BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Improving the Impact of Smartphone Apps - Vincent Taylor\, Univers
 ity of Oxford
DTSTART:20170523T130000Z
DTEND:20170523T140000Z
UID:TALK72437@talks.cam.ac.uk
CONTACT:Laurent Simon
DESCRIPTION:*Abstract:*\n\nSmartphones continue their explosive growth to 
 ubiquity\, and as their popularity increases\, so does the attention they 
 attract from adversaries. Adversaries need not be the typical attacker on 
 the network. App developers\, malicious or not\, and third-party library d
 evelopers also contribute to security concerns.\n\nSeveral classes of Andr
 oid vulnerabilities have been highlighted in the literature but it remains
  unclear whether Android app developers heed warnings and write secure app
 s. Additionally\, it is not known how permission usage or the vulnerabilit
 ies contained within apps change as apps get updated. We statically analys
 e a corpus of 30\,000 apps for which we have app versions two years apart\
 , to understand how vulnerabilities in apps and the permissions apps use h
 ave changed over the period. Worryingly\, we show that many popular apps c
 ontain vulnerabilities\, and that in many cases\, app updates only serve t
 o increase the number of vulnerabilities contained within apps. Apps are a
 lso seen to get more permission hungry over time.\n\nThese observations mo
 tivate the question of whether users can feasibly replace undesirable apps
 \, since app stores contain many groups of functionally-similar apps. As a
  case study\, we focus on replacing general-purpose apps that are permissi
 on-hungry. We study 50\,000 Google Play Store search results for 2500 gene
 ral-purpose searches each yielding 20 functionally-similar apps. We descri
 be a framework\, called SecuRank\, which exploits contextual permission us
 age analysis to identify and penalise over-privileged apps. We show that S
 ecuRank can be used to recommend safer alternative apps to users. Moreover
 \, we show that run-time permissions do not necessarily solve the problem 
 of permission-hungry apps.\n\nMany users do not realise that one or more o
 f the apps they use leave them at risk. We describe a system that can be u
 sed to identify apps from only their (encrypted) network traffic. This sys
 tem can be used to transparently and non-invasively identify apps that are
  potentially undesirable so that their users can be notified. We test our 
 system using a sample of 110 apps and show that apps can be accurately fin
 gerprinted and later re-identified by their network traffic.\n\n\n*Bio:*\n
 \nVincent read for his bachelor's and master's degrees at the University o
 f the West Indies\, Mona. As an undergraduate\, he did a double-major in C
 omputer Science and Electronics and focused on network security during his
  master's degree. He is now reading for his D.Phil. in Cyber Security at t
 he University of Oxford. Vincent is interested in smartphone privacy/secur
 ity\, networking and network security at Layer 2/3 of the OSI model. He ho
 lds Cisco CCENT/CCNA/CCNP certifications in Routing and Switching. He has 
 experience in web server administration and web application penetration te
 sting. Vincent enjoys communicating via amateur radio and builds and maint
 ains websites for non-profit organizations pro bono in his spare time.
LOCATION:LT2\, Computer Laboratory\, William Gates Building
END:VEVENT
END:VCALENDAR