Improving the Impact of Smartphone Apps

Add to your list(s) Download to your calendar using vCal

• Vincent Taylor, University of Oxford
• Tuesday 23 May 2017, 14:00-15:00
• LT2, Computer Laboratory, William Gates Building.

If you have a question about this talk, please contact Laurent Simon.

Abstract:

Smartphones continue their explosive growth to ubiquity, and as their popularity increases, so does the attention they attract from adversaries. Adversaries need not be the typical attacker on the network. App developers, malicious or not, and third-party library developers also contribute to security concerns.

Several classes of Android vulnerabilities have been highlighted in the literature but it remains unclear whether Android app developers heed warnings and write secure apps. Additionally, it is not known how permission usage or the vulnerabilities contained within apps change as apps get updated. We statically analyse a corpus of 30,000 apps for which we have app versions two years apart, to understand how vulnerabilities in apps and the permissions apps use have changed over the period. Worryingly, we show that many popular apps contain vulnerabilities, and that in many cases, app updates only serve to increase the number of vulnerabilities contained within apps. Apps are also seen to get more permission hungry over time.

These observations motivate the question of whether users can feasibly replace undesirable apps, since app stores contain many groups of functionally-similar apps. As a case study, we focus on replacing general-purpose apps that are permission-hungry. We study 50,000 Google Play Store search results for 2500 general-purpose searches each yielding 20 functionally-similar apps. We describe a framework, called SecuRank, which exploits contextual permission usage analysis to identify and penalise over-privileged apps. We show that SecuRank can be used to recommend safer alternative apps to users. Moreover, we show that run-time permissions do not necessarily solve the problem of permission-hungry apps.

Many users do not realise that one or more of the apps they use leave them at risk. We describe a system that can be used to identify apps from only their (encrypted) network traffic. This system can be used to transparently and non-invasively identify apps that are potentially undesirable so that their users can be notified. We test our system using a sample of 110 apps and show that apps can be accurately fingerprinted and later re-identified by their network traffic.

Bio:

Vincent read for his bachelor’s and master’s degrees at the University of the West Indies, Mona. As an undergraduate, he did a double-major in Computer Science and Electronics and focused on network security during his master’s degree. He is now reading for his D.Phil. in Cyber Security at the University of Oxford. Vincent is interested in smartphone privacy/security, networking and network security at Layer 2/3 of the OSI model. He holds Cisco CCENT /CCNA/CCNP certifications in Routing and Switching. He has experience in web server administration and web application penetration testing. Vincent enjoys communicating via amateur radio and builds and maintains websites for non-profit organizations pro bono in his spare time.

This talk is part of the Computer Laboratory Security Seminar series.

This talk is included in these lists:

• All Talks (aka the CURE list)
• Cambridge talks
• Computer Laboratory Security Seminar
• Department of Computer Science and Technology talks and seminars
• Interested Talks
• LT2, Computer Laboratory, William Gates Building
• School of Technology
• Security-related talks
• Trust & Technology Initiative - interesting events
• bld31

Note that ex-directory lists are not shown.