Lecture Type
Full-day course (“Blockveranstaltung”)
Instructor
Prof. Dr. Michael Backes
Advisor
Sven Bugiel
Kick-off Meeting
Monday, 6th October from 9:30AM – 10:00AM, E1.1 Room 2.06
Lecture period
Monday, 6th October to Friday, 17th October, each day from 9:30AM – 4:30PM in E1.1 Room 2.06
Project period
Monday, 20th October to Friday, 14th November (independent work)
Language
English
Contact
bugiel(aeht)cs.uni-saarland.de
Latest News

  • 15.07.2014: The lab website is online

Description

In this practical course, the students deal with different aspects of smartphone security, using the open-source Android OS as the example system. In general, the course raises the students' awareness and understanding of security and privacy problems in the area of smartphones, and they learn how to extend Android with new security features to tackle current security and privacy issues.

The course is split into two parts:

  • Lecture period (Monday 6 Oct – Friday 17 Oct): In this first part, the lab is offered as a full-day course (“Blockveranstaltung”) on 10 consecutive days. In the first week, the students become familiar, in supervised lab sessions, with the Android OS internals, in particular with its security architecture and how it can be extended. Every day starts with a short lecture on Android-specific design and security concepts; afterwards the students apply this knowledge in a supervised exercise. In the second week, the students develop and implement a selected small security extension to Android in supervised group-based project work.
  • Project period (Monday 20 Oct – Friday 14 Nov): In the second part of this course, the students apply their new knowledge by implementing a selected security extension or ethical proof-of-concept attack in independent group-based project work. This work should be documented in a short report and also presented to the teaching staff and the other participants at the end of the course.

The project tasks specifically target the open-source Android OS and include the following areas:

  • Design and implementation of selected software attacks (ethical hacking)
  • Design and implementation of security extensions to the Android Middleware and Kernel (e.g., access control, end-user privacy protection, etc.)
  • Android system programming in general

Exemplary project topics:

  • Extending Android with Mandatory Access Control
  • Inlined Reference Monitoring to enforce fine-grained policies on non-rooted devices
  • Ethical hacking: Intelligent malware design and implementation
  • Security-enhanced install process
  • Usable integration of cryptographic services into communication services such as the system SMS app

Registration

The official registration for the seminar will take place at the kick-off meeting. The students are encouraged to pre-register before this initial meeting by sending an e-mail to bugiel(aeht)cs.uni-saarland.de. Pre-registration is not binding and is no longer necessary for students who have already contacted us regarding the course (this effectively counts as pre-registering). For your final registration you have to show up at the kick-off meeting. Places for the final registration will be assigned in the order of pre-registration until all places are taken.

The tasks are solved in teams of 2 students. Thus, please indicate in your mails who your partners are!

Please note that the number of participants is limited to 12!

Prerequisites

There are no formal requirements for participation. Students who want to participate in the course should

  • have basic knowledge of OS concepts/architectures
  • be familiar with programming in C/C++ and Java

Actual programming experience on Android or at OS level is not a prerequisite, but definitely an advantage.

Requirements for obtaining credit points (Scheinvergabe)

The programming tasks are solved in teams of 2 students. Each team has to choose one topic, either from a given list or by proposing their own topic, and work on this topic during the second half of the course. At the end of the course a final report (PDF, 8-10 pages) as well as the source code of the project work has to be submitted. Moreover, a concluding lab session is held in which every team has to briefly present its work and results.

Participation in the kick-off meeting and all the lecture sessions during the first half of the course is required for obtaining the credit points!

Project catalogue

The proposed project topics and instructions for writing the final report and handing in your solution can be found in the following document: ProjectProposals.

Lecture Sessions

All lecture sessions take place 9:30AM-4:30PM in E1.1 Room 2.06. For the independent project work, the students can use their own resources (laptop, workstation) or the machines provided in E1.1 Room 2.06.

The list of references for the slides can be downloaded here.

Date                      | 9:30AM – 12:00PM                                            | 2:00PM – 4:30PM
2014-10-06                | Lecture: Organisational matters and motivation; Lecture: Application layer; Lecture: Secure Architecture Principles and Android Security Architecture (full day)
2014-10-07                | Exercise 1: Basic application programming                   | Exercise 2: Android Permission System
2014-10-08                | Lecture: Android Insecurity                                 | Exercise 2: Android Permission System (continued)
2014-10-09                | Lecture: Selected security extensions                       | Exercise 3: Extending the Android middleware
2014-10-10                | Exercise 3: Extending the Android middleware (continued)    | Optional slot for work on exercises
2014-10-13 to 2014-10-17  | Supervised project: Access control based domain isolation on Android (full days; alternative project: Secure inter-app communication)