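Title: Perplexed Messengers from the Cloud: Automated Security Analysis of Push-Messaging Integrations
Time: Wednesday, January 27, 2016, 10:00-11:30 AM
Speaker: Chen Kai (陈恺), Institute of Information Engineering, Chinese Academy of Sciences
Venue: Room 446, Institute of Computing Technology, Chinese Academy of Sciences, No. 6 Kexueyuan South Road, Haidian District, Beijing
Organizer: Wu Chenggang (武成岗), Institute of Computing Technology, Chinese Academy of Sciences, wucg[AT]ict.ac.cn
Abstract: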
We report a large-scale, systematic study on the security qualities of emerging push-messaging services, focusing on their app-side service integrations. We identified a set of security properties different push messaging services (e.g., Google Cloud Messaging) need to have, and automatically verified them in different integrations using a new tool, called Seminal. Using this tool, we studied 30 leading services around the world, and scanned 35,173 apps. Our findings are astonishing: over 20% of apps in Google Play and 50% of apps in mainstream Chinese app markets are riddled with security-critical loopholes, putting a huge amount of sensitive user data at risk. Also, our research brought to light new types of security flaws never known before, which can be exploited to cause serious confusions among popular apps and services (e.g., Facebook, Skype, Yelp, Baidu Push). Taking advantage of such confusions, the adversary can post his content to the victim’s apps in the name of trusted parties and intercept her private messages.
Speaker bio:
Chen Kai: received a Ph.D. from the Graduate University of the Chinese Academy of Sciences in 2010,