SoniControl - A Mobile Ultrasonic Firewall

The exchange of data between mobile devices in the near-ultrasonic frequency band is a new promising technology for near field communication (NFC) but also raises a number of privacy concerns. We present the first ultrasonic firewall that reliably detects ultrasonic communication and provides the user with effective means to prevent hidden data exchange. This demonstration showcases a new media-based communication technology ("data over audio") together with its related privacy concerns. It enables users to (i) interactively test out and experience ultrasonic information exchange and (ii) shows how to protect oneself against unwanted tracking.Comment: To appear in proceedings of 2018 ACM Multimedia Conference October 22--26, 2018, Seoul, Republic of Kore

A Forensically Sound Adversary Model for Mobile Devices

In this paper, we propose an adversary model to facilitate forensic investigations of mobile devices (e.g. Android, iOS and Windows smartphones) that can be readily adapted to the latest mobile device technologies. This is essential given the ongoing and rapidly changing nature of mobile device technologies. An integral principle and significant constraint upon forensic practitioners is that of forensic soundness. Our adversary model specifically considers and integrates the constraints of forensic soundness on the adversary, in our case, a forensic practitioner. One construction of the adversary model is an evidence collection and analysis methodology for Android devices. Using the methodology with six popular cloud apps, we were successful in extracting various information of forensic interest in both the external and internal storage of the mobile device

Privacy Risks in Mobile Dating Apps

Dating apps for mobile devices, one popular GeoSocial app category, are growing increasingly popular. These apps encourage the sharing of more personal information than conventional social media apps, including continuous location data. However, recent high profile incidents have highlighted the privacy risks inherent in using these apps. In this paper, we present a case study utilizing forensic techniques on nine popular proximity-based dating apps in order to determine the types of data that can be recovered from user devices. We recover a number of data types from these apps that raise concerns about user privacy. For example, we determine that chat messages could be recovered in at least half of the apps examined and, in some cases, the details of any users that had been discovered nearby could also be extracted

A Completely Covert Audio Channel in Android

Exfilteration of private data is a potential security threat against mobile devices. Previous research concerning such threats has generally focused on techniques that are only valid over short distances (NFC, Bluetooth, electromagnetic emanations, and so on). In this research, we develop and analyze an exfilteration attack that has no distance limitation. Specifically, we take advantage of vulnerabilities in Android that enable us to covertly record and exfilterate a voice call. This paper presents a successful implementation of our attack, which records a call (both uplink and downlink voice streams), and inaudibly transmits the recorded voice over a subsequent inaudible call, without any visual or audio indication given to the victim. We provide a detailed analysis of our attack, and we suggest possible counter measures to thwart similar attacks

Smartphone as an Agent of Anti-forensics: A Case of Workplace Environment in Kenya

Computer anti-forensic techniques work to ensure that forensic evidence left behind after a digital crime is not easily uncovered by forensic investigators, if they are to uncover them, there will be a considerable delay. Smartphones have become a common device within an organization’s workforce where employees interact with highly confidential data that they access using their laptop computers at the workplace. This has led to the use of smartphones to commit digital crimes at the workplace.  The primary objective of this study is to find out whether the use of smartphones at workplace environment in Kenya may be exploited to advance activities that may derail forensic investigations in the event of a digital crime. We also set to establish data security risks within organization and other techniques and/or methods by which smartphones may be used to exfiltrate data. Finally, we shall analyze research areas that require further attention from researchers to enhance defense and guard against smartphones data exfiltration. To achieve these objectives, we shall implement and test an android mobile software prototype, developed using android studio to send data exfiltration attempt to a web-based user interface when an employee within an organization uploads data above a set authorized limit. We shall review existing literature to understand other techniques that may be used to exfiltrate data from organizations as well as analyze research areas that require further attention from researchers to enhance defense and guard against data exfiltration through smartphones usage. We collected a total of two thousand five hundred and eighty-four records of data exfiltration attempts from our eleven sampled population. Of these records, One thousand eight hundred and ninety-one happened in the evening hours while six hundred and seven in the afternoon hours, then finally, eighty-six records were registered in the morning hours.  In conclusion, the research study, has revealed that there exist challenges in reporting smartphone-based data exfiltration attempts while using the mobile-based software prototype.Data exfiltration attempts was observed to happen within organization’s workplace, with evening hours being the most affected by this vice with a figure of over one thousand data exfiltration attempts. We also noted that there exists, at least three categories of data security risks that organizations are exposed to when employees have their smartphones within the workplace. We recorded an additional eleven other techniques and methods by which a smartphone may be used to steal data from an organization

A framework for application partitioning using trusted execution environments

The size and complexity of modern applications are the underlying causes of numerous security vulnerabilities. In order to mitigate the risks arising from such vulnerabilities, various techniques have been proposed to isolate the execution of sensitive code from the rest of the application and from other software on the platform (such as the operating system). New technologies, notably Intel’s Software Guard Extensions (SGX), are becoming available to enhance the security of partitioned applications. SGX provides a trusted execution environment (TEE), called an enclave, that protects the integrity of the code and the confidentiality of the data inside it from other software, including the operating system. However, even with these partitioning techniques, it is not immediately clear exactly how they can and should be used to partition applications. How should a particular application be partitioned? How many TEEs should be used? What granularity of partitioning should be applied? To some extent, this is dependent on the capabilities and performance of the partitioning technology in use. However, as partitioning becomes increasingly common, there is a need for systematization in the design of partitioning schemes. To address this need, we present a novel framework consisting of four overarching types of partitioning schemes through which applications can make use of TEEs. These schemes range from coarse-grained partitioning, in which the whole application is included in a single TEE, through to ultra-fine partitioning, in which each piece of security-sensitive code and data is protected in an individual TEE. Although partitioning schemes themselves are application-specific, we establish application-independent relationships between the types we have defined. Since these relationships have an impact on both the security and performance of the partitioning scheme, we envisage that our framework can be used by software architects to guide the design of application partitioning schemes. To demonstrate the applicability of our framework, we have carried out case studies on two widely-used software packages, the Apache web server and the OpenSSL library. In each case study, we provide four high level partitioning schemes - one for each of the types in our framework. We also systematically review the related work on hardware-enforced partitioning by categorising previous research efforts according to our framework

The Role of the Adversary Model in Applied Security Research

Adversary models have been integral to the design of provably-secure cryptographic schemes or protocols. However, their use in other computer science research disciplines is relatively limited, particularly in the case of applied security research (e.g., mobile app and vulnerability studies). In this study, we conduct a survey of prominent adversary models used in the seminal field of cryptography, and more recent mobile and Internet of Things (IoT) research. Motivated by the findings from the cryptography survey, we propose a classification scheme for common app-based adversaries used in mobile security research, and classify key papers using the proposed scheme. Finally, we discuss recent work involving adversary models in the contemporary research field of IoT. We contribute recommendations to aid researchers working in applied (IoT) security based upon our findings from the mobile and cryptography literature. The key recommendation is for authors to clearly define adversary goals, assumptions and capabilities

It\u27s A Small World After All: Exploring Mobile Dating Application Use and Sexual Partner Networks Among Black Men who have Sex with Men (BMSM)

Research supports risky sexual behaviors are especially pervasive traits in high risk groups such as gay and bisexual men; and despite representing a mere 12% of the total LGBTQ population, Black men who have sex with men (BMSM) are at highest risk for transmitting and contracting HIV and other non-HIV sexually transmitted diseases. Even knowing this, the disparity of research coverage of BMSM compared to White MSM is staggering. Recent research has indicated MSM are at even greater risk than before since the advent of mobile dating apps. Online partnering via mobile apps has been linked to overlapping sexual partner networks and outcomes such as greater numbers of sexual partners and a higher likelihood of practicing unprotected anal sex. As such, this study aimed to investigate how BMSM\u27s sexual sensation seeking behaviors may be influenced by use of mobile dating apps and PrEP, as well as provide indication of BMSM attitudes related to sexual partner networks and their role as a risk factor. The study uses primary data collection via an online survey tool and univariate, bivariate, and multivariate analysis techniques were employed to analyze the collected data. Results revealed there is not a difference in sexual sensation seeking behaviors based on the number of mobile dating apps used, and that PrEP use and PrEP knowledge do not have an independent influence on sexual sensation seeking behaviors. However, there is a statistically significant influence on BMSM SSS by confirmed PrEP use and an average understanding of PrEP. Qualitative results expanded current research understanding of why BMSM utilize mobile dating apps as well as BMSM sexual partner networks and how they influence BMSM sexual sensation seeking habits

Vulnerabilidades nas conexões USB em dispositivos com o sistema Android

Nos últimos anos, a quantidade de ataques em Smartphones aumentou rapidamente, principalmente devido a complexidade de manter os Sistemas Operativos atuais a gerir esses dispositivos. A complexidade de evitar vulnerabilidades nos sistemas operativos moveis atuais torna-os vulneráveis a muitos tipos de ataques. Esta dissertaçao apresenta informações resultantes do uso do Android Debug Bridge para extrair dados privados de smartphones. Foram identificados três cenarios e foi desenvolvido uma prova de conceito. Ao ser executado num computador, o script á capaz de extrair dados privados de um smartphone quando este e conectado por USB. Em dois cenarios foi possível extrair a informacao de forma totalmente furtiva, sem o conhecimento do utilizador. No terceiro cenário, utilizando uma versão mais recente do Sistema Operativo Android, e necessaria uma açao do utilizador, o que torna o ataque menos provavel de ter exito, mas ainda possível