App-enabled ecosystems have taken over most of the ways we interact with devices and the internet. Users can now find and install apps on their smart devices (phones, watches, TVs, etc.), browsers (as extensions and webapps) or within other applications (suites, productivity tools, etc.). The huge popularity of these ecosystems, along with poor security and privacy practices, has led to a proliferation of malware and of apps that don’t handle the user’s information in a transparent and secure manner.
Research at the Information Security Group in this area has already covered ecosystems such as Android in detail. We have been involved in malware and app analysis for the Android ecosystem and are expanding to other app-based ecosystems such as those for IoT platforms and browser extensions. Initial results show that despite many efforts in these areas, apps with poor security and privacy practices are widespread and downloaded by users.
We are seeking students to expand our efforts to these new platforms and to how they interconnect. This project has three goals: characterisation, generalisation, and automation.
In the characterisation phase, we aim to study commonalities and divergences in different ecosystems and how they might impact their security and privacy, allowing apps to be compromised by malware. The characterisation phase is largely exploratory, using a combination of manual and automated analysis which is specific to the ecosystem.
In the generalisation phase, we propose an abstract model of an ecosystem and a core set of issues through which this abstract model could be breached. We show that our abstract model is flexible enough to cover a wide spectrum of ecosystems. Then, we show how a breach can occur in this abstract model through programming anti-patterns, unchecked I/O, misprogramming of APIs or permission misuse.
The final part of the PhD is about building the tooling to automatically analyse an arbitrary ecosystem for weaknesses. The first part of the tool translates ecosystems into variants of the abstract model developed in the generalisation phase. The second part of the tool checks the variants for potential weaknesses by running static checks for the core set of issues identified in the generalisation phase that may lead to a compromised system.
The deliverable for the project is a tool that is parametric in the software ecosystem, allowing unprecedented opportunities in understanding security issues and fortifying a wide spectrum of ecosystems.
Applicants should have a background in Computer Science or a related discipline with interests in security, privacy and static analysis techniques. Prospective applicants are welcome to discuss the project with Dr Jorge Blasco ([Email Address Removed]).