The has had three papers accepted by the , a prestigious security conference that will take place this November in Scottsdale, Ariz. It is a notable achievement to have three research papers accepted from the same institution at such a well-regarded cybersecurity conference. Students and faculty will travel to the conference and present their work to an audience of computing professionals and researchers.
In their paper, “,” Professors and address the security concerns that arise as smartphone applications begin to rely more and more on HTML5. Unfortunately, the web technology used by HTML5-based mobile apps has a dangerous feature, which allows data and code to be mixed together, making code injection attacks possible.
Du and Yin conducted a systematic study on such apps and found a new form of code injection attack, which inherits the fundamental cause of cross-site scripting attack (XSS), but uses many more channels to inject code than XSS. These channels, unique to mobile devices, include Contact, SMS, Barcode and MP3 files. To assess the prevalence of this, they developed a vulnerability detection tool and analyzed apps found in Google Play. Out of 15,510 apps, 478 apps were found to be vulnerable.
In another paper, “,” Yin highlights how the drastic increase of Android malware has necessitated automation of the malware analysis process. Existing automated detection and classification can be easily evaded In this paper, Yin proposes a semantic-based approach that classifies malware via dependency graphs. Using these, he and his team have developed methods to battle transformation attacks, malware variants and zero-day malware. They have also implemented a prototype system that can correctly label 93 percent of malware instances.
Finally, in “,” reveals his research that introduces a new way for adversaries to learn a smartphone user’s PIN. Instead of watching over a person’s shoulder, this method relies entirely on the spatio-temporal dynamics of a person’s hands as they enter their PIN. Essentially, that means that adversaries can determine your PIN without even being able to see your screen.
