Research Interest

Third-party applications have become an essential component of modern ecosystems such as Android and Facebook. These applications can be web-based, desktop-based, or mobile-device-based. The number of third-party applications has grown tremendously in recent years: for instance, the average number of applications installed on Facebook each day is 20 million, and the number of Android applications in the market is 1.8 million. Although these applications provide users with a better and more customized experience, they may also cause security and privacy risks. In most cases, third-party applications need to access restricted resources on these platforms, so platform providers have deployed access control mechanisms to control the privileges these applications can obtain. Nonetheless, malicious applications continue to find ways to gain privileged access to users' data and profiles. The success of these malicious attacks depends largely on the efficiency of the access control mechanisms and on users' awareness and comprehension. My research investigates the security and privacy risks of third-party applications by analyzing the access control mechanisms, finding possible vulnerabilities, implementing countermeasures, and studying users' awareness and comprehension of the vulnerabilities and the countermeasures.

Current Projects


OAuth in Smartphones

In the past, resource owners had to share their credentials with third-party applications in order to grant them access to their restricted resources. This approach has several problems and limitations: for example, third-party applications normally get broad access to the owner's data, users cannot revoke access for an individual app, and a compromise of any third-party application can leak the user's credentials. Newer standards for authentication and authorization, such as OAuth, resolve these problems. Open standard for Authorization (OAuth) is the industry-standard authorization method that allows end users to authorize third-party applications without sharing their credentials. The standard supports two client types: confidential (e.g. web applications) and public (e.g. mobile applications). The standard was originally created by a community of web developers as a solution to the common problem of enabling delegated access to protected resources. OAuth was later adopted in mobile apps for gaining access to users' resources on remote service providers. Implementing OAuth in mobile apps is challenging, and careful implementation is needed to avoid security and privacy risks. A careless implementation of OAuth in mobile apps can affect millions of users. Thus, hardening OAuth implementations on mobile phones will allow users to safely and confidentially benefit from the features and convenience offered by third-party applications.

Android Broadcast Receivers

Android provides finer-grained security features through a "permission" mechanism that puts limitations on the resources that each application can access. Upon installing a new Android application, a user is prompted to grant it a set of permissions. There are two typical assumptions made regarding permissions and mobile application security and privacy. The first is that malicious applications need to hold many permissions. The second is that mobile device users assume that installed applications do not access data if they are not in the foreground. In this project, we showed that malicious Android applications can still fulfill their objectives with minimum permissions and that they can access user data while in the background. This could happen with the help of another Android component, called a broadcast receiver [P1]. We studied the evaluation of Android broadcast actions. We demonstrated an attack scenario made possible by broadcast receivers. Moreover, we developed an app called Broadcasts Viewer to help users identify the broadcast receivers that are registered by the apps on their own Android devices.
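The kind of inventory described above can also be taken offline from a decoded manifest. The following is an added example, not the Broadcasts Viewer code or anything from the project; the sample manifest is constructed, `list_receivers` is a hypothetical helper, and the `android.` prefix test for platform broadcasts is a heuristic assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded (text) AndroidManifest.xml for a made-up app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SyncReceiver" android:exported="false"
              android:permission="com.example.flashlight.SYNC_PERM">
      <intent-filter>
        <action android:name="com.example.flashlight.SYNC"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def list_receivers(manifest_xml):
    """Return one dict per statically declared <receiver> in the manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    receivers = []
    for rec in root.iter("receiver"):
        name = rec.get(ANDROID + "name", "")
        if name.startswith("."):  # relative class name, resolve against package
            name = package + name
        actions = [a.get(ANDROID + "name") for a in rec.iter("action")]
        actions = [a for a in actions if a]
        exported = rec.get(ANDROID + "exported")
        receivers.append({
            "name": name,
            "actions": actions,
            # Heuristic (assumption): platform broadcasts use the "android." prefix.
            "system_actions": [a for a in actions if a.startswith("android.")],
            # Before Android 12 a receiver with an intent filter was exported
            # by default; an explicit attribute always wins.
            "exported": (exported == "true") if exported else bool(actions),
            "permission": rec.get(ANDROID + "permission"),
        })
    return receivers
```

Receivers registered at run time with `Context.registerReceiver` do not appear in the manifest, so this listing covers only the statically declared ones.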

Secure Search Engine for Android Apps

In this project, we propose to build a secure search engine for Android third-party applications to help users install the least intrusive applications. The suggested search engine matches the user query with the descriptions of the apps (unlike the current search engine, which matches it with the titles of the apps) to retrieve the most relevant apps, and then re-ranks them based on their security configurations. The advantage of this approach is that it does not count on users' awareness and attention, which have been shown to be very weak. Moreover, our approach is going to push application developers towards asking for the minimum permissions possible to guarantee high rankings for their apps. Reducing the number of permissions would definitely reduce the attack surface.
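A sketch of the two-stage ranking described above, as an added example rather than the project's implementation. The catalogue is constructed, and the IDF-weighted matching and the permission weights (3 per dangerous permission, 1 per other) are assumptions, since the page does not define its relevance or risk metrics.

```python
import math
import re

# Assumption: these weights are illustrative; the page defines no risk metric.
DANGEROUS = {"CAMERA", "READ_CONTACTS", "READ_SMS", "ACCESS_FINE_LOCATION"}

# Constructed catalogue: title, description, requested permissions.
APPS = [
    {"title": "BrightBeam",
     "description": "Simple flashlight torch using the camera LED",
     "permissions": ["CAMERA"]},
    {"title": "Super Flashlight Free",
     "description": "Flashlight torch with strobe themes",
     "permissions": ["CAMERA", "READ_CONTACTS", "ACCESS_FINE_LOCATION", "INTERNET"]},
    {"title": "Flashlight Wallpapers",
     "description": "HD wallpapers and backgrounds",
     "permissions": ["INTERNET"]},
    {"title": "NightLamp",
     "description": "Screen torch for reading at night",
     "permissions": []},
]


def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def risk(app):
    """Permission-based risk: 3 per dangerous permission, 1 per other one."""
    return sum(3 if p in DANGEROUS else 1 for p in app["permissions"])


def secure_search(query, apps, top_k=3):
    """Stage 1: IDF-weighted match on descriptions. Stage 2: re-rank by risk."""
    docs = [tokens(a["description"]) for a in apps]
    terms = sorted(tokens(query))
    idf = {t: math.log(1 + len(apps) / (1 + sum(t in d for d in docs)))
           for t in terms}
    scored = [(sum(idf[t] for t in terms if t in d), a)
              for d, a in zip(docs, apps)]
    relevant = sorted((s for s in scored if s[0] > 0),
                      key=lambda s: s[0], reverse=True)
    # Among the top_k relevant apps, least risky first; relevance breaks ties.
    reranked = sorted(relevant[:top_k], key=lambda s: (risk(s[1]), -s[0]))
    return [a["title"] for _, a in reranked]
```

For the query `"flashlight torch"`, "Flashlight Wallpapers" is never retrieved because only its title matches, and the app that requests no permissions is ranked ahead of the two that match both terms.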

Android Keyloggers
