1,931 research outputs found
Survey of End-to-End Mobile Network Measurement Testbeds, Tools, and Services
Mobile (cellular) networks enable innovation, but can also stifle it and lead
to user frustration when network performance falls below expectations. As
mobile networks become the predominant method of Internet access, developer,
research, network operator, and regulatory communities have taken an increased
interest in measuring end-to-end mobile network performance to, among other
goals, minimize negative impact on application responsiveness. In this survey
we examine current approaches to end-to-end mobile network performance
measurement, diagnosis, and application prototyping. We compare available tools
and their shortcomings with respect to the needs of researchers, developers,
regulators, and the public. We intend for this survey to provide a
comprehensive view of currently active efforts and some auspicious directions
for future work in mobile network measurement and mobile application
performance evaluation.Comment: Submitted to IEEE Communications Surveys and Tutorials. arXiv does
not format the URL references correctly. For a correctly formatted version of
this paper go to
http://www.cs.montana.edu/mwittie/publications/Goel14Survey.pd
Managing big data experiments on smartphones
The explosive number of smartphones with ever growing sensing and computing capabilities have brought a paradigm shift to many traditional domains of the computing field. Re-programming smartphones and instrumenting them for application testing and data gathering at scale is currently a tedious and time-consuming process that poses significant logistical challenges. Next generation smartphone applications are expected to be much larger-scale and complex, demanding that these undergo evaluation and testing under different real-world datasets, devices and conditions. In this paper, we present an architecture for managing such large-scale data management experiments on real smartphones. We particularly present the building blocks of our architecture that encompassed smartphone sensor data collected by the crowd and organized in our big data repository. The given datasets can then be replayed on our testbed comprising of real and simulated smartphones accessible to developers through a web-based interface. We present the applicability of our architecture through a case study that involves the evaluation of individual components that are part of a complex indoor positioning system for smartphones, coined Anyplace, which we have developed over the years. The given study shows how our architecture allows us to derive novel insights into the performance of our algorithms and applications, by simplifying the management of large-scale data on smartphones
Do Androids Dream of Electric Sheep? On Privacy in the Android Supply Chain
The Android Open Source Project (AOSP) was first released by Google in 2008 and
has since become the most used operating system [Andaf]. Thanks to the openness
of its source code, any smartphone vendor or original equipment manufacturer
(OEM) can modify and adapt Android to their specific needs, or add proprietary features
before installing it on their devices in order to add custom features to differentiate themselves
from competitors. This has created a complex and diverse supply chain, completely opaque to
end-users, formed by manufacturers, resellers, chipset manufacturers, network operators, and
prominent actors of the online industry that partnered with OEMs. Each of these stakeholders
can pre-install extra apps, or implement proprietary features at the framework level.
However, such customizations can create privacy and security threats to end-users. Preinstalled
apps are privileged by the operating system, and can therefore access system APIs
or personal data more easily than apps installed by the user. Unfortunately, despite these
potential threats, there is currently no end-to-end control over what apps come pre-installed
on a device and why, and no traceability of the different software and hardware components
used in a given Android device. In fact, the landscape of pre-installed software in Android and
its security and privacy implications has largely remained unexplored by researchers.
In this thesis, I investigate the customization of Android devices and their impact on the
privacy and security of end-users. Specifically, I perform the first large-scale and systematic
analysis of pre-installed Android apps and the supply chain. To do so, I first develop an app,
Firmware Scanner [Sca], to crowdsource close to 34,000 Android firmware versions from 1,000
different OEMs from all over the world. This dataset allows us to map the stakeholders involved
in the supply chain and their relationships, from device manufacturers and mobile network operators
to third-party organizations like advertising and tracking services, and social network
platforms. I could identify multiple cases of privacy-invasive and potentially harmful behaviors.
My results show a disturbing lack of transparency and control over the Android supply
chain, thus showing that it can be damageable privacy- and security-wise to end-users.
Next, I study the evolution of the Android permission system, an essential security feature of the Android framework. Coupled with other protection mechanisms such as process sandboxing,
the permission system empowers users to control what sensitive resources (e.g., user
contacts, the camera, location sensors) are accessible to which apps. The research community
has extensively studied the permission system, but most previous studies focus on its limitations
or specific attacks. In this thesis, I present an up-to-date view and longitudinal analysis
of the evolution of the permissions system. I study how some lesser-known features of the
permission system, specifically permission flags, can impact the permission granting process,
making it either more restrictive or less. I then highlight how pre-installed apps developers
use said flags in the wild and focus on the privacy and security implications. Specifically, I
show the presence of third-party apps, installed as privileged system apps, potentially using
said features to share resources with other third-party apps.
Another salient feature of the permission system is its extensibility: apps can define their
own custom permissions to expose features and data to other apps. However, little is known
about how widespread the usage of custom permissions is, and what impact these permissions
may have on users’ privacy and security. In the last part of this thesis, I investigate the exposure
and request of custom permissions in the Android ecosystem and their potential for opening
privacy and security risks. I gather a 2.2-million-app-large dataset of both pre-installed and
publicly available apps using both Firmware Scanner and purpose-built app store crawlers.
I find the usage of custom permissions to be pervasive, regardless of the origin of the apps,
and seemingly growing over time. Despite this prevalence, I find that custom permissions are
virtually invisible to end-users, and their purpose is mostly undocumented. While Google recommends
that developers use their reverse domain name as the prefix of their custom permissions
[Gpla], I find widespread violations of this recommendation, making sound attribution
at scale virtually impossible. Through static analysis methods, I demonstrate that custom permissions
can facilitate access to permission-protected system resources to apps that lack those
permissions, without user awareness. Due to the lack of tools for studying such risks, I design
and implement two tools, PermissionTracer [Pere] and PermissionTainter [Perd] to study
custom permissions. I highlight multiple cases of concerning use of custom permissions by
Android apps in the wild.
In this thesis, I systematically studied, at scale, the vast and overlooked ecosystem of preinstalled
Android apps. My results show a complete lack of control of the supply chain which
is worrying, given the huge potential impact of pre-installed apps on the privacy and security
of end-users. I conclude with a number of open research questions and future avenues for
further research in the ecosystem of the supply chain of Android devices.This work has been supported by IMDEA Networks InstitutePrograma de Doctorado en Ingeniería Telemática por la Universidad Carlos III de MadridPresidente: Douglas Leith.- Secretario: Rubén Cuevas Rumín.- Vocal: Hamed Haddad
FORENSIC ANALYSIS OF THE GARMIN CONNECT ANDROID APPLICATION
Wearable smart devices are becoming more prevalent in our lives. These tiny devices
read various health signals such as heart rate and pulse and also serve as companion
devices that store sports activities and even their coordinates. This data is typically
sent to the smartphone via a companion application installed. These applications
hold a high forensic value because of the users’ private information they store. They
can be crucial in a criminal investigation to understand what happened or where
that person was during a given period. They also need to guarantee that the data
is secure and that the application is not vulnerable to any attack that can lead to
data leaks.
The present work aims to do a complete forensic analysis of the companion
application Garmin Connect for Android devices. We used a Garmin Smartband to
generate data and test the application with a rooted Android device. This analysis is
split into two parts. The first part will be a traditional Post Mortem analysis where
we will present the application, data generation process, acquisition process, tools,
and methodologies. Lastly, we analyzed the data extracted and studied what can
be considered a forensic artifact. In the second part of this analysis, we performed
a dynamic analysis. We used various offensive security techniques and methods to
find vulnerabilities in the application code and network protocol to obtain data in
transit.
Besides completing the Garmin Connect application analysis, we contributed
various modules and new features for the tool Android Logs Events And Protobuf
Parser (ALEAPP) to help forensic practitioners analyze the application and to
improve the open-source digital forensics landscape. We also used this analysis as a
blueprint to explore six other fitness applications that can receive data from Garmin
Connect.
With this work, we could conclude that Garmin Connect stores a large quantity
of private data in its device, making it of great importance in case of a forensic
investigation. We also studied its robustness and could conclude that the application
is not vulnerable to the tested scenarios. Nevertheless, we found a weakness in their
communication methods that lets us obtain any data from the user even if it was
not stored in the device. This fact increased its forensic importance even more
Covert Communication in Mobile Applications
This paper studies communication patterns in mobile applications. Our analysis shows that 63% of the external communication made by top-popular free Android applications from Google Play has no effect on the user-observable application functionality. To detect such covert communication in an efficient manner, we propose a highly precise and scalable static analysis technique: it achieves 93% precision and 61% recall compared to the empirically determined “ground truth”, and runs in a matter of a few minutes. Furthermore, according to human evaluators, in 42 out of 47 cases, disabling connections deemed covert by our analysis leaves the delivered application experience either completely intact or with only insignificant interference. We conclude that our technique is effective for identifying and disabling covert communication. We then use it to investigate communication patterns in the 500 top-popular applications from Google Play.United States. Defense Advanced Research Projects Agency (Agreement FA8750-12-2-0110
Eavesdropping Whilst You're Shopping: Balancing Personalisation and Privacy in Connected Retail Spaces
Physical retailers, who once led the way in tracking with loyalty cards and
`reverse appends', now lag behind online competitors. Yet we might be seeing
these tables turn, as many increasingly deploy technologies ranging from simple
sensors to advanced emotion detection systems, even enabling them to tailor
prices and shopping experiences on a per-customer basis. Here, we examine these
in-store tracking technologies in the retail context, and evaluate them from
both technical and regulatory standpoints. We first introduce the relevant
technologies in context, before considering privacy impacts, the current
remedies individuals might seek through technology and the law, and those
remedies' limitations. To illustrate challenging tensions in this space we
consider the feasibility of technical and legal approaches to both a) the
recent `Go' store concept from Amazon which requires fine-grained, multi-modal
tracking to function as a shop, and b) current challenges in opting in or out
of increasingly pervasive passive Wi-Fi tracking. The `Go' store presents
significant challenges with its legality in Europe significantly unclear and
unilateral, technical measures to avoid biometric tracking likely ineffective.
In the case of MAC addresses, we see a difficult-to-reconcile clash between
privacy-as-confidentiality and privacy-as-control, and suggest a technical
framework which might help balance the two. Significant challenges exist when
seeking to balance personalisation with privacy, and researchers must work
together, including across the boundaries of preferred privacy definitions, to
come up with solutions that draw on both technology and the legal frameworks to
provide effective and proportionate protection. Retailers, simultaneously, must
ensure that their tracking is not just legal, but worthy of the trust of
concerned data subjects.Comment: 10 pages, 1 figure, Proceedings of the PETRAS/IoTUK/IET Living in the
Internet of Things Conference, London, United Kingdom, 28-29 March 201
Mobile Big Data Analytics in Healthcare
Mobile and ubiquitous devices are everywhere around us generating considerable amount of data. The concept of mobile computing and analytics is expanding due to the fact that we are using mobile devices day in and out without even realizing it. These mobile devices use Wi-Fi, Bluetooth or mobile data to be intermittently connected to the world, generating, sending and receiving data on the move. Latest mobile applications incorporating graphics, video and audio are main causes of loading the mobile devices by consuming battery, memory and processing power. Mobile Big data analytics includes for instance, big health data, big location data, big social media data, and big heterogeneous data. Healthcare is undoubtedly one of the most data-intensive industries nowadays and the challenge is not only in acquiring, storing, processing and accessing data, but also in engendering useful insights out of it. These insights generated from health data may reduce health monitoring cost, enrich disease diagnosis, therapy, and care and even lead to human lives saving.
The challenge in mobile data and Big data analytics is how to meet the growing performance demands of these activities while minimizing mobile resource consumption. This thesis proposes a scalable architecture for mobile big data analytics implementing three new algorithms (i.e. Mobile resources optimization, Mobile analytics customization and Mobile offloading), for the effective usage of resources in performing mobile data analytics. Mobile resources optimization algorithm monitors the resources and switches off unused network connections and application services whenever resources are limited. However, analytics customization algorithm attempts to save energy by customizing the analytics process while implementing some data-aware techniques. Finally, mobile offloading algorithm decides on the fly whether to process data locally or delegate it to a Cloud back-end server. The ultimate goal of this research is to provide healthcare decision makers with the advancements in mobile Big data analytics and support them in handling large and heterogeneous health datasets effectively on the move
- …