CS 858: Topics on Mobile and IoT Security -- Spring 2026

Syllabus

Catalog Description

Cybercriminals are increasingly targeting mobile and IoT devices. This course examines common framework and application vulnerabilities exploited by adversaries and analyzes the security mechanisms employed by smart-device operating systems—particularly Android—to mitigate these threats. Core topics include access control, IoT security policies, and framework- and application-level security models. The course also explores recent advances in program analysis, as well as modern machine learning approaches, including large language models (LLMs), for assessing and strengthening mobile and IoT security.

Location and Time

  • Wed 1:00pm - 3:50pm in TBD

Instructor

  • Name: Yousra Aafer
  • Email: yaafer AT uwaterloo DOT ca
  • Office hours: By appointment

Course Requirements

The expectations for all CS 858 students are the following:
  1. Participation: Students are expected to attend every class and actively participate in classroom discussions.
  2. Reading: Assigned papers must be read prior to each class.
  3. Weekly Critiques: Each student is required to submit a peer-review-style critique (minimum 400 words) for each assigned paper before it is discussed in class. Each critique should include: (1) a summary of the problem and the paper’s approach, (2) key strengths, (3) weaknesses, (4) potential improvement(s), and (5) questions for class discussion.
  4. Paper Presentation: Each student will present two papers during the semester (approximately 25 minutes each) and lead the corresponding discussion. Additional details will be provided in the introductory session.
  5. Term Project: Students are expected to complete a research project in mobile or IoT security (topics in systems and network security are also acceptable). The primary deliverable is a conference-style paper submitted at the end of the semester. Project topics must be discussed with the instructor within the first three weeks of class. Projects may be completed individually or in pairs. Further details will be provided during the first class.

Paper Selection

Select a paper to present using the signup sheet (link shared via email); selections are first come, first served.

Grading

Component                 | Weight
Paper Presentations       | 20%
Classroom Participation   | 15%
Weekly Critique           | 25%
Final Project             | 40% (10% for the Progress Report, 10% for Project Final Presentation, 20% for Project Report and Artifact)

Policy for Late Submissions

Late submissions within 72 hours will be graded with a 15% penalty for each day. Late submissions beyond 72 hours will not be graded. Exceptions may be granted only on a case-by-case basis, with strong evidence presented.

Schedule

(Tentative; specific topics to be covered will be updated soon)
Date  | Topics | Lecture Notes | Announcement
13/05 | Admin Details, Syllabus and Overview | |
20/05 | Mobile Access Control (Framework): Access Control Mappings | |
27/05 | Detecting Vulnerabilities in Mobile frameworks | |
03/06 | Mobile App Vulnerabilities | | Proposal DUE
10/06 | Mobile / IoT Privacy: policies, trackers, | |
17/06 | IoT Security: Vulnerability Vetting | |
24/06 | ML/LLM For: Malware detection | | Project Progress Discussion / Presentation
01/07 | No Class Canada Day | | Project Progress Report DUE 03/07
08/07 | Mobile App Vulnerabilities | |
15/07 | ML/LLM For: Vulnerability Vetting | |
22/07 | Recent Trends in mobile and IoT ecosystems | |
29/07 | IoT Security: Security Enhancement | |
05/08 | Project Presentations | | Final Report DUE AUG 7