자료유형  

 학위논문

Control Number  

0016933700

International Standard Book Number  

9798379566715

Dewey Decimal Classification Number  

004

Main Entry-Personal Name  

Kumar, Renuka.

Publication, Distribution, etc. (Imprint  

[S.l.] : University of Michigan., 2023

Publication, Distribution, etc. (Imprint  

Ann Arbor : ProQuest Dissertations & Theses, 2023

Physical Description  

1 online resource(167 p.)

General Note  

Source: Dissertations Abstracts International, Volume: 84-12, Section: B.

General Note  

Advisor: Ensafi, Roya;Prakash, Atul.

Dissertation Note  

Thesis (Ph.D.)--University of Michigan, 2023.

Restrictions on Access Note  

This item must not be sold to any third party vendors.

Restrictions on Access Note  

This item must not be added to any third party search indexes.

Summary, Etc.  

요약Billions of users worldwide access essential Internet services such as banking, education, and healthcare through mobile apps on their phones. This growth in mobile use is fueled by the rise of large platforms that provide a common backend infrastructure to provide free services to users. These platforms drive entire ecosystems by allowing competing app developers to integrate their apps with their shared backends for users worldwide to consume and carry out billions of dollars in transactions. However, security and privacy vulnerabilities in these widely deployed ecosystems compromise millions worldwide. This dissertation raises this question and asserts that there is, in fact, a practice gap in the security and privacy offerings of widely deployed mobile ecosystems.This thesis presents and discusses the security analysis of two of the world's largest mobile ecosystems: (i) Google Play for app distribution and (ii) the Unified Payments Interface (UPI) for free bank-to-bank micropayments. We make significant contributions by demonstrating how security analysis and measurements of these black-box systems can be made feasible at scale even within the confines of a severely fragmented ecosystem, despite having no sophisticated tools or access to their backend infrastructure. We reverse-engineer these security-hardened ecosystems across nation-state boundaries from the point of view of an attacker (or user) having access to multiple vantage points, specifically, multiple versions of highly-rated apps integrated with these platforms.This thesis exposes critical and foundational flaws in these mobile ecosystems that expose millions of users to significant security and privacy threats, even when using highly-rated apps from official app markets. In our study of the UPI ecosystem (which first emerged as a regional ecosystem in India for payments), we expose severe flaws in the design of UPI's multi-factor authentication protocol as well as the payment apps integrated with UPI which, when combined with region-specific vulnerabilities, can enable an attacker to remotely launch large-scale attacks even without any knowledge of its user. Our disclosures led to the Indian Government acknowledging and addressing the core vulnerabilities we found, releasing an upgraded 2.0 version of the payments infrastructure. We also obtained several CVEs for our vulnerability disclosures on payment apps.Through our empirical investigation of thousands of highly-rated, essential apps on Google Play from vantage points in 26 countries, we show how users in some countries are at a higher risk of attack because developers selectively release apps with weaker security settings or privacy disclosures. We uncover a significant amount of geoblocking of essential apps on Google Play that disproportionately isolates some countries; we root cause the actor responsible for it. We open-source our code and dataset, the largest multi-country app dataset, to foster further research. The concerns raised by this research were acknowledged by the highest levels of Google's privacy teams and covered by over 25 news websites worldwide.Thus, this thesis shows how complex black-box ecosystems can be analyzed end-to-end despite the barriers to measuring them. Our experience with app disclosures reveals that the vulnerabilities we uncovered may take years to resolve. We provide several actionable recommendations for platform owners and developers to address the issues we find, such as removing barriers for the security community to audit these ecosystems, vetting apps for compliance with MITRE's recommendations for app developers, and performing end-to-end testing of apps from multiple vantage points.

Subject Added Entry-Topical Term  

Computer science.

Subject Added Entry-Topical Term  

Computer engineering.

Subject Added Entry-Topical Term  

Information technology.

Index Term-Uncontrolled  

Security analysis

Index Term-Uncontrolled  

Geodifferences

Index Term-Uncontrolled  

End-to-end testing

Index Term-Uncontrolled  

Privacy risks

Index Term-Uncontrolled  

Unified payments interface

Index Term-Uncontrolled  

Security risks

Index Term-Uncontrolled  

Google Play

Added Entry-Corporate Name  

University of Michigan Computer Science & Engineering

Host Item Entry  

Dissertations Abstracts International. 84-12B.

Host Item Entry  

Dissertation Abstract International

Electronic Location and Access  

로그인을 한후 보실 수 있는 자료입니다.

Control Number  

joongbu:643722