Using Hover to Compromise the Confidentiality of User Input on Android

We show that the new hover (floating touch) technology, available in a number of today's smartphone models, can be abused by any Android application running with a common SYSTEM_ALERT_WINDOW permission to record all touchscreen input into other applications. Leveraging this attack, a malicious application running on the system is therefore able to profile user's behavior, capture sensitive input such as passwords and PINs as well as record all user's social interactions. To evaluate our attack we implemented Hoover, a proof-of-concept malicious application that runs in the system background and records all input to foreground applications. We evaluated Hoover with 40 users, across two different Android devices and two input methods, stylus and finger. In the case of touchscreen input by finger, Hoover estimated the positions of users' clicks within an error of 100 pixels and keyboard input with an accuracy of 79%. Hoover captured users' input by stylus even more accurately, estimating users' clicks within 2 pixels and keyboard input with an accuracy of 98%. We discuss ways of mitigating this attack and show that this cannot be done by simply restricting access to permissions or imposing additional cognitive load on the users since this would significantly constrain the intended use of the hover technology.Comment: 11 page

Security Code Smells in Android ICC

Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerability in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.Comment: Accepted on 28 Nov 2018, Empirical Software Engineering Journal (EMSE), 201

Defending Substitution-Based Profile Pollution Attacks on Sequential Recommenders

While sequential recommender systems achieve significant improvements on capturing user dynamics, we argue that sequential recommenders are vulnerable against substitution-based profile pollution attacks. To demonstrate our hypothesis, we propose a substitution-based adversarial attack algorithm, which modifies the input sequence by selecting certain vulnerable elements and substituting them with adversarial items. In both untargeted and targeted attack scenarios, we observe significant performance deterioration using the proposed profile pollution algorithm. Motivated by such observations, we design an efficient adversarial defense method called Dirichlet neighborhood sampling. Specifically, we sample item embeddings from a convex hull constructed by multi-hop neighbors to replace the original items in input sequences. During sampling, a Dirichlet distribution is used to approximate the probability distribution in the neighborhood such that the recommender learns to combat local perturbations. Additionally, we design an adversarial training method tailored for sequential recommender systems. In particular, we represent selected items with one-hot encodings and perform gradient ascent on the encodings to search for the worst case linear combination of item embeddings in training. As such, the embedding function learns robust item representations and the trained recommender is resistant to test-time adversarial examples. Extensive experiments show the effectiveness of both our attack and defense methods, which consistently outperform baselines by a significant margin across model architectures and datasets.Comment: Accepted to RecSys 202

Security Analysis and Evaluation of Smart Toys

During the last years, interconnectivity and merging the physical and digital technological dimensions have become a topic attracting the interest of the modern world. Internet of Things (IoT) is rapidly evolving as it manages to transform physical devices into communicating agents which can consecutively create complete interconnected systems. A sub-category of the IoT technology is smart toys, which are devices with networking capabilities, created for and used in play. Smart toys’ targeting group is usually children and they attempt to provide a higher level of entertainment and education by offering an enhanced and more interactive experience. Due to the nature and technical limitations of IoT devices, security experts have expressed concerns over the effectiveness and security level of smart devices. The importance of securing IoT devices has an increased weight when it pertains to smart toys, since sensitive information of children and teenagers can potentially be compromised. Furthermore, various security analyses on smart toys have discovered a worryingly high number of important security flaws. The master thesis focuses on the topic of smart toys’ security by first presenting and analyzing the necessary literature background. Furthermore, it presents a case study where a smart toy is selected and analyzed statically and dynamically utilizing a Raspberry Pi. The aim of this thesis is to examine and apply methods of analysis used in the relevant literature, in order to identify security flaws in the examined smart toy. The smart toy is a fitness band whose target consumers involve children and teenagers. The fitness band is communicating through Bluetooth with a mobile device and is accompanied by a mobile application. The mobile application has been installed and tested on an Android device. Finally, the analyses as well as their emerged results are presented and described in detail. Several security risks have been identified indicating that developers must increase their efforts in ensuring the optimal level of security in smart toys. Furthermore, several solutions that could minimize security risks and are related to our findings are suggested, along with potentially interesting topics for future work and further research

Integrating TrustZone Protection with Communication Paths for Mobile Operating System

Nowadays, users perform various essential activities through their smartphones, including mobile payment and financial transaction. Therefore, users’ sensitive data processed by smartphones will be at risk if underlying mobile OSes are compromised. A technology called Trusted Execution Environment (TEE) has been introduced to protect sensitive data in the event of compromised OS and hypervisor. This dissertation points out the limitations of the current design model of mobile TEE, which has a low adoption rate among application developers and has a large size of Trusted Computing Base (TCB). It proposes a new design model for mobile TEE to increase the TEE adoption rate and to decrease the size of TCB. This dissertation applies a new model to protect mobile communication paths in the Android platform. Evaluations are performed to demonstrate the effectiveness of the proposed design model