Identifying and Mitigating Trust Violations in the Mobile Ecosystem

Antonio Bianchi, University of California, Santa Barbara
Host: Abhishek Jain

Mobile devices are now the most common way users handle digital information and interact with online services. The mobile ecosystem is composed of different actors that trust each other in different ways. Users interact with apps, trusting them with access to valuable and privacy-sensitive information. At the same time, apps usually communicate with remote backends and authenticate users to online services. Finally, all these interactions are mediated, on one side, by the user interface and, on the other, by the operating system.

In my research, I studied how all these actors trust each other, and how attackers can unfortunately violate this trust because of limitations in how mobile operating systems, apps, and user interfaces are currently designed and implemented. To support this work, I developed automated systems that perform large-scale analyses of mobile apps.

In this talk, I will describe both the tools I have developed and my findings. Specifically, I will first describe my work on how, on an Android system, it is possible to lure users into interacting with malicious apps that “look like” legitimate ones. This attack completely violates the trust relationship between users and apps that the user interface is supposed to mediate. Then, I will explain how many apps authenticate their users to remote backends unsafely, due to misplaced trust in the operating system. Finally, I will show how many apps misuse hardware-backed authentication mechanisms, such as trusted execution environments and fingerprint readers, leaving them vulnerable to a variety of authentication bypass attacks. I will conclude by presenting current open issues in the field and outlining future directions for my research.

Speaker Biography

Antonio Bianchi is a Ph.D. candidate at the University of California, Santa Barbara (UCSB). His main research interest is computer security, with a focus on mobile systems. During his Ph.D., he worked on discovering, studying, and fixing novel security issues in the ecosystem of mobile devices and applications. He has also explored other areas of computer security, such as binary program analysis and hardening, hardware-assisted authentication, and the security of the Internet of Things.