Identifying Server Side Vulnerabilities via Automated Mobile App Analysis
Today, mobile apps are everywhere. Typically, they have to connect to remote services to be really useful. Unfortunately, both the mobile apps and the remote services can be poorly engineered, and they may contain various vulnerabilities that undermine users’ security and privacy. A significant amount of research effort in the community has focused on vetting the vulnerabilities in the mobile apps. However, little attention has been paid to the remote services. In this talk, I will present a line of research that automatically identifies the vulnerabilities of remote services through mobile app analysis. In particular, I will first present AutoForge, which is able to automatically generate server request messages even with cryptographic constraints such that authentication vulnerabilities can be identified. Then, I will describe AuthScope, which identifies authorization vulnerabilities via differential analysis. Finally, I will talk about LeakScope, which identifies data leakage vulnerabilities in the cloud from mobile apps. With these tools and techniques, tens of thousands of vulnerabilities in the remote services
Biography: Dr. Zhiqiang Lin is an Associate Professor of Computer Science at The Ohio State University. His research interests are systems and software security, with an emphasis on developing program analysis techniques and applying them to secure both the application programs including mobile apps and the underlying system software such as OS kernels and hypervisors. Dr. Lin earned his Ph.D. in Computer Science from Purdue University. He is a recipient of both the NSF CAREER Award and the AFOSR Young Investigator Award.