
Publication


Featured research published by Daniel R. Thomas.


security and privacy in smartphones and mobile devices | 2015

Security Metrics for the Android Ecosystem

Daniel R. Thomas; Alastair R. Beresford; Andrew C. Rice

The security of Android depends on the timely delivery of updates to fix critical vulnerabilities. In this paper we map the complex network of players in the Android ecosystem who must collaborate to provide updates, and determine that inaction by some manufacturers and network operators means many handsets are vulnerable to critical vulnerabilities. We define the FUM security metric to rank the performance of device manufacturers and network operators, based on their provision of updates and exposure to critical vulnerabilities. Using a corpus of 20 400 devices we show that there is significant variability in the timely delivery of security updates across different device manufacturers and network operators. This provides a comparison point for purchasers and regulators to determine which device manufacturers and network operators provide security updates and which do not. We find that on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities and, across the ecosystem as a whole, assign a FUM security score of 2.87 out of 10. In our data, Nexus devices do considerably better than average with a score of 5.17; and LG is the best manufacturer with a score of 3.97.


wireless network security | 2015

Device analyzer: a privacy-aware platform to support research on the Android ecosystem

Daniel T. Wagner; Daniel R. Thomas; Alastair R. Beresford; Andrew C. Rice

Device Analyzer is an Android app available from the Google Play store. It is designed to collect a large range of data from the handset and, with agreement from our contributors, share it with researchers around the world. Researchers can access the data collected, and can also use the platform to support their own user studies. In this paper we provide an overview of the privacy-enhancing techniques used in Device Analyzer, including transparency, consent, purpose, access, withdrawal, and accountability. We also demonstrate the utility of our platform by assessing the security of the Android ecosystem to privilege escalation attacks and determine that 88% of Android devices are, on average, vulnerable to one or more of these types of attacks.


international workshop on security | 2015

The Lifetime of Android API Vulnerabilities: Case Study on the JavaScript-to-Java Interface (Transcript of Discussion)

Daniel R. Thomas

Security protocols like TLS often have a two-sided upgrade problem: it takes a long time to upgrade, as both the client and the server must be upgraded.


international world wide web conferences | 2018

CrimeBB: Enabling Cybercrime Research on Underground Forums at Scale

Sergio Pastrana; Daniel R. Thomas; Alice Hutchings; Richard Clayton

Underground forums allow criminals to interact, exchange knowledge, and trade in products and services. They also provide a pathway into cybercrime, tempting the curious to join those already motivated to obtain easy money. Analysing these forums enables us to better understand the behaviours of offenders and pathways into crime. Prior research has been valuable, but limited by a reliance on datasets that are incomplete or outdated. More complete data, going back many years, allows for comprehensive research into the evolution of forums and their users. We describe CrimeBot, a crawler designed around the particular challenges of capturing data from underground forums. CrimeBot is used to update and maintain CrimeBB, a dataset of more than 48m posts made from 1m accounts in 4 different operational forums over a decade. This dataset presents a new opportunity for large-scale and longitudinal analysis using up-to-date information. We illustrate the potential by presenting a case study using CrimeBB, which analyses which activities lead new actors into engagement with cybercrime. CrimeBB is available to other academic researchers under a legal agreement, designed to prevent misuse and provide safeguards for ethical research.


internet measurement conference | 2017

Ethical issues in research using datasets of illicit origin

Daniel R. Thomas; Sergio Pastrana; Alice Hutchings; Richard Clayton; Alastair R. Beresford

We evaluate the use of data obtained by illicit means against a broad set of ethical and legal issues. Our analysis covers both the direct collection, and secondary uses of, data obtained via illicit means such as exploiting a vulnerability, or unauthorized disclosure. We extract ethical principles from existing advice and guidance and analyse how they have been applied within more than 20 recent peer reviewed papers that deal with illicitly obtained datasets. We find that existing advice and guidance does not address all of the problems that researchers have faced and explain how the papers tackle ethical issues inconsistently, and sometimes not at all. Our analysis reveals not only a lack of application of safeguards but also that legitimate ethical justifications for research are being overlooked. In many cases positive benefits, as well as potential harms, remain entirely unidentified. Few papers record explicit Research Ethics Board (REB) approval for the activity that is described and the justifications given for exemption suggest deficiencies in the REB process.


international workshop on security | 2014

Better Authentication: Password Revolution by Evolution

Daniel R. Thomas; Alastair R. Beresford

We explore the extent to which we can address three issues with passwords today: the weakness of user-chosen passwords, reuse of passwords across security domains, and the revocation of credentials. We do so while restricting ourselves to changing the password verification function on the server, introducing the use of existing key-servers, and providing users with a password management tool. Our aim is to improve the security and revocation of authentication actions with devices and end-points, while minimising changes which reduce ease of use and ease of deployment. We achieve this using one time tokens derived using public-key cryptography and propose two protocols for use with and without an online rendezvous point.


Archive | 2016

Incentivising software updates

Daniel R. Thomas; Alastair R. Beresford

Internet of Things devices will need software updates to fix the security vulnerabilities that are found after they are sold. Even when using development practices that make producing updates easy, there is still a cost to doing so. Hence, incentives to provide updates are required. This incentive can only be provided by monitoring the relative performance of different companies at supplying software updates to their customers.


international workshop on security | 2014

Better Authentication: Password Revolution by Evolution (Transcript of Discussion)

Daniel R. Thomas

The problem is that passwords are a rubbish way of authenticating, and there has been a lot of work trying to deal with this. One of the problems is that if you have a shared secret scheme then you need a different secret for every pair of things. For every user they need a different secret per thing they are authenticating to. If they have several devices then they need one set of these per device as well, so that if one of them is compromised then you don’t lose everything. However, revocation and key management are then difficult. The problem with passwords is that you still have to use them because lots of things require a password input, and it’s hard to change that.


international workshop on security | 2015

The Lifetime of Android API Vulnerabilities: Case Study on the JavaScript-to-Java Interface

Daniel R. Thomas; Alastair R. Beresford; Thomas Coudray; Tom Sutcliffe; Adrian Taylor


2017 APWG Symposium on Electronic Crime Research (eCrime) | 2017

1000 days of UDP amplification DDoS attacks

Daniel R. Thomas; Richard Clayton; Alastair R. Beresford
