19 research outputs found

    MobileAppScrutinator: A Simple yet Efficient Dynamic Analysis Approach for Detecting Privacy Leaks across Mobile OSs

    Smartphones, the devices we carry everywhere with us, are being heavily tracked and have undoubtedly become a major threat to our privacy. As "tracking the trackers" has become a necessity, various static and dynamic analysis tools have been developed in the past. However, today, we still lack suitable tools to detect, measure and compare the ongoing tracking across mobile OSs. To this end, we propose MobileAppScrutinator, based on a simple yet efficient dynamic analysis approach, that works on both Android and iOS (the two most popular OSs today). To demonstrate the current trend in tracking, we select 140 most representative Apps available on both Android and iOS AppStores and test them with MobileAppScrutinator. In fact, choosing the same set of apps on both Android and iOS also enables us to compare the ongoing tracking on these two OSs. Finally, we also discuss the effectiveness of privacy safeguards available on Android and iOS. We show that neither Android nor iOS privacy safeguards in their present state are completely satisfying.

    Backdoors: Definition, Deniability & Detection

    Impacts of Packet Scheduling and Packet Loss Distribution on FEC Performances: Observations and Recommendations

    Forward Error Correction (FEC) is commonly used for content broadcasting. The performance of the FEC codes largely varies, depending in particular on the object size and on the number of parity packets produced, and these parameters have already been studied in detail by the community. However, the FEC performances are also largely dependent on the packet scheduling used during transmission and on the loss pattern introduced by the channel. Therefore this work analyzes their impacts on three FEC codes: LDGM Staircase, LDGM Triangle, two large block FEC codes, and Reed-Solomon. Thanks to this analysis, we define several recommendations on how to best use these codes, depending on the test case and on the channel, which turns out to be of utmost importance.

    Systematic Treatment of Remote Attestation

    Embedded computing devices (such as actuators, controllers and sensors of various sizes) increasingly permeate many aspects of modern life: from medical to automotive, from building and factory automation to weapons, from critical infrastructures to home entertainment. Despite their specialized nature as well as limited resources and connectivity, these devices are now becoming increasingly popular and attractive targets for various attacks, especially remote malware infestations. There have been a number of research proposals to detect and/or mitigate such attacks. They vary greatly in terms of application generality and underlying assumptions. However, one common theme is the need for Remote Attestation, a distinct security service that allows a trusted party (verifier) to check the internal state of a remote untrusted embedded device (prover). This paper provides a systematic treatment of Remote Attestation, starting with a precise definition of the desired service and proceeding to its systematic deconstruction into necessary and sufficient properties. These properties are, in turn, mapped into a minimal collection of hardware and software components that results in secure Remote Attestation. One distinguishing feature of this line of research is the need to prove (or, at least, argue) architectural minimality; this is rarely encountered in security research. This work also offers some insights into vulnerabilities of certain prior techniques and provides a promising platform for attaining more advanced security services and guarantees.

    "Doing being" an ordinary human callee

    No full text
    International audienc

    TESLA source authentication in the ALC and NORM protocols

    No full text
    IETF Internet Draft. This document explains how to integrate the TESLA source authentication and packet integrity protocol into the ALC and NORM content delivery protocols. This document only considers the authentication/integrity of the packets generated by the session's sender.

    Application Collusion Attack on the Permission-Based Security Model and its Implications for Modern Smartphone Systems

    No full text
    We show that the way in which permission-based mechanisms are used on today's mobile platforms enables attacks by colluding applications that communicate over overt and covert communication channels. These attacks allow applications to indirectly execute operations that those applications, based on their declared permissions, should not be able to execute. Example operations include disclosure of users' private data (e.g., phone book and calendar entries) to remote parties by applications that do not have direct access to such data or cannot directly establish remote connections. We further show that on today's mobile platforms users are not made aware of possible implications of application collusion--quite the contrary--users are implicitly led to believe that by approving the installation of each application independently, based on its declared permissions, they can limit the damage that an application can cause. In this work, we show that this is not correct and that application permissions should be displayed to the users differently (e.g., in their aggregated form), reflecting their actual implications. We demonstrate the practicality of application collusion attacks by implementing several applications and example covert channels on an Android platform and an example channel on a Windows Phone 7 platform. We study free applications from the Android market and show that the potential for application collusion is significant. Finally, we discuss countermeasures that can be used to mitigate these attacks.