92,852 research outputs found

    Security for mobile devices

    Over the last few years we have increasingly delegated more and more personal information to our mobile devices. From a software security perspective, this entails a significant risk. In this project we focused on two specific vulnerabilities defined in the OWASP 2016 list of mobile vulnerabilities, specifically Code Tampering and Reverse-Engineering. We implemented an attack demonstrating how we can exfiltrate sensitive information about Android users by exploiting the aforementioned vulnerabilities. This attack illustrates one of the most common attacks that take place in third-party app stores. Moreover, we elaborated new teaching materials complementing the already existing documentation about attacks on mobile devices. Therefore, this allows us to contribute with a new product for future engineers so that they can learn about software security in these mobile environments and understand the consequences that these types of attacks have.

    Formal Reasoning Using an Iterative Approach with an Integrated Web IDE

    This paper summarizes our experience in communicating the elements of reasoning about correctness, and the central role of formal specifications in reasoning about modular, component-based software using a language and an integrated Web IDE designed for the purpose. Our experience in using such an IDE, supported by a 'push-button' verifying compiler in a classroom setting, reveals the highly iterative process learners use to arrive at suitably specified, automatically provable code. We explain how the IDE facilitates reasoning at each step of this process by providing human readable verification conditions (VCs) and feedback from an integrated prover that clearly indicates unprovable VCs to help identify obstacles to completing proofs. The paper discusses the IDE's usage in verified software development using several examples drawn from actual classroom lectures and student assignments to illustrate principles of design-by-contract and the iterative process of creating and subsequently refining assertions, such as loop invariants in object-based code.
    Comment: In Proceedings F-IDE 2015, arXiv:1508.0338

    How to Teach Mechanical Engineering Design Using Industry Methods While Still Assessing to University Criteria

    There is a growing demand from industry for qualified design engineers. Many design engineers are trained in industry at vast expense in time and money, while many more are trained at universities and colleges. This thesis will explore how to maintain the training by universities and colleges to be as up to date and relevant as possible. It will look at the modern techniques and methods such as design teams, use of computer software, communication, use of the internet, and methods to solve design problems. All these techniques and methods are used by world-leading industries during the 21st century; this century, known also as the Third Industrial Revolution, or the Information Technology Revolution. It will show how appropriate techniques and methods can be applied in academia. A challenge is highlighted, and a solution found, how to get students to design to modern industry standards but at the same time make it possible to assess their work to satisfy the needs of academia and achieve the awarding criteria. Modern techniques and methods will be applied to university students and an assessment made of the results. Use of group working will be explored, and an algorithm developed to grade the completed work. What do students need now, to equip them to become competent designers, and how do lecturers support these students in these new methods? A knowledge gap between full-time students and part-time students in their final year of a degree programme was identified. This gap was reduced by reviewing the curriculum from earlier years and specifically targeting improving the students' knowledge. To reduce the gap further, a new teaching theory based on reverse engineering and a reversed application of Bloom's Taxonomy was developed. This new teaching theory was applied to engineering students in their final year of a BEng (Hons) Mechanical Engineering Degree. The above methods and theories were validated by experienced industry design engineers from world-leading companies.

    Using Remote Access for Sharing Experiences in a Machine Design Laboratory

    A new Machine Design Laboratory at Marquette University has been created to foster student exploration and promote “hands-on” and “minds-on” learning. Laboratory experiments have been developed to give students practical experiences and expose them to physical hardware, actual tools, and design challenges. Students face a range of real-world tasks: identify and select components, measure parameters (dimensions, speed, force), distinguish between normal and used (worn) components and between proper and abnormal behavior, reverse engineer systems, and justify design choices. The experiments serve to motivate the theory, spark interest, and promote discovery learning in the subject of machine design. This paper presents details of the experiments in the Machine Design Laboratory and then explores the feasibility of sharing some of the experiences with students at other institutions through remote access technologies. The paper proposes steps towards achieving this goal and raises issues to be addressed for a pilot-study offering machine design experiences to students globally who have access to the internet.

    Mapping the technology landscape : linking pedagogy to the affordances of different technologies

    This work evaluates the application of different learning technologies and their suitability to support blended learning approaches in Higher Education. Chickering and Gamson's Seven Principles for Good Practice in Undergraduate Education (Chickering & Gamson, 1987) were used as an underlying pedagogical framework to evaluate the "perceived affordances" (Norman, 1999) of learning technologies. Chickering and Gamson's principles were selected as a framework due to their "face-validity", the accessibility of their language and since they have been derived from numerous years of reflective and effective teaching. Along with the principles we describe and recommend an innovative methodology for evaluation. This methodology can be used in a context of similar evaluation exercises.
    Final Accepted Version

    Block-Based Development of Mobile Learning Experiences for the Internet of Things

    The Internet of Things enables experts of given domains to create smart user experiences for interacting with the environment. However, development of such experiences requires strong programming skills, which are challenging to develop for non-technical users. This paper presents several extensions to the block-based programming language used in App Inventor to make the creation of mobile apps for smart learning experiences less challenging. Such apps are used to process and graphically represent data streams from sensors by applying map-reduce operations. A workshop with students without previous experience with Internet of Things (IoT) and mobile app programming was conducted to evaluate the propositions. As a result, students were able to create small IoT apps that ingest, process and visually represent data in a simpler form than using App Inventor's standard features. Besides, an experimental study was carried out in a mobile app development course with academics of diverse disciplines. Results showed it was faster and easier for novice programmers to develop the proposed app using new stream processing blocks.
    Spanish National Research Agency (AEI) - ERDF fund