Mobile cloud technologies have begun to rely heavily on services known as Mobile Back-end as a Service (MBaaS), including push messaging, data synchronization, and mobile identity management. Many of today's popular apps have already integrated push messaging services such as Google Cloud Messaging (GCM), Amazon Device Messaging (ADM), and third parties like Baidu, to enable the apps to receive notifications such as private messages, financial secrets or family members' locations. Prior research has demonstrated significant security weaknesses inside such services, endangering the information assets of billions of mobile users. By exploiting flaws in services like GCM and ADM, and their integration within popular apps such as Facebook, Google+, Skype, PayPal, etc., an attacker could steal a mobile user's sensitive messages, install or uninstall apps on her device, remotely lock out the user or even wipe out her data. This project is studying security risks in such services in order to significantly improve the security assurance of the new MBaaS computing paradigm. The team is collaborating with industry to facilitate the transfer of research outcomes to practical protections.
To identify the security properties needed in individual components of mobile cloud technologies, the researchers are modeling different MBaaS services. The models enable the development of novel static and dynamic security analysis techniques, tailored to the unique features of different service types. These techniques will allow mobile cloud service providers to automatically verify security properties on both cloud and device fronts, find problems within their systems, and improve the security quality of their services. The researchers are also developing new techniques to enable app vendors, users and app stores to automatically detect threats to mobile clouds and protect their communication against attempts to exploit those services' weaknesses. The research covers push messaging for Android, Apple, and mobile browsers, as well as other MBaaS services (e.g., identity management, data synchronization, and the platforms integrating them).