CPSC 601.93: Mobile Security and Privacy (Winter 2019)
General Information
Jan 28: paper review website is on-line
Instructor: Joel Reardon, ICT 642,
e-mail joel.reardon [at] ucalgary [dot] ca
Lectures: T 12:30--15:15 in EEEL 151
from 2019.01.15 to 2019.04.09
This course is a full-stack investigation of how to work with the Android Open
Source Project and its associated components to do security and privacy research on
mobile devices. The first four lectures combine theory and practice and each
focus on a different layer of the Android platform.
Lectures occur weekly, run 2.5 hours, and include a break in the
middle. The first four lectures will be presented by the instructor, who will
first give an hour-long research talk on some prior work on Android phones.
After the break, the class becomes more workshop-like: the instructor
will lead a tutorial session showing in more detail, and at a low level,
how to actually build the systems described in the research talk. In a
sense, this is a guided walk through the Android platform stack.
Students are encouraged to bring a laptop along to class to fully participate in
the workshop component.
The first lecture will cover basics of Android: adding logging, finding
components in the code, and flashing new operating systems to the phone.
The second lecture will go further and introduce fundamental components such as
content providers, intent broadcasting, and how managers and services interact.
The third lecture will introduce app decompiling, how to navigate
decompiled code, and how to run it in an instrumented environment.
The fourth lecture will look at the Linux kernel and instrumenting aspects of
it, such as the file system.
After the mid-term break, the course proceeds to the student-driven component.
Students will present a paper of their choosing (under some restrictions) as though it were their own
research, and then lead a discussion with the class. The presentations should be
30 to 40 minutes in duration, followed by a discussion of approximately 30 minutes.
There will be two such presentations each lecture. All students are expected to read
the paper before class and will submit a review of it. Students will also
anonymously review the presentation. One quarter of the grade
is the paper presentation; another quarter is semester-long participation in
discussion and reviews.
There will also be a course project, done in groups of two and worth half of
the grade. Students will
pick a topic related to the course's theme, for example, building an
instrumentation of the Android platform and using it to collect data. The
project will be delivered in two formats: (i) as a conference-style paper
describing the research, (ii) as a 20-minute presentation given in the final two
lectures. A non-graded project proposal will be due one month into the course to
ensure that students are on track, having a focus and topic for their research
project, and to give an initial template from which to expand out the final
- 25% participation
- 25% paper presentation
- 25% project paper
- 25% project presentation
Jan 15: introduction [slides]
Jan 15: Android permission system [slides]
Jan 22: Android system and platform [slides]
Jan 29: Apps and reverse engineering [slides]
Jan 29: Smali cheatsheet [slides]
Feb 5: Automated Analysis of Privacy Requirements for Mobile Apps
Feb 5: Context-Based Access Control Systems for Mobile Devices [slides]
Feb 12: Deep Specification Mining
Feb 12: Network and device forensic analysis of Android social-messaging applications
Feb 19: [no classes]
Feb 26: An Empirical Study of Cryptographic Misuse in Android Applications [slides]
Feb 26: Bug Fixes Improvements ... and Privacy Leaks
Mar 5: SPOKE: Scalable Knowledge Collection and Attack Surface Analysis of Access Control Policy for Security Enhanced Android
Mar 5: Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications
Mar 12: Android Rooting: An Arms Race between Evasion and Detection
Mar 12: Enter Sandbox: Android Sandbox Comparison
Mar 19: ReCon: Revealing and Controlling PII Leaks in Mobile Network Traffic
Mar 19: Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis
Mar 26: TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
Mar 26: ASM: A Programmable Interface for Extending Android Security
Apr 2: Should You Use the App for That? Comparing the Privacy Implications of Web- and App-based Online Services
Apr 9: project presentations
This list is provisional. Students may also suggest a paper, and not all of
these papers will be presented.
The course is open to graduate students in the computer science department.
Graduate students in any department at the University of Calgary are welcome to
attend with consent of the instructor, and will be expected to be able to read
and understand published research papers on the topic.
Undergraduate students at the University of Calgary are also welcome to attend
with consent of the instructor and the same expectations as graduate students.
These admissions will be space permitting with priority given first to graduate
students in the department of Computer Science and second to those with high