1,898 research outputs found
Towards a Certified Reference Monitor of the Android 10 Permission System
Android is a platform for mobile devices that captures more than 85% of the total market share [International Data Corporation (IDC), 2020]. Currently, mobile devices allow people to develop multiple tasks in different areas. Regrettably, the benefits of using mobile devices are counteracted by increasing security risks. The important and critical role of these systems makes them a prime target for formal verification. In our previous work [Betarte et al., 2018], we exhibited a formal specification of an idealized formulation of the permission model of version 6 of Android. In this paper we present an enhanced version of the model in the proof assistant Coq, including the most relevant changes concerning the permission system introduced in versions Nougat, Oreo, Pie and 10. The properties that we had proved earlier for the security model have been either revalidated or refuted, and new ones have been formulated and proved. Additionally, we make observations on the security of the most recent versions of Android. Using the programming language of Coq we have developed a functional implementation of a reference validation mechanism and certified its correctness. The formal development is about 23k LOC of Coq, including proofs
How Smart is your Android Smartphone?
Smart phones are ubiquitous today. These phones generally have access to sensitive personal information and, consequently, they are a prime target for attackers. A virus or worm that spreads over the network to cell phone users could be particularly damaging. Due to a rising demand for secure mobile phones, manufacturers have increased their emphasis on mobile security. In this project, we address some security issues relevant to the current Android smartphone framework. Specifically, we demonstrate an exploit that targets the Android telephony service. In addition, as a defense against the loss of personal information, we provide a means to encrypt data stored on the external media card. While smartphones remain vulnerable to a variety of security threats, this encryption provides an additional level of security
A Mobile application for tracking and verification of cobalt ores in artisanal mines a case study of democratic republic of Congo
A Dissertation submitted in partial fulfillment of the requirements for the Degree of Master of Science in Mobile Telecommunications and Innovation (MSc. MTI)Tracking and verification of Cobalt in artisanal mines is enormously challenging in the Democratic Republic of Congo. Several artisanal mining companies have been disseminated throughout the country, some of these companies are involved in illegal exports and branding of Cobalt ores. Consequently, these unlawful activities are leaching a fifth of all Cobalt revenue away from the state budget. It is estimated that between 2013 and 2016, over $1.3 billion of payment by mining companies to Congoâs tax agencies never reached the national treasury.
This research used an online questionnaire that was distributed to 95 mine inspectors and mining officers to give a comprehensive study of characteristics of a licit Cobalt ores bag, methods and technology currently used to track and verify Cobalt ores bags and how a mobile application for tracking and verification of Cobalt bags can be designed, developed and tested. Google analytics tools were used to collect data from respondents. The results were used to attain the system requirements and design of an Android application for tracking and verification of Cobalt ores in artisanal mines. Agile software development methodology was used because it allows iteration and gets the user involved in the entire process of development. The Android application was integrated with a back-end application which gives a synopsis of Cobalt ores bags legally extracted and vetted artisanal mines. Testing and validation was done on the final prototype by the potential users of the application. Mine inspectors, mining officers and ultimately the government tax collector agencies stand to gain by using the mobile application to ensure that a Cobalt ores bag has been extracted from a vetted artisanal mine. It allows the government to maximize the revenue from tax on Cobalt extracted from artisanal mines and minimize significantly the illegal exports and rebranding of Cobalt ores in artisanal mining sector.
The proposed system achieved imposing results in terms of functionalities. Respondents stated that the system solved the problem related to tracking and verification of Cobalt ores in artisanal mines. 100 % of respondents were able to scan or generate the QR code. It crucial to note that if the system is adopted by the government through the Ministry of mines, illegal exportation and branding of Cobalt ores can be significantly reduced
AppGuard â fine-grained policy enforcement for untrusted android applications
Androidâs success makes it a prominent target for malicious software. However, the user has very limited control over security-relevant operations. This work presents AppGuard, a powerful and flexible security system that overcomes these deficiencies. It enforces user-defined security policies on untrusted Android applications without requiring any changes to a smartphoneâs firmware, root access, or the like. Finegrained and stateful security policies are expressed in a formal specification language, which also supports secrecy requirements. Our system offers complete mediation of security-relevant methods based on calleesite inline reference monitoring and supports widespread deployment. In the experimental analysis we demonstrate the removal of permissions for overly curious apps as well as how to defend against several recent real-world attacks on Android phones. Our technique exhibits very little space and runtime overhead. The utility of AppGuard has already been demonstrated by more than 1,000,000 downloads
Do Androids Dream of Electric Sheep? On Privacy in the Android Supply Chain
The Android Open Source Project (AOSP) was first released by Google in 2008 and
has since become the most used operating system [Andaf]. Thanks to the openness
of its source code, any smartphone vendor or original equipment manufacturer
(OEM) can modify and adapt Android to their specific needs, or add proprietary features
before installing it on their devices in order to add custom features to differentiate themselves
from competitors. This has created a complex and diverse supply chain, completely opaque to
end-users, formed by manufacturers, resellers, chipset manufacturers, network operators, and
prominent actors of the online industry that partnered with OEMs. Each of these stakeholders
can pre-install extra apps, or implement proprietary features at the framework level.
However, such customizations can create privacy and security threats to end-users. Preinstalled
apps are privileged by the operating system, and can therefore access system APIs
or personal data more easily than apps installed by the user. Unfortunately, despite these
potential threats, there is currently no end-to-end control over what apps come pre-installed
on a device and why, and no traceability of the different software and hardware components
used in a given Android device. In fact, the landscape of pre-installed software in Android and
its security and privacy implications has largely remained unexplored by researchers.
In this thesis, I investigate the customization of Android devices and their impact on the
privacy and security of end-users. Specifically, I perform the first large-scale and systematic
analysis of pre-installed Android apps and the supply chain. To do so, I first develop an app,
Firmware Scanner [Sca], to crowdsource close to 34,000 Android firmware versions from 1,000
different OEMs from all over the world. This dataset allows us to map the stakeholders involved
in the supply chain and their relationships, from device manufacturers and mobile network operators
to third-party organizations like advertising and tracking services, and social network
platforms. I could identify multiple cases of privacy-invasive and potentially harmful behaviors.
My results show a disturbing lack of transparency and control over the Android supply
chain, thus showing that it can be damageable privacy- and security-wise to end-users.
Next, I study the evolution of the Android permission system, an essential security feature of the Android framework. Coupled with other protection mechanisms such as process sandboxing,
the permission system empowers users to control what sensitive resources (e.g., user
contacts, the camera, location sensors) are accessible to which apps. The research community
has extensively studied the permission system, but most previous studies focus on its limitations
or specific attacks. In this thesis, I present an up-to-date view and longitudinal analysis
of the evolution of the permissions system. I study how some lesser-known features of the
permission system, specifically permission flags, can impact the permission granting process,
making it either more restrictive or less. I then highlight how pre-installed apps developers
use said flags in the wild and focus on the privacy and security implications. Specifically, I
show the presence of third-party apps, installed as privileged system apps, potentially using
said features to share resources with other third-party apps.
Another salient feature of the permission system is its extensibility: apps can define their
own custom permissions to expose features and data to other apps. However, little is known
about how widespread the usage of custom permissions is, and what impact these permissions
may have on usersâ privacy and security. In the last part of this thesis, I investigate the exposure
and request of custom permissions in the Android ecosystem and their potential for opening
privacy and security risks. I gather a 2.2-million-app-large dataset of both pre-installed and
publicly available apps using both Firmware Scanner and purpose-built app store crawlers.
I find the usage of custom permissions to be pervasive, regardless of the origin of the apps,
and seemingly growing over time. Despite this prevalence, I find that custom permissions are
virtually invisible to end-users, and their purpose is mostly undocumented. While Google recommends
that developers use their reverse domain name as the prefix of their custom permissions
[Gpla], I find widespread violations of this recommendation, making sound attribution
at scale virtually impossible. Through static analysis methods, I demonstrate that custom permissions
can facilitate access to permission-protected system resources to apps that lack those
permissions, without user awareness. Due to the lack of tools for studying such risks, I design
and implement two tools, PermissionTracer [Pere] and PermissionTainter [Perd] to study
custom permissions. I highlight multiple cases of concerning use of custom permissions by
Android apps in the wild.
In this thesis, I systematically studied, at scale, the vast and overlooked ecosystem of preinstalled
Android apps. My results show a complete lack of control of the supply chain which
is worrying, given the huge potential impact of pre-installed apps on the privacy and security
of end-users. I conclude with a number of open research questions and future avenues for
further research in the ecosystem of the supply chain of Android devices.This work has been supported by IMDEA Networks InstitutePrograma de Doctorado en IngenierĂa TelemĂĄtica por la Universidad Carlos III de MadridPresidente: Douglas Leith.- Secretario: RubĂŠn Cuevas RumĂn.- Vocal: Hamed Haddad
Formal analysis of security models for mobile devices, virtualization platforms and domain name systems
En esta tesis investigamos la seguridad de aplicaciones de seguridad criticas, es decir aplicaciones en las cuales una falla podria producir consecuencias inaceptables. Consideramos tres areas: dispositivos moviles, plataformas de virtualizacion y sistemas de nombres de dominio. La plataforma Java Micro Edition define el Perfil para Dispositivos de Informacion Moviles (MIDP) para facilitar el desarrollo de aplicaciones para dispositivos moviles, como telefonos celulares y asistentes digitales personales. En este trabajo primero estudiamos y comparamos formalmente diversas variantes del modelo de seguridad especificado por MIDP para acceder a recursos sensibles de un dispositivo movil. Los hipervisores permiten que multiples sistemas operativos se ejecuten en un hardware compartido y ofrecen un medio para establecer mejoras de seguridad y flexibilidad de sistemas de software. En esta tesis formalizamos un modelo de hipervisor y establecemos (formalmente) que el hipervisor asegura propiedades de aislamiento entre los diferentes sistemas operativos de la plataforma, y que las solicitudes de estos sistemas son atendidas siempre. Demostramos tambien que las plataformas virtualizadas son transparentes, es decir, que un sistema operativo no puede distinguir si ejecuta solo en la plataforma o si lo hace junto con otros sistemas operativos. Las Extensiones de Seguridad para el Sistema de Nombres de Dominio (DNSSEC) constituyen un conjunto de especificaciones que proporcionan servicios de aseguramiento de autenticacion e integridad de origen de datos DNS. Finalmente, presentamos una especificaci´on minimalista de un modelo de DNSSEC que proporciona los fundamentos necesarios para formalmente establecer y verificar propiedades de seguridad relacionadas con la cadena de confianza del arbol de DNSSEC. Desarrollamos todas nuestras formalizaciones en el C´alculo de Construccion
Privaros: A Framework for Privacy-Compliant Delivery Drones
We present Privaros, a framework to enforce privacy policies on drones.
Privaros is designed for commercial delivery drones, such as the ones that will
likely be used by Amazon Prime Air. Such drones visit a number of host
airspaces, each of which may have different privacy requirements. Privaros
provides an information flow control framework to enforce the policies of these
hosts on the guest delivery drones. The mechanisms in Privaros are built on top
of ROS, a middleware popular in many drone platforms. This paper presents the
design and implementation of these mechanisms, describes how policies are
specified, and shows that Privaros's policy specification can be integrated
with India's Digital Sky portal. Our evaluation shows that a drone running
Privaros can robustly enforce various privacy policies specified by hosts, and
that its core mechanisms only marginally increase communication latency and
power consumption
Accredited qualifications for capacity development in disaster risk reduction and climate change adaptation
Increasingly practitioners and policy makers working
across the globe are recognising the importance of
bringing together disaster risk reduction and climate
change adaptation. From studies across 15 Pacific island
nations, a key barrier to improving national resilience
to disaster risks and climate change impacts has been
identified as a lack of capacity and expertise resulting
from the absence of sustainable accredited and quality
assured formal training programmes in the disaster risk
reduction and climate change adaptation sectors. In the
2016 UNISDR Science and Technology Conference
on the Implementation of the Sendai Framework for
Disaster Risk Reduction 2015â2030, it was raised that
most of the training material available are not reviewed
either through a peer-to-peer mechanism or by the
scientific community and are, thus, not following quality
assurance standards. In response to these identified
barriers, this paper focuses on a call for accredited formal
qualifications for capacity development identified in the
2015 United Nations landmark agreements in DRR and
CCA and uses the Pacific Islands Region of where this
is now being implemented with the launch of the Pacific
Regional Federation of Resilience Professionals, for
DRR and CCA. A key issue is providing an accreditation
and quality assurance mechanism that is shared across
boundaries. This paper argues that by using the United
Nations landmark agreements of 2015, support for a
regionally accredited capacity development that ensures
all countries can produce, access and effectively use
scientific information for disaster risk reduction and
climate change adaptation. The newly launched Pacific
Regional Federation of Resilience Professionals who
work in disaster risk reduction and climate change
adaptation may offer a model that can be used more
widely
âAnd all the pieces matter...â Hybrid Testing Methods for Android App's Privacy Analysis
Smartphones have become inherent to the every day life of billions of people worldwide, and they
are used to perform activities such as gaming, interacting with our peers or working. While extremely
useful, smartphone apps also have drawbacks, as they can affect the security and privacy of users.
Android devices hold a lot of personal data from users, including their social circles (e.g., contacts),
usage patterns (e.g., app usage and visited websites) and their physical location. Like in most software
products, Android apps often include third-party code (Software Development Kits or SDKs) to
include functionality in the app without the need to develop it in-house. Android apps and third-party
components embedded in them are often interested in accessing such data, as the online ecosystem
is dominated by data-driven business models and revenue streams like advertising.
The research community has developed many methods and techniques for analyzing the privacy
and security risks of mobile apps, mostly relying on two techniques: static code analysis and dynamic
runtime analysis. Static analysis analyzes the code and other resources of an app to detect potential
app behaviors. While this makes static analysis easier to scale, it has other drawbacks such as
missing app behaviors when developers obfuscate the appâs code to avoid scrutiny. Furthermore,
since static analysis only shows potential app behavior, this needs to be confirmed as it can also
report false positives due to dead or legacy code. Dynamic analysis analyzes the apps at runtime to
provide actual evidence of their behavior. However, these techniques are harder to scale as they need
to be run on an instrumented device to collect runtime data. Similarly, there is a need to stimulate
the app, simulating real inputs to examine as many code-paths as possible. While there are some
automatic techniques to generate synthetic inputs, they have been shown to be insufficient.
In this thesis, we explore the benefits of combining static and dynamic analysis techniques to
complement each other and reduce their limitations. While most previous work has often relied on
using these techniques in isolation, we combine their strengths in different and novel ways that allow
us to further study different privacy issues on the Android ecosystem. Namely, we demonstrate the
potential of combining these complementary methods to study three inter-related issues:
⢠A regulatory analysis of parental control apps. We use a novel methodology that relies on
easy-to-scale static analysis techniques to pin-point potential privacy issues and violations of
current legislation by Android apps and their embedded SDKs. We rely on the results from our
static analysis to inform the way in which we manually exercise the apps, maximizing our ability
to obtain real evidence of these misbehaviors. We study 46 publicly available apps and find
instances of data collection and sharing without consent and insecure network transmissions
containing personal data. We also see that these apps fail to properly disclose these practices
in their privacy policy.
⢠A security analysis of the unauthorized access to permission-protected data without user consent.
We use a novel technique that combines the strengths of static and dynamic analysis, by
first comparing the data sent by applications at runtime with the permissions granted to each
app in order to find instances of potential unauthorized access to permission protected data.
Once we have discovered the apps that are accessing personal data without permission, we
statically analyze their code in order to discover covert- and side-channels used by apps and SDKs to circumvent the permission system. This methodology allows us to discover apps using
the MAC address as a surrogate for location data, two SDKs using the external storage as a
covert-channel to share unique identifiers and an app using picture metadata to gain unauthorized
access to location data.
⢠A novel SDK detection methodology that relies on obtaining signals observed both in the appâs
code and static resources and during its runtime behavior. Then, we rely on a tree structure
together with a confidence based system to accurately detect SDK presence without the need
of any a priory knowledge and with the ability to discern whether a given SDK is part of legacy
or dead code. We prove that this novel methodology can discover third-party SDKs with more
accuracy than state-of-the-art tools both on a set of purpose-built ground-truth apps and on a
dataset of 5k publicly available apps.
With these three case studies, we are able to highlight the benefits of combining static and dynamic
analysis techniques for the study of the privacy and security guarantees and risks of Android
apps and third-party SDKs. The use of these techniques in isolation would not have allowed us to
deeply investigate these privacy issues, as we would lack the ability to provide real evidence of potential
breaches of legislation, to pin-point the specific way in which apps are leveraging cover and side
channels to break Androidâs permission system or we would be unable to adapt to an ever-changing
ecosystem of Android third-party companies.The works presented in this thesis were partially funded within the framework of the following projects
and grants:
⢠European Unionâs Horizon 2020 Innovation Action program (Grant Agreement No. 786741,
SMOOTH Project and Grant Agreement No. 101021377, TRUST AWARE Project).
⢠Spanish Government ODIO NºPID2019-111429RB-C21/PID2019-111429RBC22.
⢠The Spanish Data Protection Agency (AEPD)
⢠AppCensus Inc.This work has been supported by IMDEA Networks InstitutePrograma de Doctorado en IngenierĂa TelemĂĄtica por la Universidad Carlos III de MadridPresidente: Srdjan Matic.- Secretario: Guillermo SuĂĄrez-Tangil.- Vocal: Ben Stoc
Deductive formal verification of embedded systems
We combine static analysis techniques with model-based deductive verification using SMT solvers to provide a framework that, given an analysis aspect of the source code, automatically generates an analyzer capable of inferring information about that aspect.
The analyzer is generated by translating the collecting semantics of a program to a formula in first order logic over multiple underlying theories. We import the semantics of the API invocations as first order logic assertions. These assertions constitute the models used by the analyzer. Logical specification of the desired program behavior is incorporated as a first order logic formula. An SMT-LIB solver treats the combined formula as a constraint and solves it. The solved form can be used to identify logical and security errors in embedded programs. We have used this framework to analyze Android applications and MATLAB code.
We also report the formal verification of the conformance of the open source Netgear WNR3500L wireless router firmware implementation to the RFC 2131. Formal verification of a software system is essential for its deployment in mission-critical environments. The specifications for the development of routers are provided by RFCs that are only described informally in English. It is prudential to ensure that a router firmware conforms to its corresponding RFC before it can be deployed for managing mission-critical networks. The formal verification process demonstrates the usefulness of inductive types and higher-order logic in software certification
- âŚ