Modern smartphone platforms implement permission-based models to protect access to sensitive data and system resources. However, apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels. Side channels present in the implementation of the permission system allow apps to access protected data without holding the permission, whereas covert channels enable communication between two colluding apps so that one app can share its permission-protected data with another app lacking those permissions. Both pose threats to user privacy.
This talk presents research that makes use of our infrastructure, which runs hundreds of thousands of apps in an instrumented environment. This testing environment includes mechanisms to monitor apps' runtime behaviour and network traffic. We look for evidence of side and covert channels being used in practice by searching the network traffic for sensitive data that the sending app did not have permission to access. We then reverse engineer the apps and third-party libraries responsible for this behaviour to determine how the unauthorized access occurred. We also measure how prevalent each technique is across other apps by using software fingerprinting methods.
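The traffic check described above can be sketched as follows. This is an added example, not code from the talk or the research infrastructure; the identifier values, host names, the set of encodings searched and the use of Android permission names are assumptions made for illustration.

```python
import base64
import hashlib

# Constructed identifiers seeded on the instrumented test device (not real values),
# each paired with the permission assumed to guard it.
DEVICE_DATA = {
    "imei": ("356938035643809", "READ_PHONE_STATE"),
    "wifi_mac": ("02:00:5e:10:00:01", "ACCESS_WIFI_STATE"),
    "location": ("51.0447,-114.0719", "ACCESS_FINE_LOCATION"),
}

def encodings(value):
    """Yield (name, bytes) forms in which a value may appear on the wire."""
    raw = value.encode()
    yield "plain", raw
    yield "hex", raw.hex().encode()
    yield "base64", base64.b64encode(raw)
    for algo in ("md5", "sha1", "sha256"):
        yield algo, hashlib.new(algo, raw).hexdigest().encode()

def find_unauthorized(granted, flows):
    """Return (host, data_type, encoding) for data sent without its permission."""
    findings = []
    for host, payload in flows:
        for dtype, (value, perm) in DEVICE_DATA.items():
            if perm in granted:
                continue  # access was authorized, so this is not a channel indicator
            for name, needle in encodings(value):
                if needle in payload:
                    findings.append((host, dtype, name))
    return findings

# Constructed capture for one app that holds only location and network permissions.
GRANTED = {"ACCESS_FINE_LOCATION", "INTERNET"}
IMEI_SHA256 = hashlib.sha256(b"356938035643809").hexdigest().encode()
SAMPLE_FLOWS = [
    ("ads.example.test", b'{"dev":"' + IMEI_SHA256 + b'","os":"10"}'),
    ("api.example.test", b"loc=51.0447,-114.0719"),
    ("sdk.example.test", b"m=" + base64.b64encode(b"02:00:5e:10:00:01")),
    ("cdn.example.test", b"GET /logo.png"),
]

if __name__ == "__main__":
    for hit in find_unauthorized(GRANTED, SAMPLE_FLOWS):
        print("unauthorized transmission:", hit)
```

Each finding marks only where to start reverse engineering: it shows that the data left the device, not how the app obtained it.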
Prof. Joel Reardon is an assistant professor at the University of Calgary. Prior to starting in Calgary, he did his Master's at the University of Waterloo, his doctoral degree at ETH Zurich, and a post-doctoral year at UC Berkeley and the International Computer Science Institute (ICSI). His research interests relate to security and privacy including issues for storage and compliance as well as systems to make it easier to use. He also loves mountains, bicycles, and writing poetry.
800 - 6 Ave. S.W.
Plus-15 Conference Room
There is $2 parking after 16:00 one block north-east of the meeting location, in the underground parkade at McDougall Centre.
Snacks at 17:30. Meeting begins at 18:00.
Attendance is free for CUUG members, or $10 (cash only) at the door for non-CUUG members.
See the main CUUG web page for general information about CUUG.