
Publication


Featured research published by Alexios Mylonas.


Computers & Security | 2013

Delegate the smartphone user? Security awareness in smartphone platforms

Alexios Mylonas; Anastasia N. Kastania; Dimitris Gritzalis

Smartphone users increasingly download and install third-party applications from official application repositories. Attackers may use this centralized application delivery architecture as a security and privacy attack vector. This risk increases since application vetting mechanisms are often not in place and the user is delegated to authorize which functionality and protected resources are accessible by third-party applications. In this paper, we mount a survey to explore the security awareness of smartphone users who download applications from official application repositories (e.g. Google Play, Apple's App Store, etc.). The survey findings suggest a security complacency, as the majority of users trust the app repository, security controls are not enabled or not added, and users disregard security during application selection and installation. As a response to this security complacency we built a prediction model to identify users who trust the app repository. The model is assessed, evaluated and proved to be statistically significant and efficient.


trust and privacy in digital business | 2010

An insider threat prediction model

Miltiadis Kandias; Alexios Mylonas; Nikos Virvilis; Marianthi Theoharidou; Dimitris Gritzalis

Information systems face several security threats, some of which originate from insiders. This paper presents a novel, interdisciplinary insider threat prediction model. It combines approaches, techniques, and tools from computer science and psychology. It utilizes real time monitoring, capturing the user's technological trait in an information system and analyzing it for misbehavior. In parallel, the model is using data from psychometric tests, so as to assess for each user the predisposition to malicious acts and the stress level, which is an enabler for the user to overcome his moral inhibitions, under the condition that the collection of such data complies with the legal framework. The model combines the above mentioned information, categorizes users, and identifies those that require additional monitoring, as they can potentially be dangerous for the information system and the organization.


information security conference | 2012

A Risk Assessment Method for Smartphones

Marianthi Theoharidou; Alexios Mylonas; Dimitris Gritzalis

Smartphones are multi-purpose ubiquitous devices, which face both smartphone-specific and typical security threats. This paper describes a method for risk assessment that is tailored for smartphones. The method does not treat this kind of device as a single entity. Instead, it identifies smartphone assets and provides a detailed list of specific applicable threats. For threats that use application permissions as the attack vector, risk triplets are facilitated. The triplets associate assets to threats and permission combinations. Then, risk is assessed as a combination of asset impact and threat likelihood. The method utilizes user input, with respect to impact valuation, coupled with statistics for threat likelihood calculation. Finally, the paper provides a case study, which demonstrates the risk assessment method in the Android platform.


Computers & Security | 2013

Smartphone sensor data as digital evidence

Alexios Mylonas; Vasilis Meletiadis; Lilian Mitrou; Dimitris Gritzalis

The proliferation of smartphones introduces new opportunities in digital forensics. One of the reasons is that smartphones are usually equipped with sensors (e.g. accelerometer, proximity sensor, etc.), hardware which can be used to infer the user's context. This context may be useful in a digital investigation, as it can aid in the rejection or acceptance of an alibi, or even reveal a suspect's actions or activities. Nonetheless, sensor data are volatile, thus are not available in post-mortem analysis. Thus, the only way to timely acquire them, in case such a need arises during a digital investigation, is by software that collects them when they are generated by the suspect's actions. In this paper we examine the feasibility of ad-hoc data acquisition from smartphone sensors by implementing a device agent for their collection in Android, as well as a protocol for their transfer. Then, we discuss our experience regarding the data collection of smartphone sensors, as well as legal and ethical issues that arise from their collection. Finally, we describe scenarios regarding the agent's preparation and use in a digital investigation.


international conference on testing software and systems | 2013

Assessing Privacy Risks in Android: A User-Centric Approach

Alexios Mylonas; Marianthi Theoharidou; Dimitris Gritzalis

The increasing presence of privacy violating apps in app marketplaces poses a significant privacy risk for smartphone users. Current approaches assessing privacy risk lack user input, assuming that the value of each smartphone sub-asset (e.g. contact list, usage history) is perceived similarly across users. Thus, per user privacy risk assessment is not achievable. This paper refines our previous work on smartphone risk assessment by proposing an approach for assessing the privacy risk of Android users. Its cornerstone is impact valuation from users, as well as their usage profiles, which enables assessment of per user risk. Threat likelihood is assessed based on the presence of specific permission combinations, which we consider vulnerabilities that enable privacy threat scenarios. These permission combinations correspond to users’ app profiles, i.e. to the app categories of Google Play that each user regularly visits. Finally, the proposed method is demonstrated through a case study.


information security | 2012

Smartphone Forensics: A Proactive Investigation Scheme for Evidence Acquisition

Alexios Mylonas; Vasilis Meletiadis; Bill Tsoumas; Lilian Mitrou; Dimitris Gritzalis

Smartphones constantly interweave into everyday life, as they accompany individuals in different contexts. Smartphones include a combination of heterogeneous data sources, which can prove essential when combating crime. In this paper we examine potential evidence that may be collected from smartphones. We also examine the available connection channels for evidence transfer during a forensic investigation. We propose a Proactive Smartphone Investigation Scheme that focuses on ad hoc acquisition of smartphone evidence. We also take into consideration the legal implications of the proposed scheme, as it is essential that the scheme includes prevention mechanisms, so as to protect individuals from misuse by investigators or malicious entities.


Computers & Security | 2015

Security Busters

Nikos Virvilis; Alexios Mylonas; Nikolaos Tsalis; Dimitris Gritzalis

URL blacklists are used by the majority of modern web browsers as a means to protect users from rogue web sites, i.e. those serving malware and/or hosting phishing scams. There is a plethora of URL blacklists/reputation services, out of which Google's Safe Browsing and Microsoft's SmartScreen stand out as the two most commonly used ones. Frequently, such lists are the only safeguard web browsers implement against such threats. In this paper, we examine the level of protection that is offered by popular web browsers on iOS, Android and desktop (Windows) platforms, against a large set of phishing and malicious URLs. The results reveal that most browsers - especially those for mobile devices - offer limited protection against such threats. As a result, we propose and evaluate a countermeasure, which can be used to significantly improve the level of protection offered to the users, regardless of the web browser or platform they are using.


international conference on security and cryptography | 2014

Mobile devices: A phisher's paradise

Nikos Virvilis; Nikolaos Tsalis; Alexios Mylonas; Dimitris Gritzalis

Mobile devices - especially smartphones - have gained widespread adoption in recent years, due to the plethora of features they offer. The use of such devices for web browsing and accessing email services is also getting continuously more popular. The same holds true with other more sensitive online activities, such as online shopping, contactless payments, and web banking. However, the security mechanisms that are available on smartphones and protect their users from threats on the web are not yet mature, and their effectiveness is still questionable. As a result, smartphone users face increased risks when performing sensitive online activities with their devices, compared to desktop/laptop users. In this paper, we present an evaluation of the phishing protection mechanisms that are available with the popular web browsers of Android and iOS. Then, we compare the protection they offer against their desktop counterparts, revealing and analyzing the significant gap between the two.


international conference on e business | 2011

On the Feasibility of Malware Attacks in Smartphone Platforms

Alexios Mylonas; Stelios Dritsas; Bill Tsoumas; Dimitris Gritzalis

Smartphones are multipurpose devices that host multiple and heterogeneous data. Their user base is constantly increasing and as a result they have become an attractive target for conducting privacy and security attacks. The attacks’ impact increases when smartphone users tend to use their devices both for personal and business purposes. Moreover, application development in smartphone platforms has been simplified, in the platform developers’ effort to attract more developers and increase its popularity by offering more attractive applications. In this paper we provide a comparative evaluation of the security level of well-known smartphone platforms, regarding their protection against simple malicious applications. We then study the feasibility and easiness of smartphone malware development by average programmers via an implementation case study. Our study proved that, under certain circumstances, all examined platforms could be used by average developers as a privacy attack vector, harvesting data from the device without the user’s knowledge and consent.


trust and privacy in digital business | 2011

A Secure Smartphone Applications Roll-out Scheme

Alexios Mylonas; Bill Tsoumas; Stelios Dritsas; Dimitris Gritzalis

The adoption of smartphones, devices transforming from simple communication devices to smart and multipurpose devices, is constantly increasing. Amongst the main reasons for their vast pervasiveness are their small size, their enhanced functionality, as well as their ability to host many useful and attractive applications. Furthermore, recent studies estimate that application installation in smartphones acquired from official application repositories, such as the Apple Store, will continue to increase. In this context, the official application repositories might become attractive to attackers trying to distribute malware via these repositories. The paper examines the security inefficiencies related to application distribution via application repositories. Our contribution focuses on surveying the application management procedures enforced during application distribution in the popular smartphone platforms (i.e. Android, BlackBerry, Apple iOS, Symbian, Windows Phone), as well as on proposing a scheme for an application management system suited for secure application distribution via application repositories.

Collaboration

Top Co-Authors

Dimitris Gritzalis (Athens University of Economics and Business)

Nikolaos Tsalis (Athens University of Economics and Business)

Bill Tsoumas (Athens University of Economics and Business)

Marianthi Theoharidou (Athens University of Economics and Business)

Nikos Virvilis (Athens University of Economics and Business)

Stelios Dritsas (Athens University of Economics and Business)

Paul D. Yoo (Bournemouth University)

Lilian Mitrou (University of the Aegean)