177 research outputs found

    Android Permissions Unleashed

    The Android Security Framework controls the executions of applications through permissions which are statically granted by the user during installation. However, the definition of security policies over permissions is not supported. Security policies must be therefore manually encoded into the application by the developer, which is a dangerous practice and may cause security breaches. We propose an improvement over the Android permission system that supports the specification and enforcement of fine-grained security policies. Enforcement is achieved by reducing policy decision problems to propositional satisfiability and leveraging a state-of-the-art SAT solver. Unlike alternative proposals, our approach does not require changes in the operating system and, therefore, it can be readily deployed in any commercial device

    Mobile Security Education with Android Labs

    The recent consumer explosion of smartphones and tablets has led to the proliferation of sensitive data stored on mobile devices and the cloud. In 2015, it was reported that 16.2% of files uploaded to file sharing services contain sensitive data (Skyhigh Networks). With users having so much personal data on their devices and the cloud, security becomes an imperative subject. Unfortunately, security is often overlooked or implemented improperly in many commercial devices. Knowledge of security fundamentals is essential to ensure users maintain their privacy and security. The work in this thesis designs and implements five labs for a potential undergraduate mobile security course with a focus on the Android operating system. The purpose of these labs is to give students practical experience and awareness in mobile security. In the first lab, I teach the basics of the Android Software Development Kit (SDK), such as accessing device hardware components and getting user permissions. The second lab teaches students how to inject malicious code into an existing app. The third lab teaches students how to implement a man-in-the-middle attack using a WiFi Pineapple and set up an OAuth 2.0 session. In the fourth lab, students learn how to use Metasploit to run an exploit to get remote shell access to a device. In the fifth lab, I teach students how to get a device's WiFi information and how to interface with the WiGLE.net and Google Maps Android APIs

    An Intuitive Control API for Catroid

    In this research, the main objective is to develop an intuitive control API in Catroid to enhance its usability as a graphical programming tool for children and study the human-mobile interaction and experience made possible with this control API. Another objective is to develop this control API in open source development method and benchmark it with the typical software development method. It would greatly enrich user experience if Catroid can provide support for implementing intuitive control concepts to enhance its usability for children. But currently Catroid does not have control API support to develop intuitive user interaction with the application. In brief, an intuitive control API is missing in Catroid. Without such an API, the potential of Catroid as a programming tool cannot be unleashed. This research studies the maximization programming power of Catroid and advancement of control API in Catroid into a more intuitive form. This research studies the Open Source Development Model used to develop the control API. The scope of prototype will only cover locating direction, tilting, turning, and shaking motions as the new intuitive control made possible in Catroid. The research methodology is Open Source Development Methodology (OSDM) and the Test-Driven Development Method with Extreme Programming is used for code development. The objective of OSDM is to utilize the online community who are the users and developers of Catroid to review and test source code to improve the software quality. The intuitive control API where phone sensors are integrated will further improve the user interaction and experience both in using Catroid and its application. The intuitive control API consists of sensor variables and If-Then-Else Command Block. The If-Then-Else Command Block acts as the control and the sensor variables make the control become intuitive. Accelerometer and orientation sensor are implemented in this control API where each of the sensors contributed 3 different values acted as the sensor variables: X-Sensor Acceleration, Y-Sensor Acceleration, Z-Sensor Acceleration, Azimuth, Pitch, and Roll. These sensor variables can be assigned to or removed from any text field in the Command Blocks using the Formula Editor. The usage of the intuitive control API is simple and straightforward. When a sensor variable is assigned to one of the fields in If-Then-Else Command Blocks, the intuitive control is developed. The Command Blocks in between the If-Statement Command Block and End of If Command Block will be executed whenever the logic condition in the If-Statement is true. Various intuitive user interactions could be developed depending on the creativity of users. The most popular intuitive user interactions are through locating direction, tilting, turning and shaking motions. Open Source Development Method allows developers to redefine the user requirements along with the software development which reduces the risk of software failure in the end of development

    Application Design for Food and Beverage Online Delivery System Based of Android Framework

    Providing good services and satisfaction to customers is the main concern of online business. As technology is developed rapidly, many online restaurants have sought a user-friendly platform to serve their customers. The purpose of this research is to build an Android-based online order application for online delivery restaurant. We added features of outlets distribution and product promos. We also developed a more user-friendly interface as new design. Through Waterfall development method, we design the application which is based on android APP Inventor framework. Based on the assessment result of four aspects (e.g., software engineering defect, learning design, visual communication), we got average scores of 2.45, 3.40, 3.35 and 3.07. The assessment results showed that our application design is eligible to be implemented for real situation with fairly eligible score. It is recommended that the application is implemented with partial improvement especially on the software engineering debugging to get a more decent score

    Trusted Hart for Mobile RISC-V Security

    The majority of mobile devices today are based on Arm architecture that supports the hosting of trusted applications in Trusted Execution Environment (TEE). RISC-V is a relatively new open-source instruction set architecture that was engineered to fit many uses. In one potential RISC-V usage scenario, mobile devices could be based on RISC-V hardware. We consider the implications of porting the mobile security stack on top of a RISC-V system on a chip, identify the gaps in the open-source Keystone framework for building custom TEEs, and propose a security architecture that, among other things, supports the GlobalPlatform TEE API specification for trusted applications. In addition to Keystone enclaves the architecture includes a Trusted Hart -- a normal core that runs a trusted operating system and is dedicated for security functions, like control of the device's keystore and the management of secure peripherals. The proposed security architecture for RISC-V platform is verified experimentally using the HiFive Unleashed RISC-V development board. Comment: This is an extended version of a paper that has been published in Proceedings of TrustCom 202

    Artificial Intelligence and Machine Learning in Cybersecurity: Applications, Challenges, and Opportunities for MIS Academics

    The availability of massive amounts of data, fast computers, and superior machine learning (ML) algorithms has spurred interest in artificial intelligence (AI). It is no surprise, then, that we observe an increase in the application of AI in cybersecurity. Our survey of AI applications in cybersecurity shows most of the present applications are in the areas of malware identification and classification, intrusion detection, and cybercrime prevention. We should, however, be aware that AI-enabled cybersecurity is not without its drawbacks. Challenges to AI solutions include a shortage of good quality data to train machine learning models, the potential for exploits via adversarial AI/ML, and limited human expertise in AI. However, the rewards in terms of increased accuracy of cyberattack predictions, faster response to cyberattacks, and improved cybersecurity make it worthwhile to overcome these challenges. We present a summary of the current research on the application of AI and ML to improve cybersecurity, challenges that need to be overcome, and research opportunities for academics in management information systems

    Explaining Vulnerabilities of Deep Learning to Adversarial Malware Binaries

    Recent work has shown that deep-learning algorithms for malware detection are also susceptible to adversarial examples, i.e., carefully-crafted perturbations to input malware that enable misleading classification. Although this has questioned their suitability for this task, it is not yet clear why such algorithms are easily fooled also in this particular application domain. In this work, we take a first step to tackle this issue by leveraging explainable machine-learning algorithms developed to interpret the black-box decisions of deep neural networks. In particular, we use an explainable technique known as feature attribution to identify the most influential input features contributing to each decision, and adapt it to provide meaningful explanations to the classification of malware binaries. In this case, we find that a recently-proposed convolutional neural network does not learn any meaningful characteristic for malware detection from the data and text sections of executable files, but rather tends to learn to discriminate between benign and malware samples based on the characteristics found in the file header. Based on this finding, we propose a novel attack algorithm that generates adversarial malware binaries by only changing few tens of bytes in the file header. With respect to the other state-of-the-art attack algorithms, our attack does not require injecting any padding bytes at the end of the file, and it is much more efficient, as it requires manipulating much fewer bytes
