Measuring and Mitigating Security and Privacy Issues on Android Applications

Over time, the increasing popularity of the Android operating system (OS) has resulted in its user-base surging past 1 billion unique devices. As a result, cybercriminals and other non-criminal actors are attracted to the OS due to the amount of user information they can access. Aiming to investigate security and privacy issues on the Android ecosystem, previous work has shown that it is possible for malevolent actors to steal users' sensitive personal information over the network, via malicious applications, or vulnerability exploits etc., presenting proof of concepts or evidences of exploits. Due to the ever-changing nature of the Android ecosystem and the arms race involved in detecting and mitigating malicious applications, it is important to continuously examine the ecosystem for security and privacy issues. This thesis presents research contributions in this space, and it is divided into two parts. The first part focuses on measuring and mitigating vulnerabilities in applications due to poor implementation of security and privacy protocols. In particular, we investigate the implementation of the SSL/TLS protocol validation logic, and properties such as ephemerality, anonymity, and end-to-end encryption. We show that, despite increased awareness of vulnerabilities in SSL/TLS implementation by application developers, these vulnerabilities are still present in popular applications, allowing malicious actors steal users' information. To help developers mitigate them, we provide useful recommendations such as enabling SSL/TLS pinning and using the same certificate validation logic in their test and development environments. The second part of this thesis focuses on the detection of malicious applications that compromise users' security and privacy, the detection performance of the different program analysis approach, and the influence of different input generators during dynamic analysis on detection performance. We present a novel method for detecting malicious applications, which is less susceptible to the evolution of the Android ecosystem (i.e., changes in the Android framework as a result of the addition/removal of API calls in new releases) and malware (i.e., changes in techniques to evade detection) compared to previous methods. Overall, this thesis contributes to knowledge around Android apps with respect to, vulnerability discovery that leads to loss of users' security and privacy, and the design of robust Android malware detection tools. It highlights the need for continual evaluation of apps as the ecosystem changes to detect and prevent vulnerabilities and malware that results in a compromise of users' security and privacy

A Framework For Detecting And Countering Android Ui Attacks Via Inspection Of Ipc Traffic

Android represents an ever-increasing share of the worldwide smart device market. The platform\u27s ubiquity and open nature make Android a prime target for malicious actors. Unfortunately, device fragmentation among manufacturers makes maintaining cyber security difficult, invoking the need for third party security software. We present a framework for detecting and countering deceptive user interface attacks on the Android platform via inspection and analysis of inter-process communication transactions in the operating system. We evaluate our proof of concept implementation on a known class of malware that exploits the Android display system, allowing a malicious application to control the screen and mimic any application launched by the user. We achieve 100% detection rate of this malicious behavior with no false alarms

Privacy by (re)design: a comparative study of the protection of personal information in the mobile applications ecosystem under United States, European Union and South African law.

Doctoral Degree. University of KwaZulu-Natal, Durban.The dissertation presents a comparative desktop study of the application of a Privacy by Design (PbD) approach to the protection of personal information in the mobile applications ecosystem under the Children’s Online Privacy Protection Act (COPPA) and the California Consumer Protection Act (CCPA) in the United States, the General Data Protection Regulation (GDPR) in the European Union, and the Protection of Personal Information Act (POPIA) in South Africa. The main problem considered in the thesis is whether there is an ‘accountability gap’ within the legislation selected for comparative study. This is analysed by examining whether the legislation can be enforced against parties other than the app developer in the mobile app ecosystem, as it is theorised that only on this basis will the underlying technologies and architecture of mobile apps be changed to support a privacy by (re)design approach. The key research question is what legal approach is to be adopted to enforce such an approach within the mobile apps ecosystem. It describes the complexity of the mobile apps ecosystem, identifying the key role players and the processing operations that take place. It sets out what is encompassed by the conceptual framework of PbD, and why the concept of privacy by (re)design may be more appropriate in the context of mobile apps integrating third party services and products. It identifies the core data protection principles of data minimisation and accountability, and the nature of informed consent, as being essential to an effective PbD approach. It concludes that without strengthening the legal obligations pertaining to the sharing of personal information with third parties, neither regulatory guidance, as is preferred in the United States, nor a direct legal obligation, as created by article 25 of the GDPR, is adequate to enforce a PbD approach within the mobile apps ecosystem. It concludes that although a PbD approach is implied for compliance by a responsible party with POPIA, legislative reforms are necessary. It proposes amendments to POPIA to address inadequacies in the requirements for notice, and to impose obligations on a responsible party in relation to the sharing of personal information with third parties who will process the personal information for further, separate purposes

Safety and Reliability - Safe Societies in a Changing World

The contributions cover a wide range of methodologies and application areas for safety and reliability that contribute to safe societies in a changing world. These methodologies and applications include: - foundations of risk and reliability assessment and management - mathematical methods in reliability and safety - risk assessment - risk management - system reliability - uncertainty analysis - digitalization and big data - prognostics and system health management - occupational safety - accident and incident modeling - maintenance modeling and applications - simulation for safety and reliability analysis - dynamic risk and barrier management - organizational factors and safety culture - human factors and human reliability - resilience engineering - structural reliability - natural hazards - security - economic analysis in risk managemen

Responsible AI and Analytics for an Ethical and Inclusive Digitized Society

publishedVersio

A Generic Framework for Enforcing Security in Distributed Systems

A large extent of today's computer programs is distributed. For instance, services for backups, file storage, and cooperative work are now typically managed by distributed programs. The last two decades also brought a variety of services establishing social networks, from exchanging short messages to sharing personal information to dating. In each of the services, distributed programs process and store sensitive information about their users or the corporations their users work for. Secure processing of the sensitive information is essential for service providers. For instance, businesses are bound by law to take security measures against conflicts of interest. Beyond legal regulations, service providers are also pressed by users to satisfy their demands for security, such as the privacy of their profiles and messages in online social networks. In both instances, the prospect of security violations by a service provider constitutes a serious disadvantage and deters potential users from using the service. The focus of this thesis is on enabling service providers to secure their distributed programs by means of run-time enforcement mechanisms. Run-time enforcement mechanisms enforce security in a given program by monitoring, at run-time, the behavior of the program and by intervening when security violations are about to occur. Enforcing security in a distributed program includes securing the behavior of the individual agents of the distributed program as well as securing the joint behavior of all the agents. We present a framework for enforcing security in distributed programs. The framework combines tools and techniques for the specification, enforcement, and verification of security policies for distributed programs. For the specification of security policies, the framework provides the policy language CoDSPL. For generating run-time enforcement mechanisms from given security policies and applying these mechanisms to given distributed programs, the framework includes the tool CliSeAu. For the verification of generated enforcement mechanisms, the framework provides a formal model in the process algebra CSP. All three, the policy language, the tool, and the formal model allow for the distributed units of enforcement mechanisms to cooperate with each other. For supporting the specification of cooperating units, the framework provides two techniques as extensions of CoDSPL: a technique for specifying cooperation in a modular fashion and a technique for effectively cooperating in presence of race conditions. Finally, with the cross-lining technique of the framework, we devise a general approach for instrumenting distributed programs to apply an enforcement mechanism whose units can cooperate. The particular novelty of the presented framework is that the cooperation to be performed can be specified by the security policies and can take place even when the agents of the distributed program do not interact. This distinguishing feature of the framework enables one to specify and enforce security policies that employ a form of cooperation that suits the application scenario: Cooperation can be used when one's security requirements cannot be enforced in a fully decentralized fashion; but the overhead of cooperation can be avoided when no cooperation is needed. The case studies described in this thesis provide evidence that our framework is suited for enforcing custom security requirements in services based on third-party programs. In the case studies, we use the framework for developing two run-time enforcement mechanisms: one for enforcing a policy against conflicts of interest in a storage service and one for enforcing users' privacy policies in online social networks with respect to the sharing and re-sharing of messages. In both case studies, we experimentally verify the enforcement mechanisms to be effective and efficient, with an overhead in the range of milliseconds

Factors Influencing Customer Satisfaction towards E-shopping in Malaysia

Online shopping or e-shopping has changed the world of business and quite a few people have decided to work with these features. What their primary concerns precisely and the responses from the globalisation are the competency of incorporation while doing their businesses. E-shopping has also increased substantially in Malaysia in recent years. The rapid increase in the e-commerce industry in Malaysia has created the demand to emphasize on how to increase customer satisfaction while operating in the e-retailing environment. It is very important that customers are satisfied with the website, or else, they would not return. Therefore, a crucial fact to look into is that companies must ensure that their customers are satisfied with their purchases that are really essential from the ecommerce’s point of view. With is in mind, this study aimed at investigating customer satisfaction towards e-shopping in Malaysia. A total of 400 questionnaires were distributed among students randomly selected from various public and private universities located within Klang valley area. Total 369 questionnaires were returned, out of which 341 questionnaires were found usable for further analysis. Finally, SEM was employed to test the hypotheses. This study found that customer satisfaction towards e-shopping in Malaysia is to a great extent influenced by ease of use, trust, design of the website, online security and e-service quality. Finally, recommendations and future study direction is provided. Keywords: E-shopping, Customer satisfaction, Trust, Online security, E-service quality, Malaysia

Друга міжнародна конференція зі сталого майбутнього: екологічні, технологічні, соціальні та економічні питання (ICSF 2021). Кривий Ріг, Україна, 19-21 травня 2021 року

Second International Conference on Sustainable Futures: Environmental, Technological, Social and Economic Matters (ICSF 2021). Kryvyi Rih, Ukraine, May 19-21, 2021.Друга міжнародна конференція зі сталого майбутнього: екологічні, технологічні, соціальні та економічні питання (ICSF 2021). Кривий Ріг, Україна, 19-21 травня 2021 року

A Systematic Review and Meta-Analysis of the Incidence of Injury in Professional Female Soccer

The epidemiology of injury in male professional football is well documented and has been used as a basis to monitor injury trends and implement injury prevention strategies. There are no systematic reviews that have investigated injury incidence in women’s professional football. Therefore, the extent of injury burden in women’s professional football remains unknown. PURPOSE: The primary aim of this study was to calculate an overall incidence rate of injury in senior female professional soccer. The secondary aims were to provide an incidence rate for training and match play. METHODS: PubMed, Discover, EBSCO, Embase and ScienceDirect electronic databases were searched from inception to September 2018. Two reviewers independently assessed study quality using the Strengthening the Reporting of Observational Studies in Epidemiology statement using a 22-item STROBE checklist. Seven prospective studies (n=1137 professional players) were combined in a pooled analysis of injury incidence using a mixed effects model. Heterogeneity was evaluated using the Cochrane Q statistic and I2. RESULTS: The epidemiological incidence proportion over one season was 0.62 (95% CI 0.59 - 0.64). Mean total incidence of injury was 3.15 (95% CI 1.54 - 4.75) injuries per 1000 hours. The mean incidence of injury during match play was 10.72 (95% CI 9.11 - 12.33) and during training was 2.21 (95% CI 0.96 - 3.45). Data analysis found a significant level of heterogeneity (total Incidence, X2 = 16.57 P < 0.05; I2 = 63.8%) and during subsequent sub group analyses in those studies reviewed (match incidence, X2 = 76.4 (d.f. = 7), P <0.05; I2 = 90.8%, training incidence, X2 = 16.97 (d.f. = 7), P < 0.05; I2 = 58.8%). Appraisal of the study methodologies revealed inconsistency in the use of injury terminology, data collection procedures and calculation of exposure by researchers. Such inconsistencies likely contribute to the large variance in the incidence and prevalence of injury reported. CONCLUSIONS: The estimated risk of sustaining at least one injury over one football season is 62%. Continued reporting of heterogeneous results in population samples limits meaningful comparison of studies. Standardising the criteria used to attribute injury and activity coupled with more accurate methods of calculating exposure will overcome such limitations