Design and Evaluation of a Course Module on Android Cipher Programming (Abstract Only)
Pages 689 - 690
Abstract
Encryption is critical in protecting the confidentiality of users' data on mobile devices. However, research has shown that many mobile apps do not use ciphers correctly, which makes them vulnerable to attacks. The existing resources on cipher programming education do not provide enough practical scenarios to help students learn cipher programming in the context of real-world situations, with programs that have complex interacting modules with access to networking, storage, and databases. This poster introduces a course module that teaches students how to develop secure Android applications by correctly using Android's cryptography APIs. The course module targets two areas where programmers commonly make mistakes: password-based encryption and SSL certificate validation. The core of the module is a real-world sample Android program for students to secure by implementing cryptographic components correctly. The course module will use open-ended problem solving to let students freely explore the multiple options for securing the application. The course module includes a lecture slide on Android's Crypto library, its common misuses, and suggested good practices. Assessment materials will also be included in the course module. This course module will be used and evaluated in a Network Security class. We will present the results of the evaluation at the conference.
Information
Published In
February 2016
768 pages
ISBN:9781450336857
DOI:10.1145/2839509
- General Chairs:
- Carl Alphonce,
- Jodi Tims,
- Program Chairs:
- Michael Caspersen,
- Stephen Edwards
Copyright © 2016 Owner/Author.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 17 February 2016
Qualifiers
- Poster
Funding Sources
- NSF
Conference
SIGCSE '16
SIGCSE '16: The 47th ACM Technical Symposium on Computing Science Education
March 2 - 5, 2016
Tennessee, Memphis, USA
Acceptance Rates
SIGCSE '16 Paper Acceptance Rate 105 of 297 submissions, 35%;
Overall Acceptance Rate 1,595 of 4,542 submissions, 35%