Destructive Research on Mobile Security: Rethinking Security by Construction

  • Posted by: 高丽丽
  • Date: 2016-10-09

Speaker: Xiaofeng Wang

Time: Thursday, 29 September 2016, 4:30 – 5:30 PM

Location: 雁栖湖校区 (Yanqihu Campus), 教1-115 (Teaching Building 1, Room 115)

Abstract:

Mobile operating systems are designed with security in mind. For example, Android adds a new layer of protection on top of Linux, consisting of an application sandbox and permission-based access control. Although many implementation flaws have been discovered, utility issues raised and malware concerns studied on those mobile systems, it remains far less clear whether the security design itself is sound. In this talk, I report our recent studies on this question, in particular our findings of surprising security weaknesses in Android and iOS: their limited protection of phone users’ web resources, the privacy implications of Android public resources, and inadequate access control over Android external devices. Specifically, our research shows that Android and iOS apps can be triggered by malicious URLs from the web to act on the adversary’s behalf; that a phone user’s identity, location and health/financial information can be inferred by malicious apps without any permissions; and that her health data collected by Bluetooth medical sensors can be stolen or even tampered with by unauthorized apps running on her phone. All of these problems stem primarily from design limitations, particularly the widening gap between what the security mechanisms of mobile devices are designed to protect and how those devices are actually used in practice. We further discuss the limitations of the “security-by-construction” approach for an open system and the new directions that need to be explored to build a more secure system.

Bio:

Dr. XiaoFeng Wang is a professor in the School of Informatics and Computing at Indiana University, Bloomington. He received his Ph.D. in Electrical and Computer Engineering from Carnegie Mellon University in 2004 and has since been a faculty member at IU. Dr. Wang is a recognized, active researcher in system and network security. His work focuses on cloud and mobile security and on data privacy (particularly the privacy challenges in large-scale analysis and dissemination of human genomic data). He is a recipient of the 2011 Award for Outstanding Research in Privacy Enhancing Technologies (the PET Award) and of the Best Practical Paper Award at the 32nd IEEE Symposium on Security and Privacy. His work frequently receives media attention, including from CNN, MSNBC, Slashdot, CNet and PC World. His research is supported by the NIH, the NSF, the Department of Homeland Security, the Air Force and Microsoft Research. He served as director of the Security Informatics program at IU in 2010.