• Professor Simone Aonzo

    EURECOM, France

    Talk title: Trust, But Verify: A Longitudinal Analysis Of Android OEM Compliance and Customization

    Abstract: Nowadays, more than two billion mobile devices run Android OS. At the core of this success are the open source nature of the Android Open Source Project and vendors’ ability to customize the code base and ship it on their own devices. While the possibility of customizations is beneficial to vendors, they can potentially lead to compatibility and security problems. To prevent these problems, Google developed a set of requirements that must be satisfied for a vendor to brand its devices as "Android" and recently introduced Project Treble as an effort to partition vendor customizations. These requirements are encoded as part of a textual document (called Compatibility Definition Document, or CDD) and various automated tests. In this talk I present our longitudinal study on Android OEM customizations over a dataset of 2,907 ROMs, spanning across 42 different vendors, and covering Android versions from 1.6 to 9.0 (years 2009–2020). Some of our findings suggest that vendors often go out of their way to bypass or “comment out” safety nets added by the Android security team. In other cases, we found ROMs that modify init scripts to launch at boot outdated versions (with known CVEs and public POCs) of programs as root and reachable from a remote attacker (e.g., tcpdump).

    Bio: Simone Aonzo is an assistant professor at EURECOM (France) in the Software and System Security Group. He received his Ph.D. degree in Computer Science and Systems Engineering from the University of Genoa (Italy) in 2020 with the thesis “Novel Attacks and Defenses in the Userland of Android.” His research interests are system security and privacy. In particular, the areas of malware analysis (on Windows and Android operating systems), reverse engineering, and mobile security.

  • Professor Antonio Bianchi

    Purdue University, Indiana, USA

    Talk title: From the analysis of mobile apps to the analysis of the mobile ecosystem.

    Abstract: Mobile devices have become the cornerstone of our digital life. In modern usage scenarios, a single device and the apps running on it typically control a significant number of other devices (e.g., IoT devices), hardware components (e.g., sensors, Trusted Execution Environments, ...), communication interfaces (e.g., Bluetooth, WiFi, ...), and cloud endpoints. Consequently, mobile security research has shifted from the analysis of the code of single apps to the analysis of the entire ecosystem running around them. In this talk, I will present recent research we have conducted in this area, showcasing how automated analysis of mobile apps can be used as a starting point for studying and securing other devices in the mobile ecosystem. Specifically, I will discuss how, starting from the analysis of the mobile apps, we were able to find vulnerabilities in IoT devices, debloat Bluetooth stack implementations, and identify issues in authentication protocols used by remote backend servers. Additionally, I will highlight currently open research challenges and potential future directions.

    Bio: Antonio Bianchi is an Assistant Professor at Purdue University. His research interest covers the fields of software and system security. Specifically, his current research areas are: emerging security threats in mobile platforms, automatic vulnerability detection in mobile apps, program analysis, binary analysis, reverse engineering, binary hardening, binary patching, and security of embedded and IoT devices. His research focuses on designing and developing novel automated approaches and tools to identify vulnerabilities in existing software, fix them, and prevent them.