Near Field Communication (NFC) is a technology widely used for security-critical applications like access control or payment systems. Many of these systems rely on the security assumption that the card has to be in cl...
详细信息
ISBN:
(纸本)9781450336239
Near Field Communication (NFC) is a technology widely used for security-critical applications like access control or payment systems. Many of these systems rely on the security assumption that the card has to be in close proximity to communicate with the reader. We developed NFCGate, an Android application capable of relaying NFC communication between card and reader using two rooted but otherwise unmodified Android phones. This enables us to increase the distance between card and reader, eavesdrop on, and even modify the exchanged data. The application should work for any system built on top of ISO 14443-3 that is not hardened against relay attacks, and was successfully tested with a popular contactless card payment system and an electronic passport document.
Randomized Aggregatable privacy-Preserving Ordinal Response, or RAPPOR, is a technology for crowdsourcing statistics from end-user client software, anonymously, with strong privacy guarantees. In short, RAPPORs allow ...
详细信息
ISBN:
(纸本)9781450329576
Randomized Aggregatable privacy-Preserving Ordinal Response, or RAPPOR, is a technology for crowdsourcing statistics from end-user client software, anonymously, with strong privacy guarantees. In short, RAPPORs allow the forest of client data to be studied, without permitting the possibility of looking at individual trees. By applying randomized response in a novel manner, RAPPOR provides the mechanisms for such collection as well as for efficient, high-utility analysis of the collected data. In particular, RAPPOR permits statistics to be collected on the population of client-side strings with strong privacy guarantees for each client, and without linkability of their reports. This paper describes and motivates RAPPOR, details its differential-privacy and utility guarantees, discusses its practical deployment and properties in the face of different attack models, and, finally, gives results of its application to both synthetic and real-world data.
Research on effective and efficient mobile threat analysis becomes an emerging and important topic in cybersecurity research area. Static analysis and dynamic analysis constitute two of the most popular types of techn...
详细信息
ISBN:
(纸本)9781450336239
Research on effective and efficient mobile threat analysis becomes an emerging and important topic in cybersecurity research area. Static analysis and dynamic analysis constitute two of the most popular types of techniques for security analysis and evaluation; nevertheless, each of them has its strengths and weaknesses. To leverage the benefits of both approaches, we propose a hybrid approach that integrates the static and dynamic analysis for detecting security threats in mobile applications. The key of this approach is the unification of data states and software execution on critical test paths. The approach consists of two phases. In the first phase, a pilot static analysis is conducted to identify potential critical attack paths based on Android APIs and existing attack patterns. In the second phase, a dynamic analysis follows the identified critical paths to execute the program in a limited and focused manner. Attacks shall be detected by checking the conformance of the detected paths with existing attack patterns. The method will report the types of detected attack scenarios based on types of sensitive data that may be compromised, such as web browser cookie.
As privacy today is a major concern for mobile systems, network anonymizers are widely available on smartphones systems, such as Android. However, in many cases applications are still able to identify the user and the...
详细信息
ISBN:
(纸本)9781450329576
As privacy today is a major concern for mobile systems, network anonymizers are widely available on smartphones systems, such as Android. However, in many cases applications are still able to identify the user and the device by means different from the IP address. In this demo we show two solutions that address this problem by providing application-level anonymity. The first solution shadows sensitive data that can reveal the user identity. The second solutions dynamically revokes Android application permissions associated with sensitive information at run-time. In addition, both solutions offer protection from applications that identify their users through traces left in the application's data storage or by exchanging identifying data messages. We developed IdentiDroid, a customized Android operating system, to deploy these solutions, and built IdentiDroid Profile Manager, a profile-based configuration tool for setting different configurations for each installed Android application.
We present a non-probabilistic model for dynamic quantitative data flow tracking. Estimations of the amount of data stored in a particular representation at runtime - a file, a window, a network packet - enable the ad...
详细信息
ISBN:
(纸本)9781450322782
We present a non-probabilistic model for dynamic quantitative data flow tracking. Estimations of the amount of data stored in a particular representation at runtime - a file, a window, a network packet - enable the adoption of finegrained policies which authorize or prohibit partial leaks of data. We prove the correctness of the estimations, provide an implementation that we evaluate w.r.t. precision and performance, and analyze one instantiation at the OS level. Copyright is held by the owner/author(s).
暂无评论