Lecture Type
Full-day course (“Blockveranstaltung”)
Dr.-Ing. Sven Bugiel
Lecture period
Monday, 5th September to Friday, 16th September, each day from 10:00 – 17:00 in E9.1 Rooms 0.06 (lecture) and 3.17 / 1.17 (exercises) with lunch break 12:00-13:30
Project period
Monday, 19th September to Friday, 30th September (independent work)
Wednesday, 5th October, 14:00-16:00 in E1.3 HS001

Latest News

  • 18.08.2016: Changed lecture room and time
  • 18.08.2016: Exam date and place announced
  • 19.04.2016: Increased number of places to 24
  • 18.04.2016: Increased number of places to 18
  • 05.04.2016: The lab website is online


In this practical course, the students deal with different aspects of smartphone security at the example of the open-source Android OS. In general, the awareness and understanding of the students for security and privacy problems in the area of smartphones is increased and they learn to tackle current security and privacy issues on smartphones from the perspectives of different actors in the smartphone ecosystem (e.g., end-users, app developers, market operators, etc.). The focus of this course is on the application-layer of Android and leaves the system-specific parts (i.e., middleware and kernel) for a separate lecture on system security.

The course is split into two parts:

  • Lecture period (Monday 05 Sep – Friday 16 Sep): In this first part, the lab is offered as a full-day course (“Blockveranstaltung”) on 10 consecutive days. Most days start with a lecture on Android-specific design and security concepts, problems identified for those concepts, and techniques (from research) to solve those problems and improve the end-users’ security and privacy. Afterwards, the students will apply this knowledge in supervised exercised to implement their own solutions (e.g., securing apps, implementing code-rewriting-based solutions, analysing apps) or to take on the role of an attacker and try to exploit known problems in Android’s security and ecosystem.
  • Project period (Monday 19 Sep – Friday 30 Sep): In the second part of this course, the students will apply their new knowledge by implementing in independent group-based project work a selected security solution and ethical proof-of-concept attack. This work should be documented in a short report and also presented to the teaching staff and other participants at the end of the course. Students are expected to work in this period with the same time and labor as during the lecture period!


The official registration for the seminar will occur at the kick-off meeting. The students are encouraged to pre-register before this initial meeting by sending an e-mail to bugiel(aeht)cs.uni-saarland.de . Pre-registration is not binding and is no longer necessary for the students who have already contacted us regarding the course (this effectively counts as pre-registering). For your final registration you have to show up in the kick-off meeting. Places for the final registration will be provided/repeated in the order of pre-registration until all places are taken.

The project tasks are solved in teams of 2 students. Thus, please indicate in your mail who your preferred project partner is!

Please note that because of the close individual supervision the number of participants is limited to 24!


There are no formal requirements for participation. Students who want to participate in the course should

  • have worked with a smartphone before (e.g., own an Android-based phone, iPhone, etc.)
  • be familiar with programming in Java (and C/C++)

Actual programming experience on Android or at OS-level is not a prerequisite, but definitively an advantage.

Background in security is also an advantage (e.g., prior participation in the Foundations of Cybersecurity lecture or Security core lecture), however, the necessary background on system design, access control, and network security will be provided in this lecture in order to better put Android’s design choices into context.

Requirements for obtaining credit points (Scheinvergabe)

The programming tasks are solved in teams of 2 students. At the end of the course a final report (PDF, 8-10 pages) as well as the source code of the project work has to be submitted. Morever, a concluding lab-session is held in which every team has to shortly present its work and results.

Participation in the kick-off meeting and all the lecture sessions during the first half of the course is required for obtaining the credit points!

Lecture and Exercise Sessions

All lecture sessions take place in E9.1 room 0.06 and exercises in rooms 1.17 and 3.17. For the independent project work, the students can use their own resources (laptop, workstation) or the machines provided in E9.1 Rooms 1.17 and 3.17.

Bibliography for the lecture references can be downloaded here .

Date Morning session (10-12) Afternoon session (13:30-17:00)
05-09-2016 Lecture 1: Motivation
Lecture 2: Android concepts
Exercise 1: Android Intro
06-09-2016 Lecture 3: Android Security Basics Exercise 2: Permission Enforcement
07-09-2016 Lecture 4: Network Security Exercise 3: TLS/SSL and WebViews
08-09-2016 Lecture 5: Android InSecurity Exercise 3: TLS/SSL and WebViews (cont.)
09-09-2016 Lecture 6: Advanced Android Security APIs Exercise 4: Selected Android Security APIs
12-09-2016 No lecture!
13-09-2016 No lecture!
14-09-2016 Lecture 7: App Analysis Exercise 5: App Analysis
15-09-2016 Exercise 5: App Analysis (cont.) Lecture 8: Application layer security extensions
16-09-2016 Exercise 6: Application layer security extensions Exercise 6: Application layer security extensions (cont.)
19-09-2016 Course project: Description , Chipper app , Chipper server