Award Abstract # 1618493
TWC: Small: Safeguarding Mobile Cloud Services: New Challenges and Solutions

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: TRUSTEES OF INDIANA UNIVERSITY
Initial Amendment Date: June 3, 2016
Latest Amendment Date: June 3, 2016
Award Number: 1618493
Award Instrument: Standard Grant
Program Manager: Jeremy Epstein
CNS: Division of Computer and Network Systems
CSE: Directorate for Computer and Information Science and Engineering
Start Date: September 1, 2016
End Date: August 31, 2021 (Estimated)
Total Intended Award Amount: $499,968.00
Total Awarded Amount to Date: $499,968.00
Funds Obligated to Date: FY 2016 = $499,968.00
History of Investigator:
  • XiaoFeng Wang (Principal Investigator)
    xw7@indiana.edu
Recipient Sponsored Research Office: Indiana University
107 S INDIANA AVE
BLOOMINGTON
IN  US  47405-7000
(317)278-3473
Sponsor Congressional District: 09
Primary Place of Performance: Indiana University
150 South Woodlawn Avenue
Bloomington
IN  US  47405-7104
Primary Place of Performance Congressional District: 09
Unique Entity Identifier (UEI): YH86RTW2YVJ4
Parent UEI:
NSF Program(s): Secure & Trustworthy Cyberspace
Primary Program Source: 01001617DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 7434, 7923
Program Element Code(s): 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Mobile cloud technologies have begun to rely heavily on services known as Mobile Back-end as a Service (MBaaS), including push messaging, data synchronization, and mobile identity management. Many of today's popular apps have already integrated push messaging services such as Google Cloud Messaging (GCM), Amazon Device Messaging (ADM), and third parties like Baidu, to enable the apps to receive notifications such as private messages, financial secrets or family members' locations. Prior research has demonstrated significant security weaknesses inside such services, endangering the information assets of billions of mobile users. By exploiting flaws in services like GCM and ADM, and their integration within popular apps such as Facebook, Google+, Skype, PayPal etc., an attacker could steal a mobile user's sensitive messages, install or uninstall apps on her device, remotely lock out the user or even wipe out her data. This project is studying security risks in such services in order to significantly improve the security assurance of the new MBaaS computing paradigm. The team is collaborating with industry to facilitate the transfer of research outcomes to practical protections.


To identify the security properties needed in individual components of mobile cloud technologies, the researchers are modeling different MBaaS services. The models enable the development of novel static and dynamic security analysis techniques, tailored to the unique features of different service types. These techniques will allow mobile cloud service providers to automatically verify security properties on both the cloud and device fronts, find problems within their systems, and improve the security quality of their services. The researchers are also developing new techniques to enable app vendors, users, and app stores to automatically detect threats to mobile clouds and protect their communication against attempts to exploit those services' weaknesses. The research covers push messaging for Android, Apple, and mobile browsers, as well as other MBaaS services (e.g., identity management, data synchronization, and the platforms integrating them).

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

Haoran Lu, Luyi Xing, Yue Xiao, Yifan Zhang, Xiaojing Liao, XiaoFeng Wang, and Xueqiang Wang. "Demystifying Resource Management Risks in Emerging Mobile App-in-App Ecosystems." The 27th ACM Conference on Computer and Communications Security, 2020.
K. Chen, T. Li, B. Ma, P. Wang, X. Wang, and P. Zong. "Filtering for Malice Through the Data Ocean: Large-Scale PHA Install Detection at the Communication Service Provider Level." The 20th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2017.
X. Mi, S. Tang, Z. Li, X. Liao, F. Qian, and X. Wang. "Your Phone is My Proxy: Detecting and Understanding Mobile Proxy Networks." Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS), 2021.
N. Zhang, X. Mi, X. Feng, X. Wang, Y. Tian, and F. Qian. "Dangerous Skills: Understanding and Mitigating Security Risks of Voice-Controlled Third-Party Functions on Virtual Personal Assistant Systems." The 40th IEEE Symposium on Security and Privacy (IEEE S&P), 2019.
S. Demetriou, N. Zhang, Y. Lee, X. Wang, C. Gunter, X. Zhou, and M. Grace. "HanGuard: SDN-driven protection of WiFi smart-home devices from malicious mobile apps." The 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2017.
T. Li, X. Wang, M. Zha, K. Chen, X. Wang, L. Xing, X. Bai, N. Zhang, and X. Han. "Unleashing the Walking Dead: Understanding Cross-App Remote Infections on Mobile WebViews." The 24th ACM Conference on Computer and Communications Security (CCS), 2017.
X. Mi, X. Feng, X. Liao, B. Liu, X. Wang, F. Qian, Z. Li, S. Alrwais, L. Sun, and Y. Liu. "Residential Evil: Understanding Residential IP Proxy as a Dark Service." The 40th IEEE Symposium on Security and Privacy (IEEE S&P), 2019.
X. Wang, Y. Sun, S. Nanda, and X. Wang. "Looking from the Mirror: Evaluating IoT Device Security through Mobile Companion Apps." Proceedings of the 28th USENIX Security Symposium (Security), 2019.
Y. Nan, Z. Yang, X. Wang, Y. Zhang, D. Zhu, and M. Yang. "Finding Clues for Your Secrets: Semantics-Driven, Learning-Based Privacy Discovery in Mobile Apps." The 25th Annual Network and Distributed System Security Symposium (NDSS), 2018.
Y. Tian, N. Zhang, Y. Lin, X. Wang, B. Ur, X. Guo, and P. Tague. "SmartAuth: User-Centered Authorization for the Internet of Things." USENIX Security Symposium, 2017.

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

The project aims at understanding the security and privacy risks in various mobile cloud environments (e.g., mobile IoT services), including those introduced by mobile applications, their cloud-side backend services and their interactions. The research further contributed to the development of innovative technologies to help app developers and mobile cloud service providers detect and mitigate such risks, and protect various mobile systems (including mobile control of IoT systems) against potential attacks and abuse.

Intellectual Merit. In the project, we systematically analyzed the security weaknesses of today's mobile cloud systems from the aspects of protection on the mobile client side, the mobile backend in the cloud, and their interactions. More specifically, on the mobile client, we found that cross-app URL invocations on mobile systems can be exploited for a large-scale infection of mobile devices from the cloud end. The new attacks, dubbed Cross-App WebView Infection (XAWI), enable a series of multi-app, colluding attacks never thought of before, with significant real-world impacts (on popular systems like Facebook, Twitter, Amazon, etc.). Also discovered in our research are the significant security risks in emerging app-in-app systems, which run native app-like software modules, called sub-apps, in popular mobile applications (e.g., WeChat, Alipay, Baidu, TikTok, and Chrome) supported by their cloud back-ends to enrich the host app's functionalities and to form an "all-in-one app" ecosystem. Our results brought to light the prevalence of security flaws in these systems, jeopardizing the security guarantees of mobile cloud systems. On the cloud backend, we studied emerging mobile-cloud platforms for supporting IoT devices, such as Samsung's SmartThings and Amazon's and Google's Virtual Personal Assistants (VPAs) like Alexa and Assistant. In particular, we discovered the pervasiveness of over-privilege problems in SmartApps running on the cloud side, and also the significant risks caused by the lack of authentication in the voice channel for interacting with VPA services on the mobile cloud. These weaknesses can potentially lead to yielding device controls to malicious code running in the mobile cloud. The findings have been reported by Forbes and other public media.
When it comes to the interactions between the mobile client and the mobile cloud backend, we investigated the communication between an IoT device's companion app and the device through the mobile cloud, which helped identify the vulnerable components inside 324 devices from 73 vendors; we also brought to light that the cloud credentials carried by many mobile apps are actually over-privileged, allowing an unauthorized party to utilize them to cause significant information leaks and other damage to the mobile cloud provider's information assets. Our studies have helped hundreds of app vendors fix their security issues and enhance the protection of mobile cloud systems. Another issue we looked into is the abuse of mobile cloud systems for illicit activities, including contamination of the data stored in the cloud backend for illicit promotion and the use of mobile devices to serve as unauthorized proxies.

Based upon the security analysis of popular mobile cloud systems, we further developed innovative technologies to mitigate the security risks those systems are exposed to. We proposed OS-level protection to defend against the threat of XAWI and a set of strategies to help avoid faulty designs of app-in-app systems. For the protection of the mobile cloud backend, we built a suite of new techniques, including SmartAuth, which collects information from SmartApps to help users determine access policies on the backend and enhances the protection on the mobile cloud to enforce such policies, and tools that can help VPA providers detect and vet third-party code running on their platforms. In addition to new detection platforms that automate the analysis of mobile apps for finding vulnerable IoT components and capturing over-privileged cloud credentials, we also designed and implemented wireless-router-based protection that enables the user to set, through her smartphone, security policies to be enforced by the router for protecting the mobile cloud's interactions with IoT devices.

Broader Impacts. The outcomes of this project have been widely disseminated through our presentations at leading security venues and numerous invited visits around the world. Also, the project involved HBCU students through summer internships, during which they received research training on mobile-cloud security.

Last Modified: 12/28/2021
Modified by: Xiaofeng Wang