Mobile devices such as smartphones and Internet tablets have achieved computing and networking capabilities comparable to traditional personal computers. Their successful consumerization has also become a source of pain for adopting users and organizations. For example, the widespread presence of information-stealing applications raises substantial security and privacy concerns. The operating systems supporting these new devices have both advantages and disadvantages with respect to security. On one hand, they use application sandboxing to contain exploits and limit privileges given to malware. On the other hand, they routinely collect and organize many forms of security- and privacy-sensitive information and make that information easily accessible to third-party applications.

Recognizing smartphone security and privacy as an emerging area, this workshop intends to provide a venue for interested researchers and practitioners to get together and exchange ideas. Topics of interest include (but are not limited to) the following subject categories:

We also encourage novel paradigms and controversial ideas that are not on the above list. The workshop is to act as a venue for creative debate and interaction in security- and privacy-sensitive areas of computing and communication impacted by smartphones. We will favor submissions that are radical, forward-looking, and open-ended, as opposed to mature work on the verge of conference or journal publication. Submissions that discuss a real-world problem without a solution are encouraged.

Important Dates

Manuscript submission Wednesday, July 27, 2016 (11:59 PM Samoa Time UTC-11)
Acceptance notification Friday, September 2, 2016
Final manuscript due Tuesday, September 13, 2016
Workshop date Monday, October 24, 2016


Authors are invited to submit either

Submissions must be in double-column ACM format (available at the ACM Website) with a font no smaller than 9 point. Only PDF files will be accepted. Submissions need to have their pages numbered and should not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. All authors and their affiliations must be listed. Each accepted paper must be presented by one registered author. Submissions not meeting these guidelines risk rejection without consideration of their merits. Accepted papers will be published by the ACM Press and/or the ACM Digital Library.

The submission website is SPSM 2016 in Easychair.

Organizing Committees

Program Co-chairs

Technical Program Committee

Steering Committee


To register for the SPSM 2016 workshop, please visit the CCS2016 Registration website. Registering for the Monday workshops is sufficient to register for SPSM 2016.

Technical Program - Monday, October 24th, 2016

The below schedule is based on the ACM CCS schedule. Each technical presentation is scheduled for 17 minutes (10 minutes for short papers) plus 5 minutes for questions. Please see the CCS speaker info page for the presentation setup.

9:00 - 9:15 Welcome: Long Lu (Stony Brook University), Mohammad Mannan (Concordia University) and William Enck (North Carolina State University)
9:15 - 10:30 Keynote: Jan-Erik Ekberg (Trustonic)

Hardware Isolation for Trusted Execution

Abstract: For more than a decade, Trusted Execution Environments (TEEs), found primarily in mobile phone and tablets, have been used to implement operator and third-party secure services like payment clients, electronic identities, rights management and device-local attestation. For many years, ARM TrustZone-A™ (TZA) primitives were more or less the only available hardware mechanism to build a TEE, but recently alternative hardware security solutions have emerged for the same general purpose --- some are more tailored to the upcoming Internet of Things (IoT) device market whereas we also now have hardware that potentially can bring TEEs into the cloud infrastructure. In my talk, I will introduce the contemporary TEE as is being deployed in today's devices, but one focal point of the presentation is on a functional comparison between the hardware support provided by TZA and the recently released and deployed Intel SGX™ and ARM TrustZone-M™ architectures. Each solution has its relative strengths and drawbacks that reflects its main deployment purpose, and as a result, the software stack that completes the TEE environment will have to significantly adapt to each individual hardware platform. The final part of the talk will present a few conducted tests and research prototypes where we have gone beyond the TEE as it typically is set up today -- e.g., exploring problems emerging in a cloud environment with migrating workloads as well as policy enforcement in IoT devices.

Bio: Jan-Erik Ekberg is Director of Advanced Development at Trustonic. His background is in the telecom industry, where he worked for 18 years at Nokia Research Center. His primary interests are with issues related to platform security, TPMs and TEEs, but he has also background in (securing) network protocols and telecom systems, as well with short-range communication technologies like NFC, BT-LE and WLAN. In his latest role his main focus is in trusted execution environments for mobile devices as well as IoT endpoints and servers. Jan-Erik received his doctorate in Computer Science from Aalto University.

10:30 - 11:00 Coffee Break
11:00 - 12:30

Technical Session: Studies and Analyses

Session Chair: Konstantin Beznosov

Secure Containers in Android: the Samsung KNOX Case Study

Uri Kanonov (Tel Aviv University), Avishai Wool (Tel Aviv University)

White Rabbit in Mobile: Effect of Unsecured Clock Source in Smartphones

Shinjo Park (TU Berlin/Telekom Innovation Labs), Altaf Shaik (TU Berlin/Telekom Innovation Labs), Ravishankar Borgaonkar (Oxford University), Jean-Pierre Seifert (TU Berlin/Telekom Innovation Labs)

What You See Isn't Always What You Get: A Measurement Study of Usage Fraud on Android Apps

Wei Liu (Tsinghua University), Yueqian Zhang (Tsinghua University), Zhou Li (ACM Member), Haixin Duan (Tsinghua University)

CRiOS: Toward Large-Scale iOS Application Analysis

Damilola Orikogbo (Boston University), Manuel Egele (Boston University), Matthias Buchler (Boston University)

12:30 - 14:00 Lunch
14:00 - 15:30

Technical Session: Privacy

Session Chair: Manuel Egele

SecuRank: Starving Permission-Hungry Apps Using Contextual Permission Analysis

Vincent Taylor (University of Oxford), Ivan Martinovic (University of Oxford)

Securing Recognizers for Rich Video Applications

Christopher Thompson (University of California, Berkeley), David Wagner (University of California, Berkeley)

On a (Per)Mission: Building Privacy Into the App Marketplace

Hannah Quay-De La Vallee (Brown University), Paige Selby (Brown University), Shriram Krishnamurthi (Brown University)

Exploiting Phone Numbers and Cross-Application Features in Targeted Mobile Attacks

Srishti Gupta (Indraprastha Institute of Information Technology, Delhi), Payas Gupta (School of Information Systems, Singapore Management University), Mustaque Ahamad (Georgia Institute of Technology & New York University Abu Dhabi), Ponnurangam Kumaraguru (IIITD)

15:30 - 16:00 Coffee Break
16:00 - 17:40

Technical Session: Attacks and Defenses

Session Chair: William Enck

Hardened Setup of Personalized Security Indicators to Counter Phishing Attacks in Mobile Banking

Claudio Marforio (ETH Zurich), Ramya Masti (ETH Zurich), Claudio Soriente (Telefonica), Kari Kostiainen (ETH Zurich), Srdjan Capkun (ETH Zurich)

Picasso: Lightweight Device Class Fingerprinting for Web Clients

Elie Bursztein (Google), Artem Malyshev (Google), Tadek Pietraszek (Google), Kurt Thomas (Google)

Detecting Misuse of Google Cloud Messaging in Android Badware

Mansour Ahmadi (University of Cagliari), Battista Biggio (University of Cagliari), Steven Arzt (Technische Universitat Darmstadt), Davide Ariu (University of Cagliari), Giorgio Giacinto (University of Cagliari)

[Short Paper] On the CCA (in)security of MTProto

Jakob Jakobsen (Aarhus University), Claudio Orlandi (Aarhus University)

[Short Paper] Breaking TETRA Location Privacy and Network Availability

Martin Pfeiffer (Secure Mobile Networking Lab, TU Darmstadt), Jan-Pascal Kwiotek (Secure Mobile Networking Lab, TU Darmstadt), Jiska Classen (Secure Mobile Networking Lab, TU Darmstadt), Robin Klose (Secure Mobile Networking Lab, TU Darmstadt), Matthias Hollick (Secure Mobile Networking Lab, TU Darmstadt)