Exploiting App Differences for Security Analysis of Multi-Geo Mobile Ecosystems- [electronic resource]
Material Type  
 Thesis (dissertation)
 
0016933700
Date and Time of Latest Transaction  
20240214101325
ISBN  
9798379566715
DDC  
004
Author  
Kumar, Renuka.
Title/Author  
Exploiting App Differences for Security Analysis of Multi-Geo Mobile Ecosystems - [electronic resource]
Publish Info  
[S.l.] : University of Michigan., 2023
Publish Info  
Ann Arbor : ProQuest Dissertations & Theses, 2023
Material Info  
1 online resource(167 p.)
General Note  
Source: Dissertations Abstracts International, Volume: 84-12, Section: B.
General Note  
Advisor: Ensafi, Roya;Prakash, Atul.
Dissertation Note  
Thesis (Ph.D.)--University of Michigan, 2023.
Restrictions on Access Note  
This item must not be sold to any third party vendors.
Restrictions on Access Note  
This item must not be added to any third party search indexes.
Abstracts/Etc  
Billions of users worldwide access essential Internet services such as banking, education, and healthcare through mobile apps on their phones. This growth in mobile use is fueled by the rise of large platforms that provide a common backend infrastructure to provide free services to users. These platforms drive entire ecosystems by allowing competing app developers to integrate their apps with their shared backends for users worldwide to consume and carry out billions of dollars in transactions. However, security and privacy vulnerabilities in these widely deployed ecosystems compromise millions worldwide. This dissertation raises this question and asserts that there is, in fact, a practice gap in the security and privacy offerings of widely deployed mobile ecosystems.

This thesis presents and discusses the security analysis of two of the world's largest mobile ecosystems: (i) Google Play for app distribution and (ii) the Unified Payments Interface (UPI) for free bank-to-bank micropayments. We make significant contributions by demonstrating how security analysis and measurements of these black-box systems can be made feasible at scale even within the confines of a severely fragmented ecosystem, despite having no sophisticated tools or access to their backend infrastructure. We reverse-engineer these security-hardened ecosystems across nation-state boundaries from the point of view of an attacker (or user) having access to multiple vantage points, specifically, multiple versions of highly-rated apps integrated with these platforms.

This thesis exposes critical and foundational flaws in these mobile ecosystems that expose millions of users to significant security and privacy threats, even when using highly-rated apps from official app markets. In our study of the UPI ecosystem (which first emerged as a regional ecosystem in India for payments), we expose severe flaws in the design of UPI's multi-factor authentication protocol as well as the payment apps integrated with UPI which, when combined with region-specific vulnerabilities, can enable an attacker to remotely launch large-scale attacks even without any knowledge of its user. Our disclosures led to the Indian Government acknowledging and addressing the core vulnerabilities we found, releasing an upgraded 2.0 version of the payments infrastructure. We also obtained several CVEs for our vulnerability disclosures on payment apps.

Through our empirical investigation of thousands of highly-rated, essential apps on Google Play from vantage points in 26 countries, we show how users in some countries are at a higher risk of attack because developers selectively release apps with weaker security settings or privacy disclosures. We uncover a significant amount of geoblocking of essential apps on Google Play that disproportionately isolates some countries; we root cause the actor responsible for it. We open-source our code and dataset, the largest multi-country app dataset, to foster further research. The concerns raised by this research were acknowledged by the highest levels of Google's privacy teams and covered by over 25 news websites worldwide.

Thus, this thesis shows how complex black-box ecosystems can be analyzed end-to-end despite the barriers to measuring them. Our experience with app disclosures reveals that the vulnerabilities we uncovered may take years to resolve. We provide several actionable recommendations for platform owners and developers to address the issues we find, such as removing barriers for the security community to audit these ecosystems, vetting apps for compliance with MITRE's recommendations for app developers, and performing end-to-end testing of apps from multiple vantage points.
Subject Added Entry-Topical Term  
Computer science.
Subject Added Entry-Topical Term  
Computer engineering.
Subject Added Entry-Topical Term  
Information technology.
Index Term-Uncontrolled  
Security analysis
Index Term-Uncontrolled  
Geodifferences
Index Term-Uncontrolled  
End-to-end testing
Index Term-Uncontrolled  
Privacy risks
Index Term-Uncontrolled  
Unified payments interface
Index Term-Uncontrolled  
Security risks
Index Term-Uncontrolled  
Google Play
Added Entry-Corporate Name  
University of Michigan Computer Science & Engineering
Host Item Entry  
Dissertations Abstracts International. 84-12B.
Host Item Entry  
Dissertation Abstract International
Electronic Location and Access  
This material can be viewed after logging in.
Holdings  
202402 2024
Control Number  
joongbu:643722
Material  
Reg No.: TQ0029623
Call No.: T
Location: Full-text material (원문자료)
Status: Viewable / printable
Lend Info: Viewable / printable