PhD Proposal -- Antonio Bianchi

Date: 
Tuesday, August 29, 2017 - 10:30am
Location: 
HFH 1132
Title: 
Identifying and Mitigating Trust Violations in the Smartphone Ecosystem
Speaker: 
Antonio Bianchi
Committee: 
Christopher Kruegel (Co-Chair), Giovanni Vigna (Co-Chair), Tevfik Bultan

Smartphones are now the most common way users handle digital

information and interact with online services. The interaction with

these devices encompasses different actors, trusting each other in

different ways. Users interact with apps, trusting them to access

valuable and privacy-sensitive information. At the same time, apps

usually communicate with remote backends and mediate user

authentication to online services. Finally, all these interactions are

mediated on one side by the user interface and on the other by the

operating system.

 

During my PhD I studied how all these different actors trust each

other and how this trust can be unfortunately violated by attackers,

because of limitations on how the operating system, apps, and the user

interface are currently designed and implemented. To assist my work, I

developed automatic analysis tools to perform large-scale analyses of

Android apps. In this presentation I will describe both the tools I

have developed and my findings.

 

Specifically, I will first describe my work on how, in an Android

system, it is possible to lure users to interact with malicious apps

which "look like" legitimate ones. This completely violates the trust

relationship, mediated by the user interface, between users and apps.

As a countermeasure, we implemented modifications of the Android user

interface and we evaluated their effectiveness with a user study.

Then, I will explain how many apps unsafely authenticate their users

to remote backends, due to misplaced trust in the operating system.

Specifically, we identified different apps that only rely on values

provided by the operating system (such as the "device id" or the

"device MAC address") to perform authentication. For this reason, an

attacker can trivially spoof these values, and logins in behalf of a

legitimate user. Finally, I will introduce my ongoing research on how

new hardware-assisted technologies could help, if used correctly, in

mitigating the previously mentioned trust violations.


Everyone Welcome!

Everyone welcome!