
2015 CSecLab Workshop on Security of Mobile Applications

The Computer Security Lab Research Group at DIBRIS - University of Genoa, in collaboration with CLUSIT (The Italian Association for Computer Security), is proud to organize the "2015 CSecLab Workshop on Security of Mobile Applications". The event is organized within the framework of the European Cyber Security Month (ECSM).

Date: November 12th, 2015.

Schedule: From 9:30 to 13:00.

Location: DIBRIS - room 326bis, Via Dodecaneso 35, 16146, Genova.


Schedule: 9:30 am - 9:45 am

Welcome & Opening

Alessio Merlo (Assistant Professor at DIBRIS - University of Genoa)


Schedule: 9:45 am - 10:30 am

Title: Android Permissions Unleashed

Abstract: The Android Security Framework controls the execution of applications through permissions which are statically granted by the user during installation. However, the definition of security policies over permissions is not supported. Security policies must therefore be manually encoded into the application by the developer, which is a dangerous practice and may cause security breaches. The Safe Component Provider (SCP) improves the Android permission system by supporting the specification and enforcement of fine-grained security policies. Enforcement is achieved by reducing policy decision problems to propositional satisfiability and leveraging a state-of-the-art SAT solver. Unlike alternative proposals, SCP does not require changes in the operating system and, therefore, it can be readily deployed on any commercial device.
Gabriele Costa
(Assistant Professor at DIBRIS - University of Genoa)

Schedule: 10:30 am - 11:15 am

Title: MAVeriC: the Mobile Application Verification Cluster

Abstract: The success of the mobile application model is mostly due to the ease with which new applications are uploaded by developers, distributed through the application markets (e.g. Google Play), and installed by users. Yet, the very same model is a cause of serious security concerns, since users have little or no means to ascertain the trustworthiness of the applications they install on their devices. Such concerns grow when dealing with professional scenarios like the use of mobile devices within organisations. To protect their customers, Poste Italiane has defined the Mobile Application Verification Cluster (MAVeriC), a process for the systematic security analysis of third-party mobile apps leveraging their online services (e.g. home banking, parcel tracking). At the core of the MAVeriC project lie the Static Analysis Module (SAM) and the Dynamic Analysis Module (DAM). These toolkits support the analysis of mobile applications by automating a number of operations.
Andrea Valenza
(Computer Security Lab at DIBRIS)


Schedule: 11:15 am - 12:00 pm

Title: Trusted Host-based Card Emulation

Abstract: Near Field Communication (NFC) promises to boost mobile transactions and payments. Indeed, NFC-enabled devices can emulate smartcards, thus allowing payments, loyalty programs, card access, transit passes and other custom services through a mobile phone. Although many modern mobile devices mount an NFC transceiver, card emulation is still a rare feature. The main reason is that the two available card emulation frameworks, namely Card Emulation and Host-based Card Emulation, have known limitations in terms of usability and security (respectively). This talk presents a novel approach to card emulation called Trusted Host-based Card Emulation (THCE). THCE relies on the Trusted Execution Environment, currently deployed on most of the CPUs for mobile devices, and implements a secure and usable card emulation framework.
Luca Verderame
(Ph.D. Student at DIBRIS)


Schedule: 12:00 pm - 12:45 pm

Title: Usage Control on Cloud and Mobile Devices: the Coco Cloud Approach.

Abstract: The Usage Control model extends traditional access control to continuously enforce security policies while resources or data are accessed, in order to interrupt such accesses when the related rights no longer hold. The Coco Cloud project exploits the Usage Control model to define Data Sharing Agreements, i.e., usage control policies embedded within data which regulate their sharing on the Cloud, and defines a framework for the enforcement of such policies on mobile devices.
Paolo Mori
(First Researcher at IIT-CNR, Pisa)


Schedule: 12:45 pm - 1:00 pm

Discussion & Closing Remarks

Moderator: Alessio Merlo (Assistant Professor at DIBRIS - University of Genoa)