Viewability: An Exaggerated Crisis

This thesis addresses the ongoing debate surrounding Viewability within the digital advertising industry. Since advertising is the lifeblood of many publishers and sites across the web, it is vital that brands and marketers derive value from this relationship. The Media Rating Council and Making Measurement Make Sense Movement both over exaggerate the value of Viewability in the digital advertising marketplace. By examining a plethora of articles and regulatory standards, I have been able to conclude that Viewability is a soft metric that does not provide media insights into the success of a given campaign. By conducting interviews and reviewing articles from the advertising trade press, I have determined that marketers, advertising agencies and publishers must work in tandem to achieve a solution that is both sustainable economically and administrable on a mass scale. The implementation of corporate-specific Viewability standards for marketers would lead to a greater autonomy over the analysis of the success of a particular campaign. Publishers’ refocus on website redesign and roll out of innovative advertising units can drastically contribute to value generation for marketers. In addition, both the MRC and 3MS pivot towards traffic fraud would warrant greater fiscal control over industry media spending and an improved analysis of campaign data. Viewability across the digital advertising industry is simply a singular cog in the wheel of digital media injustice. If the MRC and 3MS refocus their efforts towards fraudulent traffic while adopting a laissez faire approach to tackling Viewability, both organizations will greatly aid in the growth and prosperity of a free and open Interne

Do Androids Dream of Electric Sheep? On Privacy in the Android Supply Chain

The Android Open Source Project (AOSP) was first released by Google in 2008 and has since become the most used operating system [Andaf]. Thanks to the openness of its source code, any smartphone vendor or original equipment manufacturer (OEM) can modify and adapt Android to their specific needs, or add proprietary features before installing it on their devices in order to add custom features to differentiate themselves from competitors. This has created a complex and diverse supply chain, completely opaque to end-users, formed by manufacturers, resellers, chipset manufacturers, network operators, and prominent actors of the online industry that partnered with OEMs. Each of these stakeholders can pre-install extra apps, or implement proprietary features at the framework level. However, such customizations can create privacy and security threats to end-users. Preinstalled apps are privileged by the operating system, and can therefore access system APIs or personal data more easily than apps installed by the user. Unfortunately, despite these potential threats, there is currently no end-to-end control over what apps come pre-installed on a device and why, and no traceability of the different software and hardware components used in a given Android device. In fact, the landscape of pre-installed software in Android and its security and privacy implications has largely remained unexplored by researchers. In this thesis, I investigate the customization of Android devices and their impact on the privacy and security of end-users. Specifically, I perform the first large-scale and systematic analysis of pre-installed Android apps and the supply chain. To do so, I first develop an app, Firmware Scanner [Sca], to crowdsource close to 34,000 Android firmware versions from 1,000 different OEMs from all over the world. This dataset allows us to map the stakeholders involved in the supply chain and their relationships, from device manufacturers and mobile network operators to third-party organizations like advertising and tracking services, and social network platforms. I could identify multiple cases of privacy-invasive and potentially harmful behaviors. My results show a disturbing lack of transparency and control over the Android supply chain, thus showing that it can be damageable privacy- and security-wise to end-users. Next, I study the evolution of the Android permission system, an essential security feature of the Android framework. Coupled with other protection mechanisms such as process sandboxing, the permission system empowers users to control what sensitive resources (e.g., user contacts, the camera, location sensors) are accessible to which apps. The research community has extensively studied the permission system, but most previous studies focus on its limitations or specific attacks. In this thesis, I present an up-to-date view and longitudinal analysis of the evolution of the permissions system. I study how some lesser-known features of the permission system, specifically permission flags, can impact the permission granting process, making it either more restrictive or less. I then highlight how pre-installed apps developers use said flags in the wild and focus on the privacy and security implications. Specifically, I show the presence of third-party apps, installed as privileged system apps, potentially using said features to share resources with other third-party apps. Another salient feature of the permission system is its extensibility: apps can define their own custom permissions to expose features and data to other apps. However, little is known about how widespread the usage of custom permissions is, and what impact these permissions may have on users’ privacy and security. In the last part of this thesis, I investigate the exposure and request of custom permissions in the Android ecosystem and their potential for opening privacy and security risks. I gather a 2.2-million-app-large dataset of both pre-installed and publicly available apps using both Firmware Scanner and purpose-built app store crawlers. I find the usage of custom permissions to be pervasive, regardless of the origin of the apps, and seemingly growing over time. Despite this prevalence, I find that custom permissions are virtually invisible to end-users, and their purpose is mostly undocumented. While Google recommends that developers use their reverse domain name as the prefix of their custom permissions [Gpla], I find widespread violations of this recommendation, making sound attribution at scale virtually impossible. Through static analysis methods, I demonstrate that custom permissions can facilitate access to permission-protected system resources to apps that lack those permissions, without user awareness. Due to the lack of tools for studying such risks, I design and implement two tools, PermissionTracer [Pere] and PermissionTainter [Perd] to study custom permissions. I highlight multiple cases of concerning use of custom permissions by Android apps in the wild. In this thesis, I systematically studied, at scale, the vast and overlooked ecosystem of preinstalled Android apps. My results show a complete lack of control of the supply chain which is worrying, given the huge potential impact of pre-installed apps on the privacy and security of end-users. I conclude with a number of open research questions and future avenues for further research in the ecosystem of the supply chain of Android devices.This work has been supported by IMDEA Networks InstitutePrograma de Doctorado en Ingeniería Telemática por la Universidad Carlos III de MadridPresidente: Douglas Leith.- Secretario: Rubén Cuevas Rumín.- Vocal: Hamed Haddad

Security Implementation of Mission Control System for ESTCube-1 Satellite

Lühikokkuvõte ESTCube-1 on Eesti esimene satelliit ja ühtlasi onta ehitatud tervenisti üliõpilaste poolt. ESTCube-1 paljudestallsüsteemidest on üks osa missioonijuhtimissüsteemist (ingl. k.Mission Control System- MCS). Missioonijuhtimise tarkvara on modulaarne, moodulid võivad asuda erinevates serverites. Praeguses seadistusestöötab enamik moodulitest vaikimisi konfiguratsiooniseadetes ja mõnel juhul ei ole andmed piisavalt kaitstud – näiteks suhtlevad osad komponendidilma turvalise võrguühenduseta. Käesoleva töö eesmärk on süstemaatiliselt läheneda missioonijuhtimise süsteemi kui terviku turvalisusele ja leida lahendus senisest paremini turvatud süsteemi seadistamiseks. Töö koosneb järgnevatest sammudest:kirjeldada ESTCube-1 missioonijuhtimissüsteemi arhitektuuri, analüüsida kõikide süsteemi moodulite turvalahenduste võimalusi, rakendada leitud terviklahendus missioonijuhtimissüsteemi turvalahendustetestkeskkonnas, katsetadaja kontrollida süsteemi tööd uues seadistuses. Töös valitud lahendus võimaldab turvalisiühendusi erinevate moodulite vahel ja krüpteerib salvestatud andmed. Andmetele juurdepääsu saab piirata ka kasutajapõhiselt. Kokkuvõttes võib missioonijuhtimissüsteemi tarkvara panna tööle avatud ligipääsuga üle Interneti. Seni kasutatud lahendus tugines VPN ja SSH tunnelitele, mis on küll sobiliksüsteemi arenduseks, aga käesolev lahendus võimaldab süsteemile turvalise ligipääsu satelliidi opereerimise igapäevatöös. Võtmesõnad: ESTCube-1, Mission Control System, CubeSat, Hummingbird, Atlassian Crowd, Mongodb, Oracle 11g, Apache ActiveMQ, Jetty Web ServerAbstract: ESTCube-1 is Estonia’s first satellite project built by university students. ESTCube-1 Mission Control System (MCS) software is also developed as part of this educational project. Mission Control System is a modular system, comprised of various components in multiple servers, of which most of them are running on default or basic security configuration settings and in some cases, data is not protected well enough in the present state. Some of the components communicate over unsecured network thereby making its data vulnerable. As this thesis title “Security Implementation of Mission Control System for ESTCube-1 Satellite” implies, there is need for a systematic approach about the entire data security of the mission and my aim is to improve the security of ESTCube-1 Mission Control System. The following steps are taken in the thesis: establish a good understanding ESTCube-1 MCS architecture, understand the possibilities of security configurations of all used technologies, analyse the effect of a possible selection of security methods, implement the chosen solutions in a sandbox environment, test and verify the operating of the complete MCS with the implemented solution. The results shows security implementations done on the various components allows the connection between components are secure and data in motion are encrypted. Access to the data at rest are restricted, some are encrypted and only privileged users can gain access. Mission Control System accessibility over the Internet is more secure and access to the hardware tightened. In conclusion, the Mission Control System can certainly be accessed via the Internet securely as long as the user has valid certificates. Other access means are through other means like VPN and SSH Tunnelling. The original system configuration providedESTCube-1 MCS with just adequate security that would be befitting for a production environment, with the security solution found in current thesis, the system could be elevated for enterprise-level usage. Keywords: ESTCube-1, Mission Control System, CubeSat, Hummingbird, Atlassian Crowd, Mongodb, Oracle 11g, Apache ActiveMQ, Jetty Web Serve

Improving Software Development Process and Product Management with Software Project Telemetry

Software development is slow, expensive and error prone, often resulting in products with a large number of defects which cause serious problems in usability, reliability, and performance. To combat this problem, software measurement provides a systematic and empirically-guided approach to control and improve software development processes and final products. However, due to the high cost associated with "metrics collection" and difficulties in "metrics decision-making," measurement is not widely adopted by software organizations. This dissertation proposes a novel metrics-based program called "software project telemetry" to address the problems. It uses software sensors to collect metrics automatically and unobtrusively. It employs a domain-specific language to represent telemetry trends in software product and process metrics. Project management and process improvement decisions are made by detecting changes in telemetry trends and comparing trends between different periods of the same project. Software project telemetry avoids many problems inherent in traditional metrics models, such as the need to accumulate a historical project database and ensure that the historical data remain comparable to current and future projects. The claim of this dissertation is that software project telemetry provides an effective approach to (1) automated metrics collection and analysis, and (2) in-process, empirically-guided software development process problem detection and diagnosis. Two empirical studies were carried out to evaluate the claim: one in software engineering classes, and the other in the Collaborative Software Development Lab. The results suggested that software project telemetry had acceptably-low metrics collection and analysis overhead, and that it provided decision-making value at least in the exploratory context of the two studies

Revisiting Piggyback Prototyping: Examining Benefits and Tradeoffs in Extending Existing Social Computing Systems

The CSCW community has a history of designing, implementing, and evaluating novel social interactions in technology, but the process requires significant technical effort for uncertain value. We discuss the opportunities and applications of "piggyback prototyping", building and evaluating new ideas for social computing on top of existing ones, expanding on its potential to contribute design recommendations. Drawing on about 50 papers which use the method, we critically examine the intellectual and technical benefits it provides, such as ecological validity and leveraging well-tested features, as well as research-product and ethical tensions it imposes, such as limits to customization and violation of participant privacy. We discuss considerations for future researchers deciding whether to use piggyback prototyping and point to new research agendas which can reduce the burden of implementing the method.Comment: To appear at the 25th ACM Conference On Computer-Supported Cooperative Work And Social Computing (CSCW '22

Smart cities: event everywhere

The research attempts to provide a big picture from the literature through a Systematic Literature Review about the smart city and the existing standards topics for interchanging data through Smart City Apps. Additionally a prototype was created to analyze one of the standards found in the SL

Improving software engineering processes using machine learning and data mining techniques

The availability of large amounts of data from software development has created an area of research called mining software repositories. Researchers mine data from software repositories both to improve understanding of software development and evolution, and to empirically validate novel ideas and techniques. The large amount of data collected from software processes can then be leveraged for machine learning applications. Indeed, machine learning can have a large impact in software engineering, just like it has had in other fields, supporting developers, and other actors involved in the software development process, in automating or improving parts of their work. The automation can not only make some phases of the development process less tedious or cheaper, but also more efficient and less prone to errors. Moreover, employing machine learning can reduce the complexity of difficult problems, enabling engineers to focus on more interesting problems rather than the basics of development. The aim of this dissertation is to show how the development and the use of machine learning and data mining techniques can support several software engineering phases, ranging from crash handling, to code review, to patch uplifting, to software ecosystem management. To validate our thesis we conducted several studies tackling different problems in an industrial open-source context, focusing on the case of Mozilla

Flight Data Entry, Descent, and Landing (EDL) Repository

Dr. Daniel Winterhalter, NASA Engineering and Safety Center Chief Engineer at the Jet Propulsion Laboratory, requested the NASA Engineering and Safety Center sponsor a 3-year effort to collect entry, descent, and landing material and to establish a NASA-wide archive to serve the material. The principle focus of this task was to identify entry, descent, and landing repository material that was at risk of being permanently lost due to damage, decay, and undocumented storage. To provide NASA-wide access to this material, a web-based digital archive was created. This document contains the outcome of the effort

TLS on Android – Evolution over the last decade

Mobile Geräte und mobile Plattformen sind omnipräsent. Android hat sich zum bedeutendsten mobilen Betriebssystem entwickelt und bietet Milliarden Benutzer:innen eine Plattform mit Millionen von Apps. Diese bieten zunehmend Lösungen für alltägliche Probleme und sind aus dem Alltag nicht mehr wegzudenken. Mobile Apps arbeiten dazu mehr und mehr mit persönlichen sensiblen Daten, sodass ihr Datenverkehr ein attraktives Angriffsziel für Man-in-the-Middle-attacks (MitMAs) ist. Schutz gegen solche Angriffe bieten Protokolle wie Transport Layer Security (TLS) und Hypertext Transfer Protocol Secure (HTTPS), deren fehlerhafter Einsatz jedoch zu ebenso gravierenden Unsicherheiten führen kann. Zahlreiche Ereignisse und frühere Forschungsergebnisse haben diesbezüglich Schwachstellen in Android Apps gezeigt. Diese Arbeit präsentiert eine Reihe von Forschungsbeiträgen, die sich mit der Sicherheit von Android befassen. Der Hauptfokus liegt dabei auf der Netzwerksicherheit von Android Apps. Hierbei untersucht diese Arbeit verschiedene Möglichkeiten zur Verbesserung der Netzwerksicherheit und deren Erfolg, wobei sie die Situation in Android auch mit der generellen Evolution von Netzwerksicherheit in Kontext setzt. Darüber hinaus schließt diese Arbeit mit einer Erhebung der aktuellen Situation und zeigt Möglichkeiten zur weiteren Verbesserung auf.Smart devices and mobile platforms are omnipresent. Android OS has evolved to become the most dominating mobile operating system on the market with billions of devices and a platform with millions of apps. Apps increasingly offer solutions to everyday problems and have become an indispensable part of people’s daily life. Due to this, mobile apps carry and handle more and more personal and privacy-sensitive data which also involves communication with backend or third party services. Due to this, their network traffic is an attractive target for Man-in-the-Middle-attacks (MitMAs). Protection against such attacks is provided by protocols such as Transport Layer Security (TLS) and Hypertext Transfer Protocol Secure (HTTPS). Incorrect use of these, however, can impose similar vulnerabilities lead to equally serious security issues. Numerous incidents and research efforts have featured such vulnerabilities in Android apps in this regard. This thesis presents a line of research addressing security on Android with a main focus on the network security of Android apps. This work covers various approaches for improving network security on Android and investigates their efficacy as well as it puts findings in context with the general evolution of network security in a larger perspective. Finally, this work concludes with a survey of the current state of network security in Android apps and envisions directions for further improvement

Understanding the Impact of Release Processes and Practices on Software Quality

L’ingénierie de production (release engineering) englobe toutes les activités visant à «construire un pipeline qui transforme le code source en un produit intégré, compilé, empaqueté, testé et signé prêt à être publier». La stratégie des production et les pratiques de publication peuvent avoir un impact sur la qualité d’un produit logiciel. Bien que cet impact ait été longuement discuté et étudié dans la communauté du génie logiciel, il reste encore plusieurs problèmes à résoudre. Cette thèse s’attaque à quelque-uns de ces problèmes non résoulus de l’ingénierie de production en vue de proposer des solutions. En particulier, nous investigons : 1) pourquoi les activités de révision de code (code review) peuvent rater des erreurs de code susceptibles de causer des plantages (crashs); (2) comment prévenir les bogues lors de l’approbation et l’intégration des patches urgents; 3) dans un écosystème logiciel, comment atténuer le risque de bogues dus à des injections de DLL. Nous avons choisi d’étudier ces problèmes car ils correspondent à trois phases importantes des processus de production de logiciels, c’est-à-dire la révision de code, les patches urgents, et la publication de logiciels dans un écosystème. Les solutions à ces problèmes peuvent aider les entreprises de logiciels à améliorer leur stratégie de production et de publication. Ce qui augmentera leur productivité de développement et la qualité générale de leurs produits logiciels.----------ABSTRACT: Release engineering encompasses all the activities aimed at “building a pipeline that transforms source code into an integrated, compiled, packaged, tested, and signed product that is ready for release”. The strategy of the release processes and practices can impact the quality of a software artefact. Although such impact has been extensively discussed and studied in the software engineering community, there are still many pending issues to resolve. The goal of this thesis is to study and solve some of these pending issues. More specifically, we examine 1) why code review practices can miss crash-prone code; 2) how urgent patches (also called patch uplift) are approved to release and how to prevent regressions due to urgent patches; 3) in a software ecosystem, how to mitigate the risk of defects due to DLL injections. We chose to study these problems because they correspond to three important phases of software release processes, i.e., code review, patch uplift, and releasing software in an ecosystem. The solutions of these problems can help software organizations improve their release strategy; increasing their development productivity and the overall user-perceived quality of their products