858 research outputs found
AdSplit: Separating smartphone advertising from applications
A wide variety of smartphone applications today rely on third-party
advertising services, which provide libraries that are linked into the hosting
application. This situation is undesirable for both the application author and
the advertiser. Advertising libraries require additional permissions, resulting
in additional permission requests to users. Likewise, a malicious application
could simulate the behavior of the advertising library, forging the user's
interaction and effectively stealing money from the advertiser. This paper
describes AdSplit, where we extended Android to allow an application and its
advertising to run as separate processes, under separate user-ids, eliminating
the need for applications to request permissions on behalf of their advertising
libraries.
We also leverage mechanisms from Quire to allow the remote server to validate
the authenticity of client-side behavior. In this paper, we quantify the degree
of permission bloat caused by advertising, with a study of thousands of
downloaded apps. AdSplit automatically recompiles apps to extract their ad
services, and we measure minimal runtime overhead. We also observe that most ad
libraries just embed an HTML widget within and describe how AdSplit can be
designed with this in mind to avoid any need for ads to have native code
HybridGuard: A Principal-based Permission and Fine-Grained Policy Enforcement Framework for Web-based Mobile Applications
Web-based or hybrid mobile applications (apps) are widely used and supported by various modern hybrid app development frameworks. In this architecture, any JavaScript code, local or remote, can access available APIs, including JavaScript bridges provided by the hybrid framework, to access device resources. This JavaScript inclusion capability is dangerous, since there is no mechanism to determine the origin of the code to control access, and any JavaScript code running in the mobile app can access the device resources through the exposed APIs. Previous solutions are either limited to a particular platform (e.g., Android) or a specific hybrid framework (e.g., Cordova) or only protect the device resources and disregard the sensitive elements in the web environment. Moreover, most of the solutions require the modification of the base platform. In this paper, we present HybridGuard, a novel policy enforcement framework that can enforce principal-based, stateful policies, on multiple origins without modifying the hybrid frameworks or mobile platforms. In HybridGuard, hybrid app developers can specify principal-based permissions, and define fine-grained, and stateful policies that can mitigate a significant class of attacks caused by potentially malicious JavaScript code included from third-party domains, including ads running inside the app. HybridGuard also provides a mechanism and policy patterns for app developers to specify fine-grained policies for multiple principals. HybridGuard is implemented in JavaScript, therefore, it can be easily adapted for other hybrid frameworks or mobile platforms without modification of these frameworks or platforms. We present attack scenarios and report experimental results to demonstrate how HybridGuard can thwart attacks against hybrid mobile apps
Fine-Grained Access Control for HTML5-Based Mobile Applications in Android
HTML5-based mobile applications are becoming more and more popular because they can run on different platforms. Several newly introduced mobile OS natively support HTML5-based applications. For those that do not provide native sup-port, such as Android, iOS, and Windows Phone, developers can develop HTML5-based applications using middlewares, such as PhoneGap [17]. In these platforms, programs are loaded into a web component, called WebView, which can render HTML5 pages and execute JavaScript code. In order for the program to access the system resources, which are isolated from the content inside WebView due to its sand-box, bridges need to be built between JavaScript and the native code (e.g. Java code in Android). Unfortunately, such bridges break the existing protection that was origi-nally built into WebView. In this paper, we study the potential risks of HTML5-based applications, and investigate how the existing mobile systems ’ access control supports these applications. We fo-cus on Android and the PhoneGap middleware. However, our ideas can be applied to other platforms. Our studies indicate that Android does not provide an adequate access control for this kind of applications. We propose a fine-grained access control mechanism for the bridge in Android system. We have implemented our scheme in Android and have evaluated its effectiveness and performance. 1
Code Injection Attacks on HTML5-based Mobile Apps
HTML5-based mobile apps become more and more popular, mostly because they are
much easier to be ported across different mobile platforms than native apps.
HTML5-based apps are implemented using the standard web technologies, including
HTML5, JavaScript and CSS; they depend on some middlewares, such as PhoneGap,
to interact with the underlying OS.
Knowing that JavaScript is subject to code injection attacks, we have
conducted a systematic study on HTML5-based mobile apps, trying to evaluate
whether it is safe to rely on the web technologies for mobile app development.
Our discoveries are quite surprising. We found out that if HTML5-based mobile
apps become popular--it seems to go that direction based on the current
projection--many of the things that we normally do today may become dangerous,
including reading from 2D barcodes, scanning Wi-Fi access points, playing MP4
videos, pairing with Bluetooth devices, etc. This paper describes how
HTML5-based apps can become vulnerable, how attackers can exploit their
vulnerabilities through a variety of channels, and what damage can be achieved
by the attackers. In addition to demonstrating the attacks through example
apps, we have studied 186 PhoneGap plugins, used by apps to achieve a variety
of functionalities, and we found that 11 are vulnerable. We also found two real
HTML5-based apps that are vulnerable to the attacks.Comment: In Proceedings of the Third Workshop on Mobile Security Technologies
(MoST) 2014 (http://arxiv.org/abs/1410.6674
ATTACKS AND COUNTERMEASURES FOR WEBVIEW ON MOBILE SYSTEMS
ABSTRACT
All the mainstream mobile operating systems provide a web container, called ``WebView\u27\u27. This Web-based interface can be included as part of the mobile application to retrieve and display web contents from remote servers. WebView not only provides the same functionalities as web browser, more importantly, it enables rich interactions between mobile apps and webpages loaded inside WebView. Through its APIs, WebView enables the two-way interaction. However, the design of WebView changes the landscape of the Web, especially from the security perspective.
This dissertation conducts a comprehensive and systematic study of WebView\u27s impact on web security, with a particular focus on identifying its fundamental causes. This dissertation discovers multiple attacks on WebView, and proposes new protection models to enhance the security of WebView. The design principles of these models are also described as well as the prototype implementation in Android platform. Evaluations are used to demonstrate the effectiveness and performance of these protection models
Desktop Sharing Portal
Desktop sharing technologies have existed since the late 80s. It is often used in scenarios where collaborative computing is beneficial to participants in the shared environment by the control of the more knowledgeable party. But the steps required in establishing a session is often cumbersome to many. Selection of a sharing method, obtaining sharing target’s network address, sharing tool’s desired ports, and firewall issues are major hurdles for a typical non-IT user. In this project, I have constructed a web-portal that helps collaborators to easily locate each other and initialize sharing sessions. The portal that I developed enables collaborated sessions to start as easily as browsing to a URL of the sharing service provider, with no need to download or follow installation instructions on either party’s end. In addition, I have added video conferencing and audio streaming capability to bring better collaborative and multimedia experience
Tablets report
In January 2014, the Government of Malta launched the ‘One Tablet per Child’ pilot
project whose aim is to foresee the introduction of computer tablets in primary
schools. An expression of interest was also published in order to test different types
of hardware and software solutions with the aim of collecting feedback from
educators and students.
As part of this initiative, the Faculty of Information and Communication Technology
was requested to assist. In fact, an inter-departmental team was setup made up of
academics from the Department of Intelligent Computer Systems and the
Department of Computer Information Systems. These academics were entrusted
with the task of analyzing the three major tablet platforms in order to create a
coherent and impartial analysis, which can help during the selection of the ultimate
platform. The result of this exercise is this document, which was presented to the
committee responsible for the tablets project.
Throughout this document, one can find a thorough discussion pertaining the
positive and negative aspects of each platform; be it Android, iOS or Microsoft.
Whilst praising the most positive features of each platform, the document also
highlights the issues, which might arise when developing content for these operating
systems (OSs) and the weaknesses, which currently exist. We also examined issues,
which might arise when using these platforms. In particular, our analysis also takes
into consideration the fact that the usage will happen in a primary classroom setting
and thus, additional issues such as sturdiness of the device had to be considered.
Even though we mentioned some examples, we did not really go into the merits of
particular devices because the market is so fragmented that it would have been
impossible to pinpoint specific models or brands. Being a highly volatile sector
means that the information presented in this document can be considered correct at
the time of writing however we are expecting major changes in the coming months
which will definitely change the way in which we interact with computers forever.
The document is well suited to help the committee get abreast with the latest
offerings and future potential of each platform in order to allow them to take an
informed decision. A decision, which will have a long lasting effect on the eventual
success of the project and the ultimate wellbeing of our children.peer-reviewe
- …