1,198 research outputs found
Novel Attacks and Defenses in the Userland of Android
In the last decade, mobile devices have spread rapidly, becoming more and more part of our everyday lives; this is due to their feature-richness, mobility, and affordable price. At the time of writing, Android is the leader of the market among operating systems, with a share of 76% and two and a half billion active Android devices around the world. Given that such small devices contain a massive amount of our private and sensitive information, the economic interests in the mobile ecosystem skyrocketed. For this reason, not only legitimate apps running on mobile environments have increased dramatically, but also malicious apps have also been on a steady rise. On the one hand, developers of mobile operating systems learned from security mistakes of the past, and they made significant strides in blocking those threats right from the start. On the other hand, these high-security levels did not deter attackers. In this thesis, I present my research contribution about the most meaningful attack and defense scenarios in the userland of the modern Android operating system. I have emphasized "userland'' because attack and defense solutions presented in this thesis are executing in the userspace of the operating system, due to the fact that Android is slightly different from traditional operating systems. After the necessary technical background, I show my solution, RmPerm, in order to enable Android users to better protect their privacy by selectively removing permissions from any app on any Android version. This operation does not require any modification to the underlying operating system because we repack the original application. Then, using again repackaging, I have developed Obfuscapk; it is a black-box obfuscation tool that can work with every Android app and offers a free solution with advanced state of the art obfuscation techniques -- especially the ones used by malware authors. Subsequently, I present a machine learning-based technique that focuses on the identification of malware in resource-constrained devices such as Android smartphones. This technique has a very low resource footprint and does not rely on resources outside the protected device. Afterward, I show how it is possible to mount a phishing attack -- the historically preferred attack vector -- by exploiting two recent Android features, initially introduced in the name of convenience. Although a technical solution to this problem certainly exists, it is not solvable from a single entity, and there is the need for a push from the entire community. But sometimes, even though there exists a solution to a well-known vulnerability, developers do not take proper precautions. In the end, I discuss the Frame Confusion vulnerability; it is often present in hybrid apps, and it was discovered some years ago, but I show how it is still widespread. I proposed a methodology, implemented in the FCDroid tool, for systematically detecting the Frame Confusion vulnerability in hybrid Android apps. The results of an extensive analysis carried out through FCDroid on a set of the most downloaded apps from the Google Play Store prove that 6.63% (i.e., 1637/24675) of hybrid apps are potentially vulnerable to Frame Confusion. The impact of such results on the Android users' community is estimated in 250.000.000 installations of vulnerable apps
ATTACKS AND COUNTERMEASURES FOR WEBVIEW ON MOBILE SYSTEMS
ABSTRACT
All the mainstream mobile operating systems provide a web container, called ``WebView\u27\u27. This Web-based interface can be included as part of the mobile application to retrieve and display web contents from remote servers. WebView not only provides the same functionalities as web browser, more importantly, it enables rich interactions between mobile apps and webpages loaded inside WebView. Through its APIs, WebView enables the two-way interaction. However, the design of WebView changes the landscape of the Web, especially from the security perspective.
This dissertation conducts a comprehensive and systematic study of WebView\u27s impact on web security, with a particular focus on identifying its fundamental causes. This dissertation discovers multiple attacks on WebView, and proposes new protection models to enhance the security of WebView. The design principles of these models are also described as well as the prototype implementation in Android platform. Evaluations are used to demonstrate the effectiveness and performance of these protection models
An Empirical Study on Android-related Vulnerabilities
Mobile devices are used more and more in everyday life. They are our cameras,
wallets, and keys. Basically, they embed most of our private information in our
pocket. For this and other reasons, mobile devices, and in particular the
software that runs on them, are considered first-class citizens in the
software-vulnerabilities landscape. Several studies investigated the
software-vulnerabilities phenomenon in the context of mobile apps and, more in
general, mobile devices. Most of these studies focused on vulnerabilities that
could affect mobile apps, while just few investigated vulnerabilities affecting
the underlying platform on which mobile apps run: the Operating System (OS).
Also, these studies have been run on a very limited set of vulnerabilities.
In this paper we present the largest study at date investigating
Android-related vulnerabilities, with a specific focus on the ones affecting
the Android OS. In particular, we (i) define a detailed taxonomy of the types
of Android-related vulnerability; (ii) investigate the layers and subsystems
from the Android OS affected by vulnerabilities; and (iii) study the
survivability of vulnerabilities (i.e., the number of days between the
vulnerability introduction and its fixing). Our findings could help OS and apps
developers in focusing their verification & validation activities, and
researchers in building vulnerability detection tools tailored for the mobile
world
Reaching across - managing variants of one application on multiple platforms
The number of platforms to support in today's software projects are many and there are a wide range of differences to consider. There are tons of programming languages on the market and each platform, both mobile and desktop, have different preferences on how to develop applications. This do often result in multiple applications, similar to the end user but different to the developers. The same functionality has to be developed and maintained in multiple versions of the application in different ways. To solve these issues there is a need to think of the applications and platform in a new way. They have to be unified and commonalities has to be found or made. New application structures and tools are also needed to keep the platforms in sync. When developing those concepts each platform’s flexibility must be protected. Each platform has it’s own advantages and features like a GPS and camera and they have to be available to build a competitive product. This report concludes that web technology such as HTML5, JavaScript and CSS is a promising way to introduce common parts in the application. This helps to manage the platforms in one way and reduces the differences. To retain the platform specifics, language bridges are used to directly communicate with the native platform from the web parts. This enables the full strength of each platform and makes the solution a fully featured competitor to native applications
Peer-to-Peer File Sharing WebApp: Enhancing Data Security and Privacy through Peer-to-Peer File Transfer in a Web Application
Peer-to-peer (P2P) networking has emerged as a promising technology that enables distributed systems to operate in a decentralized manner. P2P networks are based on a model where each node in the network can act as both a client and a server, thereby enabling data and resource sharing without relying on centralized servers. The P2P model has gained considerable attention in recent years due to its potential to provide a scalable, fault-tolerant, and resilient architecture for various applications such as file sharing, content distribution, and social networks.In recent years, researchers have also proposed hybrid architectures that combine the benefits of both structured and unstructured P2P networks. For example, the Distributed Hash Table (DHT) is a popular hybrid architecture that provides efficient lookup and search algorithms while maintaining the flexibility and adaptability of the unstructured network.To demonstrate the feasibility of P2P systems, several prototypes have been developed, such as the BitTorrent file-sharing protocol and the Skype voice-over-IP (VoIP) service. These prototypes have demonstrated the potential of P2P systems for large-scale applications and have paved the way for the development of new P2P-based systems
Agile Beeswax: Mobile App Development Process and Empirical Study in Real Environment
Mobile application development is a highly competitive environment; agile methodologies
can enable teams to provide value faster, with higher quality and predictability, and a better attitude
to deal with the continuous changes that will arise in the mobile context application (App), and the
positive impact of that on sustainable development through continuous progress. App development
is different from other types of software. For this reason, our objective is to present a new agilebased methodology for app development that we call Agile Beeswax. Agile Beeswax is conceived
after identifying the mobile development process’s issues and challenges, and unique requirements.
Agile Beeswax is an incremental, iterative development process composed of two main iterative
loops (sprints), the incremental design loop and the incremental development loop, and one bridge
connecting these two sprints. Agile Beeswax is structured in six phases, idea and strategy, user
experience design, user interface design, design to development, handoff and technical decisions,
development, and deployment and monitoring. One of its main strengths is that it has been created
with academic and business perspectives to bring these two communities closer. To achieve this
purpose, our research methodology comprises four main phases: Phase 1: Extensive literature review
of mobile development methodologies, Phase 2: Interviews with mobile application developers
working in small to medium software companies, Phase 3: Survey to extract valuable knowledge
about mobile development (which was carefully designed based on the results of the first and the
second phases), and Phase 4: Proposal of a new methodology for the agile development of mobile
applications. With the aim of integrating both perspectives, the survey was answered by a sample of
35 experts, including academics and developers. Interesting results have been collected and discussed
in this paper (on issues such as the development process, the tools used during this process, and the
general issues and challenges they encountered), laying the foundations of the methodology Agile
Beeswax proposed to develop mobile apps. Our results and the proposed methodology are intended
to serve as support for mobile application developers.Spanish Government
European Commission
RTI2018-096986-B-C3
- …