Morning Keynote Speech by Dr. XiaoFeng Wang
Destructive Research on Mobile Security: Rethinking Security by Construction
Mobile operating systems are designed with security in mind. For example, Android adds a new layer of protection on top of Linux, consisting of an application sandbox and permission-based access control. Many implementation flaws have been discovered, usability issues raised and malware concerns studied on these mobile systems, but it is still less clear whether the security design itself is sound. In this talk, I report our recent studies on this issue, particularly our findings of surprising security weaknesses in Android and iOS, including their limited protection of phone users’ web resources, the privacy implications of Android public resources and inadequate access control on Android external devices. Specifically, our research shows that Android and iOS apps can be triggered by malicious URLs from the web to act on the adversary’s behalf; that a phone user’s identity, location and health/financial information can be inferred by malicious apps without any permissions; and that her health data collected by Bluetooth medical sensors can be stolen or even tampered with by unauthorized apps running on her phone. All of these problems are caused primarily by design limitations, particularly the widening gap between what the security mechanisms of mobile devices are designed to protect and how those devices are actually used in practice. We further discuss the limitations of the “security-by-construction” approach for an open system and the new directions that need to be explored to build a more secure system.
Dr. XiaoFeng Wang is a professor in the School of Informatics and Computing at Indiana University, Bloomington. He received his Ph.D. in Electrical and Computer Engineering from Carnegie Mellon University in 2004 and has since been a faculty member at IU. Dr. Wang is a well-recognized researcher in system and network security. His work focuses on cloud and mobile security and on data privacy. He is a recipient of the 2011 Award for Outstanding Research in Privacy Enhancing Technologies (the PET Award) and the Best Practical Paper Award at the 32nd IEEE Symposium on Security and Privacy. His work frequently receives attention from the media, including CNN, MSNBC, Slashdot, CNet and PC World. Examples include his discovery of security-critical vulnerabilities in payment API integrations (http://money.cnn.com/2011/04/13/technology/ecommerce_security_flaw/) and his recent study of security flaws on the Apple platform (http://money.cnn.com/2015/06/18/technology/apple-keychain-passwords/). His research is supported by the NIH, the NSF, the Department of Homeland Security, the Air Force and Microsoft Research. He is the director of IU’s Center for Security Informatics.
Afternoon Keynote Speech by David Strom
The Great Debate: Security vs. Privacy
We are living in an era where we run up against trade-offs between privacy and security, in which protecting one can create greater risks for the other. Should Apple unlock criminals’ iPhones? Was Snowden a traitor or a patriot? What information should our children divulge on social media? Should our browsing preferences be available to the world? This talk by security expert David Strom, a nationally published author and speaker, will address these and other issues at the forefront of the fight between security and privacy.
Featured presenter: David Strom, internationally known expert on networking and communications technologies.