In this practical course, students examine different aspects of smartphone security using the open-source Android OS as the example. The course raises students' awareness and understanding of security and privacy problems on smartphones, and teaches them how to extend Android with new security features that address current security and privacy issues.
The course is split into two parts:
- Lecture period (Monday 6 Oct – Friday 17 Oct): In this first part, the lab is offered as a full-day course (“Blockveranstaltung”) on 10 consecutive days. In the first week, students become familiar in supervised lab sessions with the Android OS internals, in particular its security architecture and how it can be extended. Every day starts with a short lecture on Android-specific design and security concepts, after which the students apply this knowledge in a supervised exercise. In the second week, the students develop and implement a selected small security extension to Android in supervised, group-based project work.
- Project period (Monday 20 Oct – Friday 14 Nov): In the second part of the course, students apply their new knowledge in independent, group-based project work by implementing a selected security extension or an ethical proof-of-concept attack. This work has to be documented in a short report and presented to the teaching staff and the other participants at the end of the course.
The project tasks specifically target the open-source Android OS and include the following areas:
- Design and implementation of selected software attacks (ethical hacking)
- Design and implementation of security extensions to the Android middleware and kernel (e.g., access control, end-user privacy protection, etc.)
- Android system programming in general
Exemplary project topics:
Official registration for the seminar takes place at the kick-off meeting. Students are encouraged to pre-register before this meeting by sending an e-mail to bugiel(aeht)cs.uni-saarland.de . Pre-registration is not binding, and students who have already contacted us regarding the course do not need to pre-register again (their contact counts as pre-registration). For final registration you have to show up at the kick-off meeting. Places are assigned in the order of pre-registration until all places are taken.
The tasks are solved in teams of 2 students, so please indicate in your e-mail who your partner is!
There are no formal requirements for participation. Students who want to participate in the course should
- have basic knowledge of OS concepts/architectures
- be familiar with programming in C/C++ and Java
Requirements for obtaining credit points (Scheinvergabe)
The programming tasks are solved in teams of 2 students. Each team has to choose one topic, either from the given list or proposed by the team itself, and work on it during the second half of the course. At the end of the course, a final report (PDF, 8-10 pages) as well as the source code of the project work has to be submitted. Moreover, a concluding lab session is held in which every team briefly presents its work and results.
The proposed project topics and the instructions for writing the final report and handing in your solution can be found in the following document: ProjectProposals .
All lecture sessions take place 9:30AM-4:30PM in E1.1 Room 2.06. For the independent project work, the students can use their own resources (laptop, workstation) or the machines provided in E1.1 Room 2.06.
List of references for the slides can be downloaded here .
| Date | 9:30AM – 12:00PM | 2:00PM – 4:30PM |
|---|---|---|
| 2014-10-06 | Organisational matters and motivation; Lecture: Application layer | Lecture: Secure Architecture Principles and Android Security Architecture |
| 2014-10-07 | Exercise 1: Basic application programming | Exercise 2: Android Permission System |
| 2014-10-08 | Lecture: Android Insecurity | Exercise 2: Android Permission System (continued) |
| 2014-10-09 | Lecture: Selected security extensions | Exercise 3: Extending the Android middleware |
| 2014-10-10 | Exercise 3: Extending the Android middleware (continued) | Optional slot for work on exercises |
| 2014-10-13 to 2014-10-17 | Supervised group project: Access control based domain isolation on Android (alternative project: Secure inter-app communication) | (full day) |