Meng Luo will present her PhD proposal: Evaluating Mobile-browser Security with Dynamic Analysis Techniques
Recent market-share statistics show that mobile device traffic has overtaken that of traditional desktop computers. Users spend an increasing amount of time on their smartphones and tablets, while the Web continues to be the platform of choice for delivering new applications to users. This thesis explores the multi-layer security risks that mobile browsers and users of mobile browsers are exposed to, when browsing the Web.

We present three contributions: First, we conduct a longitudinal
study that investigates the evolution of UI-related vulnerabilities of hundreds of popular mobile Web browsers over a period of five years. To this end, we collect an extensive dataset of mobile browsers and design Hindsight, a browser-agnostic testing framework that can automatically expose browsers to attacks and evaluate their security posture. This work demonstrates that 98.6% of tested browsers are vulnerable to at least one of our attacks and
that, on average, mobile Web browsers are becoming less secure over time.

Second, we present the first study evaluating the support of popular Web-application security mechanisms (such as Content Security Policy, HTTP Strict Transport Security, and Referrer Policy) across mobile Web browsers. This work systematically discovers which mechanisms are supported by which browsers, tracks the evolution of mechanism support, and identifies design choices followed by the majority of browsers, which leave hundreds of popular Websites open to clickjacking attacks.

Moreover, this work finds the presence
of multi-year vulnerability windows between the time when popular Websites start utilizing a security mechanism and when mobile browsers are able to enforce it. Last, using our browser-agnostic, dynamic-analysis framework, we conduct a systematic measurement study to understand to what extent properties of mobile Web users (such as their browser, geographical location, and interests) affect the malicious advertisements to which they are exposed.

Overall, our findings highlight the need for continuous security testing of mobile Web browsers, server-side frameworks which can adapt to the level of security that each browser can guarantee, and security scanners that can emulate different mobile browsers in order to be able to identify mobile-specific malicious content.

For more Zoom details, please email: events [at] cs.stonybrook.eduid="ow625" __is_owner="true"