I have been teaching the Mobile Security Topics in CS463 and CS563 at the University of Illinois at Urbana-Champaign since 2014.

I usually lead two 75-minute lectures in the context of the “Computer Security II (CS463)” course at the University of Illinois at Urbana-Champaign. The goal of the lectures is to introduce students to security and privacy issues related with mobile devices and in particular smartphones. We draw a comparison between traditional computer security and how the attack surface transforms with the advent of mobile devices.

Topics covered in the first lecture include iOS security mechanisms and Android security models. In the second lecture we cover mobile advertising and risks on Android, side channel attacks on Android and defense mechanisms; bluetooth attacks on Android, attacks on external resources on Android, SELinux on Android. The lectures are commonly augmented with a machine problem to provide student with a hands on experience on the how adversaries can take advantage of mobile OS security limitations. In the past we have asked students to simulate a privacy attack by a malicious advertising library and perform a side-channel privacy attack from a userspace mobile application.

For this class I introduce state of the art papers in security and privacy in mobile advertising. Papers presented include but are not limited to the following: “Unsafe exposure analysis of mobile in-app advertisements” by Grace et. al; “AdSplit: separating smartphone advertising from applications” by Shekhar et. al; and “AdDroid: privilege separation for applications and advertisers in Android” by Pearce et. al.