Student Projects
List of MSc Projects
Sensor-based attacks via native, web, hybrid, and IoT apps
Description: Sensor side-channel attacks on native apps have been studied widely, while there is limited research on browser access and hybrid apps. Hybrid apps have established an increasing share in the market since they offer full functionality at an affordable development cost: web code is written once and recompiled into cross-platform apps (Android, iOS, Windows). They are built using several libraries in platforms such as PhoneGap, Cordova, and Ionic. Proper configuration of hybrid apps is an important but often neglected task. Risky default settings and rushed configurations cause several privacy and security breaches. While there are limited efforts in exploring some of the major security and privacy issues of hybrid apps, there isn’t any study focusing on sensor access. In this project, you will perform novel sensor attacks via browsers and hybrid apps on users' private information. In particular, you will perform side-channel attacks on motion sensors, NFC, and ambient sensors via hybrid apps. These ideas can be applied on multiple platforms such as mobile, web, and IoT.
Papers: CordovaConfig: A Tool for Mobile Hybrid Apps' Configuration; Stealing PINs via mobile sensors: actual risk versus user perception; NFC Payment Spy: A Privacy Attack on Contactless Payments; The Web’s Sixth Sense: A Study of Scripts Accessing Smartphone Sensors
Skills: Android/Web/IoT programming, Data analysis via Machine Learning (e.g. Matlab, Python)
Security and privacy evaluation of mobile apps
Description: In this project, you will choose a subset of Android apps (e.g. 50 apps in agri-tech, children's apps, FemTech, healthcare, etc.) and study them via static analysis, dynamic analysis, and privacy policy review (with a focus on the GDPR).
Static analysis is the evaluation of the app program code, without actually executing it. You will use advanced methods to carry out reverse engineering to retrieve the app bytecode and infer how permissions are handled, i.e. permissions declared in the manifest, declared permissions used in the bytecode, permissions not declared but used, and permissions declared but not used. Open-source tools such as RiskInDroid and Androwarn (github.com/maaaaz/androwarn) will be modified and used to analyse the permission usage of the apps for over-privilege, and to identify potential misbehaviours and information collection.
Dynamic analysis is the observation of the app's behaviour on execution, its processes, created files, and network activities. For this, a customised kernel can be run to record app access to sensitive resources, e.g. GPS, browsing history, photos and other sensors. Apps such as Lumen Privacy Monitor (haystack.mobi) can be used to closely observe how apps transmit information. A data interception experiment environment needs to be set up for this study.
The technical analysis will be completed by reviewing the privacy policies of these apps. This can be done manually or via natural language processing techniques to verify whether these apps comply with any law (e.g. GDPR) and/or inform users of potential tracking activities.
Papers: RiskInDroid: machine learning based risk analysis on Android; Android permissions remystified: A field study on contextual integrity; “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale
Skills: Web/IoT programming, Familiarity with Linux and Android programming, Rooting an Android mobile phone or tablet (the device will be provided), Setting up a data interception experiment environment (e.g. see https://privacyinternational.org/node/2732#methodology).
Evaluation of sensor protection mechanisms in mobile OSs, browsers, and IoT systems
Description: In practice, there exist a few different approaches and permission models for mobile OS resources and sensors. These approaches are not unified across vendors, OSs, browsers, resources, and sensors. For example, while the run-time permission model clearly increases security, in our previous studies, some of the participants expressed that they had a better security experience with the install-time permission model. On the other hand, our research suggested that users generally have conflicting views about such permissions. The permission methods currently offered by industry and literature will be comprehensively studied, specifically across different mobile platforms such as Android and iOS, different mobile browsers such as Chrome, Safari, Firefox, and Opera, as well as IoT platforms. These include install vs. run-time permissions, individual vs. group permissions, one-time vs. continuous monitoring, explicit user permission vs. implicit notifications, opt-in vs. opt-out, limiting sampling rate, global and per-origin access control, page information dialogs, location bar indicators, and any other disclosure user interface elements. The focus of this study will be: (a) to categorise these protection mechanisms and list their pros and cons from security, usability, and functionality perspectives, (b) to identify those methods that involve user engagement (implicit or explicit), and (c) to compare them.
Papers: Stealing PINs via mobile sensors: actual risk versus user perception; What Is This Sensor and Does This App Need Access to It?; W3C Generic Sensor API; Risks of Mobile Ambient Sensors and User Awareness, Concerns, and Preferences
Skills: Android/Web/IoT programming, User studies (in person, interview, Amazon Mechanical Turk, Prolific, etc.).
Selected Projects
MSc
2023 (RHUL): Enhancing Cyber Threat Intelligence with Artificial Intelligence and Machine Learning, Rubab Anjum
2023 (RHUL): Practical Live Laser Microphone Injection Attacks on Voice Assistants, Rachel Robin
2022 (Newcastle): Analysis of the User’s Environment based on Mobile Ambient Light Sensor via JavaScript, Bangyi Zhang
2022 (Newcastle): Evaluating the Sensor Access on Android via Hybrid Apps, Shuning Yang
2022 (Newcastle): Usage Patterns of Privacy-enhancing Technologies in China, Xuanming Zhang
2021 (Newcastle): Privacy and Security Analysis of 3rd-party Smart Home Products, Stephen Cook
2021 (Newcastle): Visual Impairments and Privacy-enhancing Technologies, James Clarke
Output:
Invisible, Unreadable, and Inaudible Cookie Notices: An Evaluation of Cookie Notices for Users with Visual Impairments, ACM Transactions on Accessible Computing, 2023
2021 (Newcastle): A Privacy Analysis of Children’s Mobile Applications, Anamaria Dragulin
2020 (Newcastle): User Privacy in Smart Buildings, Scott Harper (Supervisory team)
Output:
User Privacy Concerns and Preferences in Smart Buildings, STAST'21
User Privacy Concerns in Commercial Smart Buildings, Journal of Computer Security'22
2020 (Newcastle): A Privacy-Preserving ML-based Face Mask Recognition System, Zeynep Aki
2020 (Newcastle): An Android Game App for Sensor Security and Privacy, Rory Jones
2019 (Newcastle): Information Leakage via Mobile Ambient Sensors, Chris Makarouna
2019 (Newcastle): Privacy Analysis of Popular Android Apps in India, Adi Vaidya
BSc/MSci
2022 (RHUL): An Analysis of Bluetooth Low Energy Beacon Libraries, Aisha Sandia
2022 (RHUL): Security Issues in Serverless Functions Final Report, Bruce Lay
2022 (RHUL): A Chat Bot to Manage Security Services, Christopher Rodipe
2022 (RHUL): Implementation and Analysis of Silencing Attacks on Bluetooth low energy beacons, Connor Kirk