    SYSTEMATIC DISCOVERY OF ANDROID CUSTOMIZATION HAZARDS

    The open nature of the Android ecosystem has naturally laid the foundation for a highly fragmented operating system. In fact, the official AOSP versions have been aggressively customized into thousands of system images by everyone in the customization chain, such as device manufacturers, vendors, carriers, etc. If not well thought out, the customization process could result in serious security problems. This dissertation performs a systematic investigation of Android customization inconsistencies with regard to security aspects at various Android layers. It brings to light new vulnerabilities, never investigated before, caused by the under-regulated and complex Android customization. It first describes a novel vulnerability, Hare, and proves that it is security critical and extensively affects devices from major vendors. A new tool is proposed to detect the Hare problem and to protect affected devices. This dissertation further discovers security configuration changes through a systematic differential analysis among custom devices from different vendors and demonstrates that they could lead to severe vulnerabilities if introduced unintentionally.

    Detecting vulnerabilities in smart contract within blockchain: a review and comparative analysis of key approaches

    Blockchain technology was created with security in mind. However, in recent years there have been various confirmed cases of breaches, worth billions of dollars in losses, in blockchain systems associated with smart contracts. In order to address this growing concern, it is crucial to investigate the detection and mitigation of vulnerabilities in smart contracts, and this paper critically reviews and analyses key approaches for detecting vulnerabilities in smart contracts within blockchain. In order to achieve the purpose of this paper, five key approaches, notably the application of the OWASP Top 10, SCSVS, vulnerability detection tools, fuzz testing and AI-driven approaches, are critically reviewed and compared. As part of the comparison performed, a penetration testing quality model was applied to study six quality metrics, notably extensibility, maintainability, domain coverage, usability, availability and reliability. Results revealed limitations of the studied vulnerability detection approaches, and the findings are expected to help in decision making, especially when selecting approaches to be used during security analysis and pen-testing.

    Contingency planning in southern Africa: Events rather than processes?

    With the increasing frequency, magnitude and impact of disasters, there is growing focus on contingency planning as a tool for enhancing resilience. Yet there is little empirical evidence that reflects on the practice of contingency planning systems within the context of disaster risk reduction. This article explores the practice of contingency planning in southern Africa, focussing on Malawi, Mozambique, Namibia, Zambia and Zimbabwe. A qualitative comparative analysis informed by fieldwork was used. The findings show that (1) there was a wide gap between theory and practice in contingency planning, (2) response activities rarely reflected projected scenarios and (3) resources were inadequate for effective contingency planning. We conclude that unless these issues are addressed, contingency planning is likely to remain a theoretical rather than a practical tool for building disaster-resilient communities in southern African countries. Although a generalisation cannot be made on the status of contingency planning and practice in southern Africa without a wider analysis of more examples, the findings may apply beyond the examined contexts and also offer insights into research gaps.

    How to design browser security and privacy alerts

    Browser security and privacy alerts must be designed to ensure they are of value to the end user and communicate risks efficiently. We performed a systematic literature review, producing a list of guidelines from the research. Papers were analysed quantitatively and qualitatively to formulate a comprehensive set of guidelines. Our findings seek to provide developers and designers with guidance as to how to construct security and privacy alerts. We conclude by providing an alert template, highlighting its adherence to the derived guidelines.