Completely Automated Public Physical test to tell Computers and Humans Apart: A usability study on mobile devices
A very common approach to fighting the increasing sophistication and dangerousness of malware and hacking is to introduce more complex authentication mechanisms. This approach, however, places additional cognitive burdens on users and lowers the acceptability of the whole authentication mechanism to the point of making it unusable. On the contrary, what is really needed to fight the onslaught of automated attacks on users' data and privacy is to first tell humans and computers apart, and only then distinguish among humans to guarantee correct authentication. Such an approach can completely thwart any automated attempt to gain unwarranted access while keeping the mechanism dedicated to recognizing the legitimate user simple. This kind of approach is behind the concept of the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), yet CAPTCHA relies on cognitive capabilities, so the increasing sophistication of computers calls for ever more difficult cognitive tasks that are either very long to solve or very prone to false negatives. We argue that this problem can be overcome by substituting the cognitive component of CAPTCHA with a different property that programs cannot mimic: physical nature. In past work we introduced the Completely Automated Public Physical test to tell Computers and Humans Apart (CAPPCHA) as a way to enhance PIN authentication on mobile devices, and we provided a proof-of-concept implementation. Similarly to CAPTCHA, this mechanism can also be used to prevent automated programs from abusing online services. However, to evaluate the real efficacy of the proposed scheme, an extended empirical assessment of CAPPCHA is required, as well as a comparison of CAPPCHA's performance with the existing state of the art.
To this aim, in this paper we carry out an extensive experimental study of both the performance and the usability of CAPPCHA involving a large number of physical users, and we compare CAPPCHA with existing flavors of CAPTCHA.
ClickPattern: A Pattern Lock System Resilient to Smudge and Side-channel Attacks
Pattern lock is a very popular mechanism for securing authenticated access to mobile terminals, mainly due to its ease of use and the fact that muscle memory endows it with extreme memorability. Nonetheless, pattern lock is also very vulnerable to smudge and side-channel attacks, so its actual level of security has often been considered insufficient. In this paper we describe a mechanism that enhances pattern lock security with resilience to smudge and side-channel attacks, maintains a comparable level of memorability and provides ease of use that is still comparable with Pattern Lock, while outperforming other schemes proposed in the literature. To prove our claim, we have performed a usability test with 51 volunteers and compared our results with the other schemes.
Android Permissions Unleashed
The Android Security Framework controls the execution of applications through permissions, which are statically granted by the user at installation time. However, the definition of security policies over permissions is not supported. Security policies must therefore be manually encoded into the application by the developer, which is a dangerous practice and may cause security breaches. We propose an improvement over the Android permission system that supports the specification and enforcement of fine-grained security policies. Enforcement is achieved by reducing policy decision problems to propositional satisfiability and leveraging a state-of-the-art SAT solver. Unlike alternative proposals, our approach does not require changes to the operating system and can therefore be readily deployed on any commercial device.
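The reduction of a permission-policy decision to propositional satisfiability, as an added illustration (example code written for this page, not the authors' implementation): each permission is a Boolean variable, each policy rule a CNF clause, and a grant request is decided by asking a SAT solver whether rules and request are jointly satisfiable. The three rules, the five permission names and the tiny DPLL solver are constructed for the example; the paper's system relies on a production SAT solver and its own policy language, neither of which is reproduced here.

```python
"""Permission policy decided by propositional satisfiability.

Added illustration of the SAT-based approach described above; it is not the
paper's encoding, and the permission rules below are constructed for the example.
"""

# Every permission is one propositional variable, encoded as a positive integer
# so that a clause is a list of non-zero ints (negative = negated literal).
PERMS = {
    "INTERNET": 1,
    "CAMERA": 2,
    "ACCESS_FINE_LOCATION": 3,
    "READ_CONTACTS": 4,
    "RECORD_AUDIO": 5,
}


def policy_clauses():
    """Constructed fine-grained policy in CNF (each inner list is a disjunction)."""
    P = PERMS
    return [
        # Rule 1: never CAMERA together with ACCESS_FINE_LOCATION.
        [-P["CAMERA"], -P["ACCESS_FINE_LOCATION"]],
        # Rule 2: never READ_CONTACTS together with INTERNET.
        [-P["READ_CONTACTS"], -P["INTERNET"]],
        # Rule 3: RECORD_AUDIO only if CAMERA is also held (RECORD_AUDIO -> CAMERA).
        [-P["RECORD_AUDIO"], P["CAMERA"]],
    ]


def dpll(clauses, assignment=None):
    """Minimal DPLL solver: returns a satisfying assignment {var: bool} or None.

    Stands in for the external SAT solver the approach relies on; any CNF solver
    accepting the same clause lists could replace it.
    """
    assignment = dict(assignment or {})
    clauses = [list(c) for c in clauses]
    while True:
        # Simplify under the current assignment: drop satisfied clauses and
        # falsified literals; an empty clause means a conflict.
        simplified = []
        for clause in clauses:
            if any(assignment.get(abs(lit)) == (lit > 0) for lit in clause):
                continue
            rest = [lit for lit in clause if abs(lit) not in assignment]
            if not rest:
                return None
            simplified.append(rest)
        clauses = simplified
        if not clauses:
            return assignment
        # Unit propagation: a one-literal clause forces its variable.
        units = [c[0] for c in clauses if len(c) == 1]
        if not units:
            break
        for lit in units:
            if assignment.get(abs(lit), lit > 0) != (lit > 0):
                return None  # contradictory unit clauses
            assignment[abs(lit)] = lit > 0
    # Branch on the first unassigned variable.
    var = abs(clauses[0][0])
    for value in (True, False):
        result = dpll(clauses, {**assignment, var: value})
        if result is not None:
            return result
    return None


def permitted(requested):
    """Is the requested permission set (all others denied) consistent with the policy?"""
    units = [[PERMS[p]] if p in requested else [-PERMS[p]] for p in PERMS]
    return dpll(policy_clauses() + units) is not None


def forced_denials(granted):
    """Permissions that can no longer be added to `granted` under the policy:
    p is denied iff (policy AND granted AND p) is unsatisfiable. Here the solver
    does real work, because the remaining permissions stay free variables."""
    base = policy_clauses() + [[PERMS[p]] for p in granted]
    return sorted(p for p in PERMS
                  if p not in granted and dpll(base + [[PERMS[p]]]) is None)


if __name__ == "__main__":
    print(permitted({"CAMERA", "RECORD_AUDIO", "INTERNET"}))  # True
    print(permitted({"RECORD_AUDIO"}))                        # False: violates rule 3
    print(forced_denials({"CAMERA"}))                         # ['ACCESS_FINE_LOCATION']
    print(forced_denials({"INTERNET"}))                       # ['READ_CONTACTS']
```

The `permitted` check is a full evaluation, so SAT adds little there; `forced_denials` is where the reduction pays off, since the solver searches over the unrequested permissions and reports which ones the current grant set has already ruled out. The same encoding answers whether the policy itself is consistent (`dpll(policy_clauses())`) before it is ever deployed.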
Deep Reinforcement Learning for Black-Box Testing of Android Apps
The state space of Android apps is huge, and its thorough exploration during testing remains a major challenge. In fact, the best exploration strategy is highly dependent on the features of the app under test. Reinforcement Learning (RL) is a machine learning technique that learns the optimal strategy to solve a task by trial and error, guided by positive or negative reward rather than by explicit supervision. Deep RL is a recent extension of RL that takes advantage of the learning capabilities of neural networks. Such capabilities make Deep RL suitable for complex exploration spaces such as that of Android apps. However, state-of-the-art, publicly available tools only support basic, tabular RL. We have developed ARES, a Deep RL approach for black-box testing of Android apps. Experimental results show that it achieves higher coverage and fault revelation than the baselines, which include state-of-the-art RL-based tools such as TimeMachine and Q-Testing. We also investigated qualitatively the reasons behind such performance and identified the key features of Android apps that make Deep RL particularly effective on them: the presence of chained and blocking activities.
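Reward-driven exploration of a blocking activity, as an added illustration (example code written for this page, not ARES or the authors' agent): a tabular Q-learning explorer, the basic variant the abstract contrasts with Deep RL, is run over a constructed five-activity app model in which a login screen (`A1`) only yields to one specific action and a deeper activity (`A4`) sits at the end of a chain. The reward is novelty, +1 for reaching an activity not yet seen in the episode, and the agent learns which action gets it past the blocking screen. The app model, activity names, actions and hyperparameters are all constructed; a Deep RL agent would replace the Q-table with a neural network so that it scales to real app state spaces.

```python
"""Reward-driven exploration of a toy app model with tabular Q-learning.

Added illustration of the idea described above, not ARES or its Deep RL agent:
the app model, its activities and actions are constructed for this example, and
the Q-table stands in for the neural network a Deep RL agent would use.
"""
import random

# Constructed app model: activity -> {action: next activity}. A1 is a "blocking"
# activity (a login screen): only action 2 (submit) leaves it, everything else
# stays put. A4 is only reachable through the chain A0 -> A1 -> A2 -> A4.
ACTIONS = [0, 1, 2, 3]  # abstract UI events, e.g. tap, swipe, submit, back
APP = {
    "A0": {0: "A1", 1: "A0", 2: "A0", 3: "A3"},
    "A1": {0: "A1", 1: "A1", 2: "A2", 3: "A1"},
    "A2": {0: "A4", 1: "A2", 2: "A2", 3: "A0"},
    "A3": {0: "A3", 1: "A3", 2: "A3", 3: "A0"},
    "A4": {0: "A4", 1: "A4", 2: "A4", 3: "A2"},
}
START = "A0"


def best_action(Q, state):
    """Greedy choice; ties resolve to the lowest action index."""
    return max(ACTIONS, key=lambda a: Q[state][a])


def train(episodes=300, steps=12, alpha=0.5, gamma=0.9, epsilon=0.2, seed=0):
    """Q-learning with a novelty reward: +1 the first time an activity is
    reached within an episode, 0 otherwise. Returns (Q, activities_ever_seen)."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    Q = {s: {a: 0.0 for a in ACTIONS} for s in APP}
    seen = {START}
    for _ in range(episodes):
        state, visited = START, {START}
        for _ in range(steps):
            if rng.random() < epsilon:
                action = rng.choice(ACTIONS)      # explore
            else:
                action = best_action(Q, state)     # exploit what was learned
            nxt = APP[state][action]
            reward = 0.0 if nxt in visited else 1.0
            visited.add(nxt)
            seen.add(nxt)
            # Standard one-step Q-learning update.
            Q[state][action] += alpha * (
                reward + gamma * max(Q[nxt].values()) - Q[state][action]
            )
            state = nxt
    return Q, seen


if __name__ == "__main__":
    Q, seen = train()
    print(sorted(seen))            # all five activities reached during training
    print(best_action(Q, "A1"))    # 2: the agent learned how to get past the login screen
```

Random exploration would cover a model this small just as well; the point is the learned table: at `A1` the submit action ends up with a strictly higher value than the three actions that keep the agent stuck, which is exactly the knowledge a tester wants an agent to carry into later episodes instead of rediscovering it each time.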
Obfuscapk: An open-source black-box obfuscation tool for Android apps
Obfuscapk is an open-source automatic obfuscation tool for Android apps that works in a black-box fashion (i.e., it does not need the app source code). Obfuscapk supports advanced obfuscation features and has a modular architecture that can be straightforwardly extended to support new obfuscation techniques. This paper introduces the architecture, the main obfuscation techniques implemented in Obfuscapk, and the basics of the Obfuscapk CLI. Finally, the paper discusses an actual use case for Obfuscapk and an empirical assessment of the reliability of the tool on a set of 1000 "most downloaded" APKs from the Google Play Store.
Securing PIN-based Authentication in Smartwatches With just Two Gestures
Smartwatches are becoming increasingly ubiquitous as they offer new capabilities to develop sophisticated applications that make daily life easier and more convenient for consumers. The services provided include applications for mobile payment, ticketing, identification, access control, etc. While this makes modern smartwatches very powerful devices, it also makes them very attractive targets for attackers. Indeed, PINs and Pattern Lock have been widely used in smartwatches for user authentication. However, such authentication methods are not robust against various forms of cybersecurity attacks, such as side-channel, phishing, smudge, shoulder-surfing and video-recording attacks. Moreover, the recent adoption of hardware-based solutions, like the Trusted Execution Environment (TEE), can only partially mitigate such problems. Thus, the user's security and privacy are at risk without a strong authentication scheme in place. In this work, we propose 2GesturePIN, a new authentication framework that allows users to authenticate securely to their smartwatches and related sensitive services through just two gestures. 2GesturePIN leverages the rotating bezel or crown, the most intuitive ways to interact with a smartwatch, as dedicated hardware. 2GesturePIN improves the resilience of the regular PIN authentication method against state-of-the-art cybersecurity attacks while maintaining a high level of usability.