Imperial College London

  • CO447H: Advanced Security in Smartphone and IoT Systems (Spring 2019)

Class Website (for Imperial College students)

This module is motivated by security and privacy problems in popular, emerging real-world systems, addressing many application domains, including smartphones (e.g. Android and iOS), smart home platforms (e.g. Samsung SmartThings), voice assistants (e.g. Amazon Alexa), drones and autonomous vehicles. The module uses the more mature and widespread Android OS as a use case to perform an in-depth analysis of the attack surfaces and defense strategies on contemporary, mobile, connected systems. It then analyzes the security of emerging IoT systems, drawing comparisons with smartphone security and highlighting the differences. Classroom sessions include traditional lectures, discussions, a workshop and one tutorial. Lectures and reading material are based on classical and state-of-the-art research papers on the security and privacy of those systems. Each 2-hour lecture session will dedicate 15-20 minutes to discussion of the introduced topics. This aims to help you develop critical thinking skills (REMEMBER: no system is flawless) by focusing on security, privacy, performance, usability and ethical trade-offs.

We will ask you to put your white hat on and dedicate a 1-hour tutorial to train you in writing SELinux security policies for Android phones. We will also ask you to put a black hat on to work on a coursework assignment. This aims to help you practice reverse engineering Android apps and developing malware for Android. Reverse engineering is a useful technique for application analysis; understanding how malware works helps you better design defense systems (REMEMBER: a defense system is as strong as its adversary model). The coursework has a guided section to help you understand the Android app development tools, and a discovery-based section where you will use your creativity to attack Android. The most creative attacks will earn black-hat bragging rights and a prize.

We will also have a 2-hour hands-on workshop delivered by an Amazon engineer to teach you how to build programs/apps with a Voice User Interface. We will be using the Alexa Skills Kit (ASK) and the Alexa Voice Service (AVS).

ASSESSMENT: There will be one assessed coursework (you will be guided in developing an Android malware) undertaken in groups of 2-3 people. The assignment counts for 15% of the marks for the module. Discussion participation counts for 5% of the overall module mark. This is to incentivize participation and SPEAKING UP! There will be a final paper-based exam, testing knowledge and critical thinking on an individual basis. This exam counts for the remaining 80% of the marks for the module. Since this is the first time this module is taught, during revision week you will be exposed to types of questions you might encounter during the final.

University of Illinois at Urbana-Champaign

I was teaching the Mobile Security Topics in CS463 and CS563 at the University of Illinois at Urbana-Champaign (2014-2018).

I usually lead two 75-minute lectures in the context of the “Computer Security II (CS463)” course at the University of Illinois at Urbana-Champaign. The goal of the lectures is to introduce students to security and privacy issues related to mobile devices with a focus on smartphones. We draw a comparison between traditional computer security and how the attack surface transforms with the advent of smart mobile devices.

Topics covered in the first lecture include iOS security mechanisms and Android security models. In the second lecture we cover mobile advertising and risks on Android; side-channel attacks on Android and defense mechanisms; Bluetooth attacks on Android; attacks on external resources on Android; and SELinux on Android. The lectures are commonly augmented with a machine problem to provide students with hands-on experience of how adversaries can take advantage of mobile OS security limitations. In the past we have asked students to develop a side-channel privacy attack from a userspace mobile application and to simulate a privacy attack by a malicious mobile advertising library.

For this class I introduce state-of-the-art papers in security and privacy in mobile advertising. Papers presented include but are not limited to the following: “Unsafe exposure analysis of mobile in-app advertisements” by Grace et al.; “AdSplit: separating smartphone advertising from applications” by Shekhar et al.; and “AdDroid: privilege separation for applications and advertisers in Android” by Pearce et al.

In Fall 2017, I presented a lecture on IoT Security, introducing all academic work and articles reported on the WWW from 2010 until 2017. I classified the papers into attack and defense papers. Next I discussed each paper with respect to five main problem areas in IoT, different solution approaches and a variety of security assessment properties.