With the expansion of the market share occupied by the Android platform, security issues (especially application security) have become a focus of researchers' attention. In fact, the existing methods lack the capability to manage application permissions without root privilege. This study proposes a dynamic management mechanism for Android application permissions based on security policies. The paper first describes the permissions using security policies, then implements the permission-checking code and the request evaluation algorithm in the Android framework layer. Experimental results indicate that the presented approach succeeds in managing the permissions of Android applications with low system overhead, which makes it an effective method for Android permission management.
Limited by the small keyboard, most mobile apps support an automatic login feature for a better user experience, so users avoid the inconvenience of retyping their ID and password when an app runs in the foreground again. However, this auto-login function can be exploited to launch the so-called data-clone attack: once the locally stored data that auto-login depends on are cloned by attackers and placed into their own smartphones, attackers can break through the login-device number limit and log in to the victim's account stealthily. A natural countermeasure is to check the consistency of device-specific attributes. As long as the new device shows device fingerprints that differ from the previous one, the app will disable the auto-login function and thus prevent data-clone attacks. In this paper, we develop VPDroid, a transparent Android OS-level virtualization platform tailored for security testing. With VPDroid, security analysts can customize different device artifacts, such as CPU model, Android ID, and phone number, in a virtual phone without user-level API hooking. VPDroid's isolation mechanism ensures that user-mode apps in the virtual phone cannot detect device-specific discrepancies. To assess Android apps' susceptibility to the data-clone attack, we use VPDroid to simulate data-clone attacks against the 234 most-downloaded apps. Our experiments on five different virtual phone environments show that VPDroid's device attribute customization can deceive all tested apps that perform device-consistency checks, such as Twitter, WeChat, and PayPal. 19 vendors have confirmed our report as a zero-day vulnerability. Our findings paint a cautionary tale: enforcing a device-consistency check only at the client side is still vulnerable to an advanced data-clone attack.
NuCypher KMS is a decentralized Key Management System (KMS) that addresses the limitations of using consensus networks to securely store and manipulate private, encrypted data. It provides encryption and cryptographic access controls, performed by a decentralized network, leveraging proxy re-encryption. Unlike centralized KMS-as-a-service solutions, it doesn't require trusting a service provider. NuCypher KMS enables sharing of sensitive data for both decentralized and centralized applications, providing security infrastructure for applications from healthcare to identity management to decentralized content marketplaces. NuCypher KMS will be an essential part of decentralized applications, just as SSL/TLS is an essential part of every secure web application.
The ongoing digital transformation of the medical sector requires solutions that are convenient and efficient for all stakeholders while protecting patients' sensitive data. One example involving both patients and health professionals that has already attracted design-oriented research is medical prescriptions. However, current implementations of electronic prescriptions typically create centralized data silos, leaving user data vulnerable to cybersecurity incidents and impeding interoperability. Research has also proposed decentralized solutions based on blockchain technology as an alternative, but privacy-related challenges have so far either been ignored or shifted to complex or not-yet-standardized solutions. This paper presents the design and implementation of a system for the exchange of electronic prescriptions based on the combination of two blockchains and a digital wallet app. Our solution combines the bilateral, verifiable, and privacy-focused exchange of information between doctors, patients, and pharmacies, based on a verifiable credential, with a token-based, anonymized double-spending check. Our qualitative and quantitative evaluations suggest that this architecture can improve existing approaches to electronic prescription management by offering patients control over their data by design, a sufficient level of performance and scalability, and interoperability with emerging digital identity management solutions for users, businesses, and institutions.
Publishing physical activity data can facilitate reproducible health-care research in several areas, such as population health management, behavioral health research, and management of chronic health problems. However, publishing such data also brings high privacy risks related to re-identification, which makes anonymization necessary. One of the challenges in anonymizing physical activity data collected periodically is its sequential nature. The existing anonymization techniques work sufficiently well for cross-sectional data but have high computational costs when applied directly to sequential data. This paper presents an effective anonymization approach, Multi-level Clustering-based anonymization, to anonymize physical activity data. Compared with the conventional methods, the proposed approach improves time complexity by reducing the clustering time drastically. While doing so, it preserves utility as well as the conventional approaches do.
Since 6.0 (Marshmallow, API level 23), Android has introduced a new permission model that allows apps to request permissions at runtime rather than at installation time. While this runtime permission model provides users with greater flexibility in controlling an app's access to sensitive data and system features, it brings new challenges to app development. First, as users may grant or revoke permissions at any time while they are using an app, developers need to ensure that the app properly checks and requests required permissions before invoking any permission-protected APIs. Second, Android's permission mechanism keeps evolving and getting customized by device manufacturers. Developers are expected to comprehensively test their apps on different Andro