Mobile devices such as smartphones and Internet tablets have achieved computing and networking capabilities comparable to traditional personal computers. Their successful consumerization has also become a source of pain for adopting users and organizations. For example, the widespread presence of information-stealing applications raises substantial security and privacy concerns. The operating systems supporting these new devices have both advantages and disadvantages with respect to security. On one hand, they use application sandboxing to contain exploits and limit privileges given to malware. On the other hand, they routinely collect and organize many forms of security- and privacy-sensitive information and make that information easily accessible to third-party applications.
Recognizing smartphone security and privacy as an emerging area, this workshop intends to provide a venue for interested researchers and practitioners to get together and exchange ideas. Topics of interest include (but are not limited to) the following subject categories:
- Device/hardware security
- OS/middleware security
- Application security
- Authenticating users to devices and services
- Mobile web browsers
- Usability
- Privacy
- Rogue application detection and recovery
- Vulnerability detection and remediation
- Secure application development
- Cloud support for mobile security
- Mobile device management
- Mobile ads
- Dual persona management and isolation
We also encourage novel paradigms and controversial ideas that are not on the above list. The workshop is to act as a venue for creative debate and interaction in security- and privacy-sensitive areas of computing and communication impacted by smartphones. We will favor submissions that are radical, forward-looking, and open-ended, as opposed to mature work on the verge of conference or journal publication. Submissions that discuss a real-world problem without a solution are encouraged.
Important Dates
Manuscript submission | Wednesday, July 27, 2016 (11:59 PM Samoa Time UTC-11) |
Acceptance notification | Friday, September 2, 2016 |
Final manuscript due | Tuesday, September 13, 2016 |
Workshop date | Monday, October 24, 2016 |
Submissions
Authors are invited to submit either
- Full papers (8-10 pages including references) that present relatively mature research results on security and privacy in smartphones and mobile devices;
- Short papers (4-6 pages including references) that define new problems in security and privacy related to smartphones and mobile devices, or provide inspiring visions; or
- Discussion panel proposals (4-6 pages including references) that include a proposed topic and list of panel members who are willing to attend and participate.
Submissions must be in double-column ACM format (available at the ACM Website) with a font no smaller than 9 point. Only PDF files will be accepted. Submissions need to have their pages numbered and should not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. All authors and their affiliations must be listed. Each accepted paper must be presented by one registered author. Submissions not meeting these guidelines risk rejection without consideration of their merits. Accepted papers will be published by the ACM Press and/or the ACM Digital Library.
The submission website is SPSM 2016 in EasyChair.
Organizing Committees
Program Co-chairs
- Long Lu, Stony Brook University
- Mohammad Mannan, Concordia University
Technical Program Committee
- Konstantin Beznosov, University of British Columbia
- Mihai Christodorescu, Qualcomm Research Silicon Valley
- Jeremy Clark, Concordia University
- Lucas Davi, Technische Universität Darmstadt
- Manuel Egele, Boston University
- Ragib Hasan, University of Alabama at Birmingham
- Urs Hengartner, University of Waterloo
- Suman Jana, Columbia University
- Xiapu Luo, Hong Kong Polytechnic University
- Ian Molloy, IBM TJ Watson Research Center
- Muhammad Naveed, University of Southern California
- Damien Octeau, University of Wisconsin-Madison
- Xinming Ou, University of South Florida
- Sebastian Porst, Google
- Ahmad-Reza Sadeghi, Technische Universität Darmstadt
- Kapil Singh, IBM TJ Watson Research Center
- Julie Thorpe, University of Ontario Institute of Technology
- Tao Wan, Huawei, Canada
- Glenn Wurster, BlackBerry
- Mingyuan Xia, McGill University
- Xiaoyong Zhou, Samsung Research America
- Yajin Zhou, Qihoo 360
Steering Committee
- N. Asokan, Aalto University and University of Helsinki
- William Enck, North Carolina State University
- Xuxian Jiang, North Carolina State University
- Patrick Traynor, University of Florida
Registration
To register for the SPSM 2016 workshop, please visit the CCS2016 Registration website. Registering for the Monday workshops is sufficient to register for SPSM 2016.
Technical Program - Monday, October 24th, 2016
The schedule below is based on the ACM CCS schedule. Each technical presentation is scheduled for 17 minutes (10 minutes for short papers) plus 5 minutes for questions. Please see the CCS speaker info page for the presentation setup.
9:00 - 9:15 | Welcome: Long Lu (Stony Brook University), Mohammad Mannan (Concordia University) and William Enck (North Carolina State University) |
---|---|
9:15 - 10:30 | Keynote: Jan-Erik Ekberg (Trustonic) |
Hardware Isolation for Trusted Execution. Abstract: For more than a decade, Trusted Execution Environments (TEEs), found primarily in mobile phones and tablets, have been used to implement operator and third-party secure services like payment clients, electronic identities, rights management and device-local attestation. For many years, ARM TrustZone-A™ (TZA) primitives were more or less the only available hardware mechanism to build a TEE, but recently alternative hardware security solutions have emerged for the same general purpose --- some are more tailored to the upcoming Internet of Things (IoT) device market whereas we also now have hardware that potentially can bring TEEs into the cloud infrastructure. In my talk, I will introduce the contemporary TEE as it is being deployed in today's devices, but one focal point of the presentation is on a functional comparison between the hardware support provided by TZA and the recently released and deployed Intel SGX™ and ARM TrustZone-M™ architectures. Each solution has its relative strengths and drawbacks that reflect its main deployment purpose, and as a result, the software stack that completes the TEE environment will have to significantly adapt to each individual hardware platform. The final part of the talk will present a few conducted tests and research prototypes where we have gone beyond the TEE as it typically is set up today -- e.g., exploring problems emerging in a cloud environment with migrating workloads as well as policy enforcement in IoT devices. Bio: Jan-Erik Ekberg is Director of Advanced Development at Trustonic. His background is in the telecom industry, where he worked for 18 years at Nokia Research Center. His primary interests are with issues related to platform security, TPMs and TEEs, but he also has a background in (securing) network protocols and telecom systems, as well as with short-range communication technologies like NFC, BT-LE and WLAN. In his latest role his main focus is on trusted execution environments for mobile devices as well as IoT endpoints and servers. Jan-Erik received his doctorate in Computer Science from Aalto University. |
|
10:30 - 11:00 | Coffee Break |
11:00 - 12:30 |
Technical Session: Studies and Analyses Session Chair: Konstantin Beznosov |
Secure Containers in Android: the Samsung KNOX Case Study Uri Kanonov (Tel Aviv University), Avishai Wool (Tel Aviv University) |
|
White Rabbit in Mobile: Effect of Unsecured Clock Source in Smartphones Shinjo Park (TU Berlin/Telekom Innovation Labs), Altaf Shaik (TU Berlin/Telekom Innovation Labs), Ravishankar Borgaonkar (Oxford University), Jean-Pierre Seifert (TU Berlin/Telekom Innovation Labs) |
|
What You See Isn't Always What You Get: A Measurement Study of Usage Fraud on Android Apps Wei Liu (Tsinghua University), Yueqian Zhang (Tsinghua University), Zhou Li (ACM Member), Haixin Duan (Tsinghua University) |
|
CRiOS: Toward Large-Scale iOS Application Analysis Damilola Orikogbo (Boston University), Manuel Egele (Boston University), Matthias Buchler (Boston University) |
|
12:30 - 14:00 | Lunch |
14:00 - 15:30 |
Technical Session: Privacy Session Chair: Manuel Egele |
SecuRank: Starving Permission-Hungry Apps Using Contextual Permission Analysis Vincent Taylor (University of Oxford), Ivan Martinovic (University of Oxford) |
|
Securing Recognizers for Rich Video Applications Christopher Thompson (University of California, Berkeley), David Wagner (University of California, Berkeley) |
|
On a (Per)Mission: Building Privacy Into the App Marketplace Hannah Quay-De La Vallee (Brown University), Paige Selby (Brown University), Shriram Krishnamurthi (Brown University) |
|
Exploiting Phone Numbers and Cross-Application Features in Targeted Mobile Attacks Srishti Gupta (Indraprastha Institute of Information Technology, Delhi), Payas Gupta (School of Information Systems, Singapore Management University), Mustaque Ahamad (Georgia Institute of Technology & New York University Abu Dhabi), Ponnurangam Kumaraguru (IIITD) |
|
15:30 - 16:00 | Coffee Break |
16:00 - 17:40 |
Technical Session: Attacks and Defenses Session Chair: William Enck |
Hardened Setup of Personalized Security Indicators to Counter Phishing Attacks in Mobile Banking Claudio Marforio (ETH Zurich), Ramya Masti (ETH Zurich), Claudio Soriente (Telefonica), Kari Kostiainen (ETH Zurich), Srdjan Capkun (ETH Zurich) |
|
Picasso: Lightweight Device Class Fingerprinting for Web Clients Elie Bursztein (Google), Artem Malyshev (Google), Tadek Pietraszek (Google), Kurt Thomas (Google) |
|
Detecting Misuse of Google Cloud Messaging in Android Badware Mansour Ahmadi (University of Cagliari), Battista Biggio (University of Cagliari), Steven Arzt (Technische Universität Darmstadt), Davide Ariu (University of Cagliari), Giorgio Giacinto (University of Cagliari) |
|
[Short Paper] On the CCA (in)security of MTProto Jakob Jakobsen (Aarhus University), Claudio Orlandi (Aarhus University) |
|
[Short Paper] Breaking TETRA Location Privacy and Network Availability Martin Pfeiffer (Secure Mobile Networking Lab, TU Darmstadt), Jan-Pascal Kwiotek (Secure Mobile Networking Lab, TU Darmstadt), Jiska Classen (Secure Mobile Networking Lab, TU Darmstadt), Robin Klose (Secure Mobile Networking Lab, TU Darmstadt), Matthias Hollick (Secure Mobile Networking Lab, TU Darmstadt) |