Visible to the public Biblio

Filters: First Letter Of Last Name is W  [Clear All Filters]
A B C D E F G H I J K L M N O P Q R S T U V [W] X Y Z   [Show ALL]
W
Waqar Ahmad, Joshua Sunshine, Christian Kästner, Adam Wynne.  2015.  Enforcing Fine-Grained Security and Privacy Policies in an Ecosystem within an Ecosystem. Systems, Programming, Languages and Applications: Software for Humanity (SPLASH).

Smart home automation and IoT promise to bring many advantages but they also expose their users to certain security and privacy vulnerabilities. For example, leaking the information about the absence of a person from home or the medicine somebody is taking may have serious security and privacy consequences for home users and potential legal implications for providers of home automation and IoT platforms. We envision that a new ecosystem within an existing smartphone ecosystem will be a suitable platform for distribution of apps for smart home and IoT devices. Android is increasingly becoming a popular platform for smart home and IoT devices and applications. Built-in security mechanisms in ecosystems such as Android have limitations that can be exploited by malicious apps to leak users' sensitive data to unintended recipients. For instance, Android enforces that an app requires the Internet permission in order to access a web server but it does not control which servers the app talks to or what data it shares with other apps. Therefore, sub-ecosystems that enforce additional fine-grained custom policies on top of existing policies of the smartphone ecosystems are necessary for smart home or IoT platforms. To this end, we have built a tool that enforces additional policies on inter-app interactions and permissions of Android apps. We have done preliminary testing of our tool on three proprietary apps developed by a future provider of a home automation platform. Our initial evaluation demonstrates that it is possible to develop mechanisms that allow definition and enforcement of custom security policies appropriate for ecosystems of the like smart home automation and IoT.

Waqar Ahmad, Christian Kästner, Joshua Sunshine, Jonathan Aldrich.  2016.  Inter-app Communication in Android: Developer Challenges. 2016 IEEE/ACM 13th Working Conference on Mining Software Repositories. :177-188.

The Android platform is designed to support mutually untrusted third-party apps, which run as isolated processes but may interact via platform-controlled mechanisms, called Intents. Interactions among third-party apps are intended and can contribute to a rich user experience, for example, the ability to share pictures from one app with another. The Android platform presents an interesting point in a design space of module systems that is biased toward isolation, extensibility, and untrusted contributions. The Intent mechanism essentially provides message channels among modules, in which the set of message types is extensible. However, the module system has design limitations including the lack of consistent mechanisms to document message types, very limited checking that a message conforms to its specifications, the inability to explicitly declare dependencies on other modules, and the lack of checks for backward compatibility as message types evolve over time. In order to understand the degree to which these design limitations result in real issues, we studied a broad corpus of apps and cross-validated our results against app documentation and Android support forums. Our findings suggest that design limitations do indeed cause development problems. Based on our results, we outline further research questions and propose possible mitigation strategies.

Welk, A., Zielinska, O., Tembe, R., Xe, G., Hong, K. W., Murphy-Hill, E., Mayhorn, C. B..  In Press.  Will the “Phisher-men” Reel you in? Assessing Individual Differences in a Phishing Detection Task International Journal of Cyber Behavior, Psychology, and Learning. .

Phishing is an act of technology-based deception that targets individuals to obtain information. To minimize the number of phishing attacks, factors that influence the ability to identify phishing attempts must be examined. The present study aimed to determine how individual differences relate to performance on a phishing task. Undergraduate students completed a questionnaire designed to assess impulsivity, trust, personality characteristics, and Internet/security habits. Participants performed an email task where they had to discriminate between legitimate emails and phishing attempts. Researchers assessed performance in terms of correctly identifying all email types (overall accuracy) as well as accuracy in identifying phishing emails (phishing accuracy). Results indicated that overall and phishing accuracy each possessed unique trust, personality, and impulsivity predictors, but shared one significant behavioral predictor. These results present distinct predictors of phishing susceptibility that should be incorporated in the development of anti-phishing technology and training.

West, Andrew, Aviv, Adam.  2014.  Measuring Privacy Disclosures in URL Query Strings. IEEE Internet Computing. 18(6)
West, Andrew G, Aviv, Adam J.  2014.  On the Privacy Concerns of URL Query Strings. W2SP'14: Proceedings of the 8th Workshop on Web 2.0 Security and Privacy .