The School of Informatics, Computing, and Engineering (SICE) CS Colloquium Series
Speaker: Luyi Xing, Amazon Web Services Security
Where: Dogwood Room, Indiana Memorial Union
When: Tuesday December 05, 2017 04:00 PM
Topic: Logic Flaw in the Push Clouds: Security Hazards in Mobile Push-Messaging Services
Abstract: Push messaging is among the most important mobile-cloud services, offering critical supports to a wide spectrum of mobile apps. This service needs to coordinate complicated interactions between developer servers and their apps in a large scale, making it error prone. With its importance, little has been done, however, to understand the security risks of the service. In this paper, we report the first security analysis on those push-messaging services, which reveals the pervasiveness of subtle yet significant security flaws in them, affecting billions of mobile users. Through even the most reputable services like Google Cloud Messaging (GCM) and Amazon Device Messaging (ADM), the adversary running carefully crafted exploits can steal sensitive messages from a target device, stealthily install or uninstall any apps on it, remotely lock out its legitimate user or even completely wipe out her data. This is made possible by the vulnerabilities in those services’ protection of device-to-cloud interactions and the communication between their clients and subscriber apps on the same devices. Our study further brings to light questionable practices in those services, including weak cloud-side access control and extensive use of PendingIntent, as well as the impacts of the problems, which cause popular apps or system services like Android Device Manager, Facebook, Google+, Skype, PayPal etc. to leak out sensitive user data or unwittingly act on the adversary’s command. To mitigate this threat, we developed a technique that helps the app developers establish end-to-end protection of the communication with their apps, over the vulnerable messaging services they use.
Biography: Luyi Xing is a Software Engineer in AWS Security, Amazon. He received his Ph.D. from Indiana University Bloomington in 2017. His research interest includes finding previously unknown design and architecture problems in industry-leading systems, including iOS, OS X, Android, AWS, etc, and high-profile applications on them. With in-depth understanding of systems and their problems, he is also devoted to inventing solutions. His works were published in top-tier security conferences including IEEE S&P, ACM CCS, NDSS etc. and were widely covered by media including Time, CNN, Forbes, Fox News, Yahoo, etc.