49,142 research outputs found

    Proof Compression and the Mobius PCC Architecture for Embedded Devices

    The EU Mobius project has been concerned with the security of Java applications, and of mobile devices such as smart phones that execute such applications. In this talk, I'll give a brief overview of the results obtained on on-device checking of various security-related program properties. I'll then describe in more detail how the concept of certified abstract interpretation and abstraction-carrying code can be applied to polyhedral-based analysis of Java byte code in order to verify properties pertaining to the usage of resources of a down-loaded application. Particular emphasis has been on finding ways of reducing the size of the certificates that accompany a piece of code

    Factors Driving the Intention to Continue Using Digital Wallets: A Study of Users on Java Island

    The tight competition in the e-wallet market and the rapid growth in the number of users in Indonesia require e-wallet companies to retain their users. This study aims to analyze the direct and indirect effects of perceived security, trust in mobile payment, perceived usefulness, perceived enjoyment, and user interface on users' continuance intention to use e-wallets. The type of data in this research is primary data, collected by an online survey using Google Form, and the sampling technique is purposive sampling, involving 350 respondents who live in Java and for the last 1 month have used one of GoPay, OVO, DANA, or ShopeePay. Data analysis uses a Structural Equation Model. The results show that perceived security, trust in mobile payments, and user interface cannot directly affect the user's continuance intention to use e-wallets. Meanwhile, perceived usefulness and perceived enjoyment have a direct effect on continuance intention to use. The results of the indirect effect proved that satisfaction can mediate the influence of trust in mobile payment, perceived usefulness, perceived enjoyment, and user interface on users' continuance intention to use e-wallets. However, satisfaction was not able to mediate the effect of users' perceived security on continuance intention to use. Keywords: perceived usability, perceived security, trust in mobile payment, satisfaction, continuance intention to us

    Security analysis of JXME-Proxyless version

    JXME is the JXTA specification for mobile devices using J2ME. Two different flavors of JXME implementation are available, each one specific for a particular set of devices, according to their capabilities. The main value of JXME is its simplicity to create peer-to-peer (P2P) applications in limited devices. In addition to assessing JXME functionalities, it is also important to realize the default security level provided. This paper presents a brief analysis of the current state of security in JXME, focusing on the JXME-Proxyless version, identifies existing vulnerabilities and proposes further improvements in this field

    Hooking Java methods and native functions to enhance Android applications security

    Mobile devices are becoming the main end-user platform to access the Internet. Therefore, hackers’ interest in fraudulent mobile applications is now higher than ever. Most of the time, static analysis is not enough to detect the application's hidden malicious code. For this reason, we design and implement a security library for Android applications exploiting the hooking of Java and native functions to enable runtime analysis. The library verifies if the application shows compliance to some of the most important security protocols and it tries to detect unwanted activities. Testing of the library shows that it successfully intercepts the targeted functions, thus allowing to block the application's malicious behaviour. We also assess the feasibility of an automatic tool that uses reverse engineering to decompile the application, inject our library and recompile the security-enhanced application.

    The Transitivity of Trust Problem in the Interaction of Android Applications

    Mobile phones have developed into complex platforms with large numbers of installed applications and a wide range of sensitive data. Application security policies limit the permissions of each installed application. As applications may interact, restricting single applications may create a false sense of security for the end users while data may still leave the mobile phone through other applications. Instead, the information flow needs to be policed for the composite system of applications in a transparent and usable manner. In this paper, we propose to employ static analysis based on the software architecture and focused data flow analysis to scalably detect information flows between components. Specifically, we aim to reveal transitivity of trust problems in multi-component mobile platforms. We demonstrate the feasibility of our approach with Android applications, although the generalization of the analysis to similar composition-based architectures, such as Service-oriented Architecture, can also be explored in the future

    In-Vivo Bytecode Instrumentation for Improving Privacy on Android Smartphones in Uncertain Environments

    In this paper we claim that an efficient and readily applicable means to improve privacy of Android applications is: 1) to perform runtime monitoring by instrumenting the application bytecode and 2) in-vivo, i.e. directly on the smartphone. We present a tool chain to do this and present experimental results showing that this tool chain can run on smartphones in a reasonable amount of time and with a realistic effort. Our findings also identify challenges to be addressed before running powerful runtime monitoring and instrumentations directly on smartphones. We implemented two use-cases leveraging the tool chain: BetterPermissions, a fine-grained user centric permission policy system and AdRemover an advertisement remover. Both prototypes improve the privacy of Android systems thanks to in-vivo bytecode instrumentation. Comment: ISBN: 978-2-87971-111-

    Building distributed heterogeneous smart phone Java applications: an evaluation from a development perspective

    The advances in mobile phone technology have enabled such devices to be programmed to run general-purpose applications using a special edition of the Java programming language. Java is designed to be a heterogeneous programming language targeting different platforms. Such ability when coupled with the provision of high-speed mobile Internet access would open the door for a new breed of distributed mobile applications. This paper explores the capabilities and limitations of this technology and addresses the considerations that must be taken when designing and developing such distributed applications. Our findings are verified by building a test client-server system where the clients in this system are mobile phones behaving as active processing elements not just mere service requesters