In this practical course, students deal with different aspects of smartphone security, using the open-source Android OS as the example. The course raises students' awareness and understanding of security and privacy problems in the smartphone area, and they learn to tackle current security and privacy issues on smartphones from the perspectives of the different actors in the smartphone ecosystem (e.g., end-users, app developers, market operators). The course focuses on the application layer of Android and leaves the system-specific parts (i.e., middleware and kernel) to a separate lecture on system security.
The course is split into two parts:
- Lecture period (Monday 05 Sep – Friday 16 Sep): In this first part, the lab is offered as a full-day course (“Blockveranstaltung”) on 10 consecutive days. Most days start with a lecture on Android-specific design and security concepts, the problems identified for those concepts, and techniques (from research) to solve those problems and improve end-users’ security and privacy. Afterwards, the students apply this knowledge in supervised exercises to implement their own solutions (e.g., securing apps, implementing code-rewriting-based solutions, analysing apps) or to take on the role of an attacker and try to exploit known problems in Android’s security and ecosystem.
- Project period (Monday 19 Sep – Friday 30 Sep): In the second part of the course, the students apply their new knowledge in independent group-based project work, implementing a selected security solution and an ethical proof-of-concept attack. This work is documented in a short report and presented to the teaching staff and the other participants at the end of the course. Students are expected to put in the same time and effort during this period as during the lecture period!
The official registration for the course takes place at the kick-off meeting. Students are encouraged to pre-register before this meeting by sending an e-mail to bugiel(aeht)cs.uni-saarland.de . Pre-registration is not binding, and students who have already contacted us regarding the course do not need to pre-register again (their contact counts as a pre-registration). For the final registration you have to show up at the kick-off meeting. Places are assigned in the order of pre-registration until all places are taken.
The project tasks are solved in teams of 2 students. Thus, please indicate in your mail who your preferred project partner is!
There are no formal requirements for participation. Students who want to participate in the course should
- have worked with a smartphone before (e.g., own an Android-based phone, iPhone, etc.)
- be familiar with programming in Java (and C/C++)
Actual programming experience on Android or at the OS level is not a prerequisite, but definitely an advantage.
Requirements for obtaining credit points (Scheinvergabe)
The programming tasks are solved in teams of 2 students. At the end of the course, a final report (PDF, 8-10 pages) as well as the source code of the project work has to be submitted. Moreover, a concluding lab session is held in which every team briefly presents its work and results.
Lecture and Exercise Sessions
All lecture sessions take place in E9.1 room 0.06 and exercises in rooms 1.17 and 3.17. For the independent project work, the students can use their own resources (laptop, workstation) or the machines provided in E9.1 Rooms 1.17 and 3.17.
Bibliography for the lecture references can be downloaded here.
| Date | Morning session (10-12) | Afternoon session (13:30-17:00) |
|---|---|---|
| 05-09-2016 | Lecture 1: Motivation; Lecture 2: Android concepts | Exercise 1: Android Intro |
| 06-09-2016 | Lecture 3: Android Security Basics | Exercise 2: Permission Enforcement |
| 07-09-2016 | Lecture 4: Network Security | Exercise 3: TLS/SSL and WebViews |
| 08-09-2016 | Lecture 5: Android InSecurity | Exercise 3: TLS/SSL and WebViews (cont.) |
| 09-09-2016 | Lecture 6: Advanced Android Security APIs | Exercise 4: Selected Android Security APIs |
| 14-09-2016 | Lecture 7: App Analysis | Exercise 5: App Analysis |
| 15-09-2016 | Exercise 5: App Analysis (cont.) | Lecture 8: Application layer security extensions |
| 16-09-2016 | Exercise 6: Application layer security extensions | Exercise 6: Application layer security extensions (cont.) |
| 19-09-2016 | Course project: Description, Chipper app, Chipper server | |