Smartphone Security: Attacks and Defenses

Friday, 10 October 2014 - 11:00am - 1:00pm
Dr. Wenliang (Kevin) Du, Professor, Department of Electrical Engineering and Computer Science, Syracuse University, New York


This talk consists of two parts. In the first part, I will give a brief tutorial on smartphone security, covering some of the key security features in iOS and Android, as well as how they can be attacked. In the second part, I will focus on our research in Android security, which covers both attacks and defenses. For the attack part, I will present attacks against mobile apps that use WebView.

These include the HTML5-based apps that have become increasingly popular among developers, mostly because they are portable across mobile platforms. We have conducted a systematic study of the risks of HTML5-based mobile apps. We found a new form of code injection attack that shares the root cause of cross-site scripting (XSS), namely untrusted data being rendered as markup, but has many more channels through which code can be injected than XSS does.

These channels, unique to mobile devices, include contacts, SMS messages, barcodes, MP3 metadata, and others. For instance, simply scanning a 2D barcode with a vulnerable HTML5-based app is enough for the injected code to run inside the app's WebView.

For the defense side, our research focuses on developing better access control systems for the Android operating system. In particular, we focus on providing fine-grained access control for Android to protect against untrusted third-party code, such as advertisement code, code in third-party plugins, and JavaScript code loaded into WebView.

About the Professor

Dr. Wenliang (Kevin) Du received his Bachelor's degree from the University of Science and Technology of China in 1993 and his Ph.D. degree from Purdue University in 2001, both in Computer Science.

Kevin is currently a professor in the Department of Electrical Engineering and Computer Science at Syracuse University. His background is in computer and network security. His current research interests include web security and mobile system security.

He is also interested in developing instructional laboratories for security education, and the labs that he developed have been used by over two hundred universities worldwide.

His research has been sponsored by grants from the National Science Foundation, the Army Research Office, JP Morgan Chase, and Google. He is a recipient of the ACM CCS Test-of-Time Award in 2013.