Lecture Type
Full-day course (“Blockveranstaltung”)
Prof. Dr. Michael Backes
Sven Bugiel
Kick-off Meeting
Monday, 6th October from 9:30AM – 10:00AM, E1.1 Room 2.06
Lecture period
Monday, 6th October to Friday, 17th October, each day from 9:30AM – 4:30PM in E1.1 Room 2.06
Project period
Monday, 20th October to Friday, 14th November (independent work)

Latest News

  • 15.07.2014: The lab website is online


In this practical course, the students deal with different aspects of smartphone security at the example of the open-source Android OS. In general, the awareness and understanding of the students for security and privacy problems in the area of smartphones is increased and they learn how to extend Android with new security features to tackle current security and privacy issues.

The course is split into two parts:

  • Lecture period (Monday 6 Oct – Friday 17 Oct): In this first part, the lab is offered as a full-day course (“Blockveranstaltung”) on 10 consecutive days. In the first week, the students become in supervised lab sessions familiar with the Android OS internals and in particular with its security architecture and how it can be extended. Every day starts with a short lecture on Android-specific design and security concepts and afterwards the students will apply this knowledge in a supervised exercise. In the second week, the students will develop and implement in supervised group-based project work a selected small security extension to Android.
  • Project period (Monday 20 Oct – Friday 14 Nov): In the second part of this course, the students will apply their new knowledge by implementing in independent group-based project work a selected security extension or ethical proof-of-concept attack. This work should be documented in a short report and also presented to the teaching staff and other participants at the end of the course.

The project tasks specifically target the open-source Android OS and include the following areas:

  • Design and implementation of selected software attacks (ethical hacking)
  • Design and implemenation of security extensions to the Android Middleware and Kernel (e.g., access control, end-user privacy protection, etc.)
  • Android system programming in general

Exemplary project topics:

  • Extending Android with Mandatory Access Control
  • Inlined Reference Monitoring to enforce fine-grained policies on non-rooted devices
  • Ethical hacking: Intelligent malware design and implementation
  • Security-enhanced install process
  • Usable integration of cryptographic services into communication services such as the system SMS app


The official registration for the seminar will occur at the kick-off meeting. The students are encouraged to pre-register before this initial meeting by sending an e-mail to bugiel(aeht)cs.uni-saarland.de . Pre-registration is not binding and is no longer necessary for the students who have already contacted us regarding the course (this effectively counts as pre-registering). For your final registration you have to show up in the kick-off meeting. Places for the final registration will be provided in the order of pre-registration until all places are taken.

The tasks are solved in teams of 2 students. Thus, please indicate in your mails who your partners are!

Please note that the number of participants is limited to 12!


There are no formal requirements for participation. Students who want to participate in the course should

  • have basic knowledge of OS concepts/architectures
  • be familiar with programming in C/C++ and Java

Actual programming experience on Android or at OS-level is not a prerequisite, but definitively an advantage.

Requirements for obtaining credit points (Scheinvergabe)

The programming tasks are solved in teams of 2 students. Each team has to choose one topic, either from a given list or propose their own topic, and work on this topic during the second half of the course. At the end of the course a final report (PDF, 8-10 pages) as well as the source code of the project work has to be submitted. Morever, a concluding lab-session is held in which every team has to shortly present its work and results.

Participation in the kick-off meeting and all the lecture sessions during the first half of the course is required for obtaining the credit points!

Project catalogue

The proposed project topics and instructions to writing the final report/handing in your solution can be found in the following document: ProjectProposals .

Lecture Sessions

All lecture sessions take place 9:30AM-4:30PM in E1.1 Room 2.06. For the independent project work, the students can use their own resources (laptop, workstation) or the machines provided in E1.1 Room 2.06.

List of references for the slides can be downloaded here .

Date 9:30AM – 12:00PM 2:00PM – 4:30PM
2014-10-06 Lecture: Organisational matters and motivation
Lecture: Application layer
Lecture: Secure Architecture Principles and Android Security Architecture
2014-10-07 Exercise 1: Basic application programming Exercise 2: Android Permission System
2014-10-08 Lecture: Android Insecurity Exercise 2: Android Permission System (continued)
2014-10-09 Lecture: Selected security extensions Exercise 3: Extending the Android middleware
2014-10-10 Exercise 3: Extending the Android middleware (continued) Optional slot for work on exercises
2014-10-13 to 2014-10-17 Supervised project: Access control based domain isolation on Android
Alternative project: Secure inter-app communication