Prof. William Enck (http://www.enck.org)
From 11.30 until 12.30
At CNB/F/110, ETH Zurich
Universitätstrasse 6, 8092 Zurich
Abstract:
Mobile platforms such as Android and iOS have become a primary form of computing for millions of users. These modern platforms are built around the notion of "apps," providing rich runtime environments that give application developers easy access to sensors (e.g., location, camera), user information (e.g., contacts, social networks), and device functionality (e.g., voice and SMS communication). Correspondingly, the security architectures of these platforms treat apps as first-class security principals, assigning each app its own set of privileges. As a result, to understand the security of mobile platforms, we must first understand the security of the apps.
Mobile app security has several dimensions. Since access control on mobile platforms is based on least privilege, a key challenge is determining what a given app can and should do. Program analysis can determine what an app can do; however, what an app should do is often ill-defined. Security researchers often define a blacklist of domain-specific rules (e.g., an app that records phone calls in the background) and raise alarms whenever those rules are matched. However, these rules lack the context of the user's expectations. For example, the user may want to use an app to record their phone calls.
This talk describes how text analytics provides a promising primitive to enhance mobile application security. A key observation is that natural language text often shapes the user's expectations of an app's functionality, and therefore can act as a proxy for those expectations. Natural language text appears in descriptions of apps in app stores, as well as within the user interfaces displayed at runtime. We discuss the challenges and limitations of using text analytics to aid security analysis of mobile applications, as well as two approaches, Whyper and UiRef, that do so. We conclude with observations on future directions and applications of text analytics to security problems.
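As an added illustration, not code from the talk, Whyper or UiRef, of the expectation check the abstract describes: a blacklist rule such as "records phone calls in the background" is raised only when the app's description gives the user no reason to expect the permissions that behaviour exercises. The permission cue table, the blacklist and the sample descriptions are constructed assumptions, a deliberately small stand-in for the semantic patterns a real text-analytics tool would derive.

```python
import re

# Constructed, hypothetical cue table: for each Android permission, words that
# would lead a user reading the description to expect that capability.
PERMISSION_CUES = {
    "android.permission.RECORD_AUDIO": ["record", "recording", "voice", "audio"],
    "android.permission.READ_CALL_LOG": ["call", "calls"],
    "android.permission.ACCESS_FINE_LOCATION": ["location", "gps", "nearby", "map"],
    "android.permission.READ_CONTACTS": ["contact", "contacts", "address book"],
    "android.permission.CAMERA": ["camera", "photo", "scan"],
}

# Constructed domain-specific blacklist in the style the abstract describes:
# a suspicious behaviour and the permissions it exercises.
BLACKLIST = {
    "records phone calls in the background": {
        "android.permission.RECORD_AUDIO", "android.permission.READ_CALL_LOG"},
}

def mentions(description, cue):
    # Whole-word match so that "call" does not fire on "recall" or "caller".
    return re.search(r"\b" + re.escape(cue) + r"\b", description.lower()) is not None

def unjustified_permissions(description, permissions):
    """Permissions that nothing in the description gives the user reason to expect."""
    return [p for p in permissions
            if not any(mentions(description, c) for c in PERMISSION_CUES.get(p, []))]

def contextual_alarms(description, permissions, behaviours):
    """Raise a blacklisted behaviour only when the description did not set the
    user's expectation for a permission it exercises; a description that
    promises call recording makes that behaviour what the user asked for."""
    unjustified = set(unjustified_permissions(description, permissions))
    return [b for b in behaviours if BLACKLIST.get(b, set()) & unjustified]

if __name__ == "__main__":
    perms = ["android.permission.RECORD_AUDIO", "android.permission.READ_CALL_LOG"]
    behaviour = ["records phone calls in the background"]
    # Constructed sample descriptions: one hides the behaviour, one announces it.
    flashlight = "A flashlight app. Turn your screen into a torch."
    recorder = "Record your phone calls automatically and save the audio."
    print(contextual_alarms(flashlight, perms, behaviour))  # alarm raised
    print(contextual_alarms(recorder, perms, behaviour))    # no alarm
```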