3,284 research outputs found
Android Permissions Remystified: A Field Study on Contextual Integrity
Due to the amount of data that smartphone applications can potentially
access, platforms enforce permission systems that allow users to regulate how
applications access protected resources. If users are asked to make security
decisions too frequently and in benign situations, they may become habituated
and approve all future requests without regard for the consequences. If they
are asked to make too few security decisions, they may become concerned that
the platform is revealing too much sensitive information. To explore this
tradeoff, we instrumented the Android platform to collect data regarding how
often and under what circumstances smartphone applications are accessing
protected resources regulated by permissions. We performed a 36-person field
study to explore the notion of "contextual integrity," that is, how often are
applications accessing protected resources when users are not expecting it?
Based on our collection of 27 million data points and exit interviews with
participants, we examine the situations in which users would like the ability
to deny applications access to protected resources. We found out that at least
80% of our participants would have preferred to prevent at least one permission
request, and overall, they thought that over a third of requests were invasive
and desired a mechanism to block them.
Demystifying security and compatibility issues in Android Apps
Never before has any OS been so popular as Android. Existing mobile phones
are not simply devices for making phone calls and receiving SMS messages, but
powerful communication and entertainment platforms for web surfing, social
networking, etc. Even though the Android OS offers powerful communication and
application execution capabilities, it is riddled with defects (e.g., security
risks, and compatibility issues), new vulnerabilities come to light daily, and
bugs cost the economy tens of billions of dollars annually. For example,
malicious apps (e.g., back-doors, fraud apps, ransomware, spyware, etc.) are
reported [Google, 2022] to exhibit malicious behaviours, including privacy
stealing, unwanted programs installed, etc. To counteract these threats, many
works have been proposed that rely on static analysis techniques to detect such
issues. However, static techniques are not sufficient on their own to detect
such defects precisely. This will likely yield false positive results as static
analysis has to make some trade-offs when handling complicated cases (e.g.,
object-sensitive vs. object-insensitive). In addition, static analysis
techniques will also likely suffer from soundness issues because some
complicated features (e.g., reflection, obfuscation, and hardening) are
difficult to be handled [Sun et al., 2021b, Samhi et al., 2022].
Comment: Thesi
Privacy Leakage in Mobile Computing: Tools, Methods, and Characteristics
The number of smartphones, tablets, sensors, and connected wearable devices
is rapidly increasing. Today, in many parts of the globe, the penetration of
mobile computers has overtaken the number of traditional personal computers.
This trend and the always-on nature of these devices have resulted in
increasing concerns over the intrusive nature of these devices and the privacy
risks that they impose on users or those associated with them. In this paper,
we survey the current state of the art on mobile computing research, focusing
on privacy risks and data leakage effects. We then discuss a number of methods,
recommendations, and ongoing research in limiting the privacy leakages and
associated risks by mobile computing.
Smartphone App Usage Analysis: Datasets, Methods, and Applications
As smartphones have become indispensable personal devices, the number of smartphone users has increased dramatically over the last decade. These personal devices, which are supported by a variety of smartphone apps, allow people to access Internet services in a convenient and ubiquitous manner. App developers and service providers can collect fine-grained app usage traces, revealing connections between users, apps, and smartphones. We present a comprehensive review of the most recent research on smartphone app usage analysis in this survey. Our survey summarizes advanced technologies and key patterns in smartphone app usage behaviors, all of which have significant implications for all relevant stakeholders, including academia and industry. We begin by describing four data collection methods: surveys, monitoring apps, network operators, and app stores, as well as nine publicly available app usage datasets. We then systematically summarize the related studies of app usage analysis in three domains: app domain, user domain, and smartphone domain. We make a detailed taxonomy of the problem studied, the datasets used, the methods used, and the significant results obtained in each domain. Finally, we discuss future directions in this exciting field by highlighting research challenges.
Peer reviewe
Detecting Dynamic Security Threats in Multi-Component IoT Systems
The rising ubiquity of the Internet of Things (IoT) has heralded a new era of increasingly prolific and damaging IoT-centric security threat vectors. Fast-paced market demand for multi-featured IoT products urges companies, and their software engineers, to bring products to market quickly, often at the cost of security. Lack of proper security threat analysis tooling during development, testing, and release cycles exacerbates security concerns. In this paper, we augment a security threat analysis tool to use audit hooks, open-source information capture components, and machine learning techniques to profile dynamic wearable and IoT operations spanning multiple components during execution. Our tool encourages data-driven threat identification and analysis approaches that can help software engineers perform dynamic testing and threat analysis to mitigate code-level vulnerabilities that lead to attacks in IoT applications. Our approach is evaluated by means of a case study involving a system evaluation across several common attack vectors.
A Behavioral Model System for Implicit Mobile Authentication
Smartphones are increasingly essential to users’ everyday lives. Security concerns of data compromises are growing, and explicit authentication methods are proving to be inconvenient and insufficient. Meanwhile, users demand quicker and more secure authentication. To address this, a user can be authenticated continuously and implicitly, through understanding consistency in their behavior. This research project develops a Behavioral Model System (BMS) that records users’ behavioral metrics on an Android device and sends them to a server to develop a behavioral model for the user. Once a strong model is generated with TensorFlow, a user’s most recent behavior is queried against the model to authenticate them. The model is tested across its metrics to evaluate the reliability of BMS.
PADA: Power-aware development assistant for mobile sensing applications
© 2016 ACM. We propose PADA, a new power evaluation tool to measure and optimize power use of mobile sensing applications. Our motivational study with 53 professional developers shows they face huge challenges in meeting power requirements. The key challenges are from the significant time and effort for repetitive power measurements since the power use of sensing applications needs to be evaluated under various real-world usage scenarios and sensing parameters. PADA enables developers to obtain enriched power information under diverse usage scenarios in development environments without deploying and testing applications on real phones in real-life situations. We conducted two user studies with 19 developers to evaluate the usability of PADA. We show that developers benefit from using PADA in the implementation and power tuning of mobile sensing applications.
Leveraging Program Analysis to Reduce User-Perceived Latency in Mobile Applications
Reducing network latency in mobile applications is an effective way of
improving the mobile user experience and has tangible economic benefits. This
paper presents PALOMA, a novel client-centric technique for reducing the
network latency by prefetching HTTP requests in Android apps. Our work
leverages string analysis and callback control-flow analysis to automatically
instrument apps using PALOMA's rigorous formulation of scenarios that address
"what" and "when" to prefetch. PALOMA has been shown to incur significant
runtime savings (several hundred milliseconds per prefetchable HTTP request),
both when applied on a reusable evaluation benchmark we have developed and on
real applications.
Comment: ICSE 201