Speaker: Dr. Zhou Jianying, Research Scientist, Institute for Infocomm Research (I2R), Singapore
Speaker bio: Zhou Jianying is an internationally recognized information security expert. He received his PhD in information security from the University of London, UK, and is currently Head of the Infocomm Security Department at the Institute for Infocomm Research, Singapore. He has led and been responsible for numerous industry-academia-research collaboration projects for the Singapore government and for enterprises, has published more than 200 academic papers in international journals and conferences, has served as chair or program committee member of more than 150 international academic conferences, and is one of the founders of ACNS, a top-tier international security conference. He currently serves on the editorial board of IEEE Transactions on Information Forensics and Security, and is an adjunct professor at Kyushu University (Japan) and Shanghai Jiao Tong University.
Abstract: Smartphones are becoming more and more popular, and Android and iOS are the two dominant mobile operating systems on the market. An interesting question is which one is more secure. We made a comparison by investigating applications that run on both Android and iOS and examining the differences in their usage of security-sensitive APIs (SS-APIs). We developed static analysis tools to perform large-scale static analysis of cross-platform applications with respect to their SS-API usage. Our analysis showed that applications on iOS tend to use more SS-APIs than their counterparts on Android, and are more likely to access sensitive resources that may cause privacy breaches or security risks without being noticed.
We also proposed a generic attack vector that enables third-party applications to launch attacks on non-jailbroken iOS devices, and constructed multiple proof-of-concept attacks, such as cracking the device PIN and taking snapshots without the user's awareness. Our applications, embedded with the attack code, passed Apple's vetting process and worked as intended on non-jailbroken devices. Our proof-of-concept attacks have shown that Apple's vetting process and the iOS sandbox have weaknesses that can be exploited by third-party applications. Our work helped Apple fix these vulnerabilities in the latest release of iOS 7.