The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations. Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.

1

LEVERAGING MULTIMODAL SENSING FOR ENHANCING THE SECURITY AND PRIVACY OF MOBILE SYSTEMS

Habiba Farrukh (13969653) 26 July 2023

Mobile systems, such as smartphones, wearables (e.g., smartwatches, AR/VR headsets), and IoT devices, have come a long way from being just a method of communication to sophisticated sensing devices that monitor and control several aspects of our lives. These devices have enabled several useful applications in a wide range of domains ranging from healthcare and finance to energy and agriculture industries. While such advancement has enabled applications in several aspects of human life, it has also made these devices an interesting target for adversaries.

In this dissertation, I specifically focus on how the various sensors on mobile devices can be exploited by adversaries to violate users’ privacy and present methods to use sensors to improve the security of these devices. My thesis posits that multi-modal sensing can be leveraged to enhance the security and privacy of mobile systems.

In this, first, I describe my work that demonstrates that human interaction with mobile devices and their accessories (e.g., stylus pencils) generates identifiable patterns in permissionless mobile sensors’ data, which reveal sensitive information about users. Specifically, I developed S3 to show how embedded magnets in stylus pencils impact the mobile magnetometer sensor and can be exploited to infer a user’s incredibly private handwriting. Then, I designed LocIn to infer a user’s indoor semantic location from 3D spatial data collected by mixed reality devices through LiDAR and depth sensors. These works highlight new privacy issues due to advanced sensors on emerging commodity devices.

Second, I present my work that characterizes the threats against smartphone authentication and IoT device pairing and proposes usable and secure methods to protect against these threats. I developed two systems, FaceRevelio and IoTCupid, to enable reliable and secure user and device authentication, respectively, to protect users’ private information (e.g., contacts, messages, credit card details) on commodity mobile and allow secure communication between IoT devices. These works enable usable authentication on diverse mobile and IoT devices and eliminate the dependency on sophisticated hardware for user-friendly authentication.

2

USER-CENTERED DATA ACCESS CONTROL TECHNIQUES FOR SECURE AND PRIVACY-AWARE MOBILE SYSTEMS

Reham Mohamed Sa Aburas (18857674) 25 June 2024

The pervasive integration of mobile devices in today’s modern world, e.g., smartphones, IoT, and mixed-reality devices, has transformed various domains, enhancing user experiences, yet raising concerns about data security and privacy. Despite the implementation of various measures, such as permissions, to protect user privacy-sensitive data, vulnerabilities persist. These vulnerabilities pose significant threats to user privacy, including the risk of side-channel attacks targeting low-permission sensors. Additionally, the introduction of new permissions, such as the App Tracking Transparency framework in iOS, seeks to enhance user transparency and control over data sharing practices. However, these framework designs are accompanied by ambiguous developer guidelines, rendering them susceptible to deceptive patterns. These patterns can influence user perceptions and decisions, undermining the intended purpose of these permissions. Moreover, the emergence of new mobile technologies, e.g., mixed-reality devices, presents novel challenges in ensuring secure data sharing among multiple users in collaborative environments, while preserving usability.

In this dissertation, I focus on developing user-centered methods for enhancing the security and privacy of mobile systems, navigating through the complexities of unsolicited data access strategies and exploring innovative approaches to secure device authentication and data sharing methodologies.

To achieve this, first, I introduce my work on the iStelan system, a three-stage side-channel attack. This method exploits the low-permission magnetometer sensor in smartphones to infer user sensitive touch data and application usage patterns. Through an extensive user study, I demonstrate the resilience of iStelan across different scenarios, surpassing the constraints and limitations of prior research efforts.

Second, I present my analysis and study on the App Tracking Transparency permission in iOS. Specifically, my work focuses on analyzing and detecting the dark patterns employed by app developers in the permission alerts to obtain user consent. I demonstrate my findings on the dark patterns observed in permission alerts on a large scale of apps collected from Apple’s store, using both static and dynamic analysis methods. Additionally, I discuss the application of a between-subject user study to evaluate users’ perceptions and understanding when exposed to different alert patterns.

Lastly, I introduce StareToPair, a group pairing system that leverages multi-modal sensing technologies in mixed-reality devices to enable secure data sharing in collaborative settings. StareToPair employs a sophisticated threat model capable of addressing various real-world scenarios, all while ensuring high levels of scalability and usability.

Through rigorous investigation, theoretical analysis and user studies, my research endeavors enhance the field of security and privacy for mobile systems. The insights gained from these studies offer valuable guidance for future developments in mobile systems, ultimately contributing to the design of user-centered secure and privacy-aware mobile ecosystems.

3

Analyzing Secure and Attested Communication in Mobile Devices

Muhammad Ibrahim (19761798) 01 October 2024

To assess the security of mobile devices, I begin by identifying the key entities involved in their operation: the user, the mobile device, and the service or device being accessed. Users rely on mobile devices to interact with services and perform essential tasks. These devices act as gateways, enabling communication between the user and the back-end services. For example, a user may access their bank account via a banking app on their mobile device, which communicates with the bank’s back-end server. In such scenarios, the server must authenticate the user to ensure only authorized individuals can access sensitive information. However, beyond user authentication, it is crucial for connected services and devices to verify the integrity of the mobile device itself. A compromised mobile device can have severe consequences for both the user and the services involved.

My research focuses on examining the methods used by various entities to attest and verify the integrity of mobile devices. I conduct a comprehensive analysis of mobile device attestation from multiple perspectives. Specifically, I investigate how attestation is carried out by back-end servers of mobile apps, IoT devices controlled by mobile companion apps, and large language models (LLMs) accessed via mobile apps.

In the first case, back-end servers of mobile apps must attest to the integrity of the device to protect against tampered apps and devices, which could lead to financial loss, data breaches, or intellectual property theft. For instance, a music streaming service must implement strong security measures to verify the device’s integrity before transmitting sensitive content to prevent data leakage or unauthorized access.

In the second case, IoT devices must ensure they are communicating with legitimate companion apps running on attested mobile devices. Failure to enforce proper attestation for IoT companion apps can expose these devices to malicious attacks. An attacker could inject malicious code into an IoT device, potentially causing physical damage to the device or its surroundings, or even seizing control of the device, leading to critical safety risks, property damage, or harm to human lives.

Finally, in the third case, malicious apps can exploit prompt injection attacks against LLMs, leading to data leaks or unauthorized access to APIs and services offered by the LLM. These scenarios underscore the importance of secure and attested communication between mobile devices and the services they interact with.
