Mobile devices are at the center of our daily lives, and they have become our virtual representations in the online world. While it may be natural for mobile service providers to trust that any network request comes from a user, that may not be the case. In general, service providers face the difficult challenge of identifying whether service requests are being made by real users and devices, or by potentially malicious scripts trying to manipulate the system.
We study this problem at large, and consider the use of difficult-to-forge behavioral signatures as a way to distinguish real users from software scripts. In this talk, I’ll first discuss projects focused on understanding user behavior on multiple online platforms, including anonymous social networks and personal live-streaming services. I’ll then discuss the mobile authentication problem and the possible dangers of software mimicking users, using Google’s Waze navigation system as an example. Finally, I’ll discuss possible defenses by service providers, using Wi-Fi tethering challenges to defeat attackers.