovering and Exploiting Cross Platform Discrepant APIs in WeChat. (Sec'23)

11/22 IoT Security:
Security Enhancement		 ARGUS: Context-Based Detection of Stealthy IoT Infiltration Attacks. (Sec'23)

IOTGUARD: Dynamic Enforcement of Security and Safety Policy in Commodity IoT. (NDSS'19)

11/29 Project Presentations Final Report DUE DEC 10