All right, so thanks for that great introduction. So, a little bit of background about me. I spent nine wonderful years at UC Santa Barbara, here. Yes, so it literally says UC Santa Barbara is surrounded by water on two sides. Let's see, I think my lab was like here. You can actually see the ocean from the lab. And so I did my undergrad at UC Santa Barbara, and they have, like we have here, at least in CIDSE, a four-plus-one program, so an undergrad plus an extra year for a master's. So I did my master's there, and I, like maybe most of our students, was like, I am done with school, I cannot wait to go work. So I got a job at Microsoft. I went up there as a software developer for a year, but during that time I wrote a paper for my master's, and that paper got, of course, like lots of papers do, rejected. And so I was working on this paper in my free time, and I remember I was on the way home from Microsoft on a bus, reading this paper for what must have been the 30th or 40th time, and it kind of hit me that, wow, the thing that I'm doing at Microsoft, I'm doing something new and interesting to me, you know, I'm solving cool problems and developing things, but I'm not really doing something new, right? Whereas with the research, with this paper, I'm actually doing something new that nobody's ever done before. So I emailed my advisor, like, hey, what do you think about me coming back for a PhD? And it was the quickest email response I've ever gotten from him. And so we talked about it, I applied, and so I spent a year at Microsoft, came back, did four years for my PhD at Santa Barbara, and was lucky enough to get a job here at ASU. I started in 2014, so I've been here for two years. It feels like it's gone by incredibly quickly. And so, yeah, I'm really excited to be here.
So this is a little bit about my background. While I was there I competed on a hacking team called Shellphish. It's kind of sad: as soon as I left they started doing really, really well in a bunch of hacking competitions. There was recently this Cyber Grand Challenge from DARPA, where they developed autonomous systems to try to hack into each other, and they actually won third place in that competition, which was held in Las Vegas, I think last month. And so now I'm, you know, in case you know, I'm sure you've seen it, the Tempe campus looks a lot different than the West campus, as I'm finding out. And so I moved here, and I'm super excited to be at ASU. I started my own, or rather resurrected an old, hacking group called the pwndevils, and we actually meet Thursdays from four to six, so I'm missing today's meeting. We meet and we're trying to get them up to the level where we can compete in these pretty intense hacking competitions. So that's a little bit about my background, and I think there are not a ton of people here, so we can keep this pretty informal. If you have any questions or anything as I'm going along and talking, and I know we're a very diverse bunch, right, so any questions, or if I use weird terminology or jargon, please stop me. Just say something, raise your hand, I don't really care, I'm very, very open. Cool. So our laboratory, SEFCOM: I co-direct that with Dr. Gail-Joon Ahn, and he very graciously offered to kind of join forces when I got here and create an awesome, strong lab. This is from one of our meetings. We just have tons of students.
It's a little overwhelming, but PhD students, master's students, some undergrad students, and so that's kind of where our research focus is. And I also want to talk a little bit about, so I think as of last January, we started the Center for Cybersecurity and Digital Forensics. That's something that Gail is kind of leading, and so SEFCOM is kind of under that umbrella. But this is part of the Global Security Initiative, and the idea is there are three areas we work on: education, research, and entrepreneurship. And so we're working with partners. We have, I think, PayPal working with us; Samsung and Allstate are kind of the latest confirmed partners that we have working with us in the center. So we have tons of people across all kinds of institutions. I guess I'm the one on the far left. What's cool is the center is also very interdisciplinary. We have people from the business school who look at the cybercrime aspect from the sociological standpoint, interviewing and trying to understand how crime happens. Tons of people, lots of research activities and proposals. These are from the members here. Some of the cool things that I'm really excited about: I'm leading this on-demand cyber competitions project. What I've done in my grad class is, at the end of the semester, I have a capture-the-flag, an in-class hacking competition, and it's a lot of fun, the students love it. But it's a ton of work for me to set everything up and make sure that the infrastructure is all ready to go so that they can hack into each other, have fun, but also not do any damage. And so what we're doing is we're going to create basically a website where you can go and say, I want to do a security competition, I need three teams.
These are the services, these are the vulnerabilities I want to have, and then we'll generate everything in the cloud for you, this whole game, so I just hit go and everyone can play. So I'm really excited about that. Hopefully, well, I don't make any public statements on when that'll be done. So yeah, we have lots of research here. And so this is kind of just background of where I am and where cybersecurity is in CIDSE. And so now I want to talk about the computer that's in our pocket, right? It's kind of weird to think about. I mean, I'm not that old, but I'm also not that young compared to our students, so I remember not having a network-connected device with me at every moment of every day. Right, and even if you think about how useful these devices are: it was giving me directions on my drive up here, I was listening to a podcast on the way here, when I got here I was able to look up Jennifer's email and then find her phone number and give her a call so I knew where to go. She told me to go to the library, and it was by the Starbucks, so I looked up where the Starbucks was on Google Maps so I could know where to go. Yeah, but just this tiny little device, actually I guess I'm lying because it's not actually in my pocket, I put it away, but you know, it's a computer, right? Fundamentally these mobile devices, mobile phones, are computers. Right, and so we have many different... I guess maybe just a rough show of hands. Who has an Android phone? Can I see, the majority, like three people. iPhones? That's me. Maybe I have a Windows phone? Sad. My brother had one for a while. I used to work at Microsoft, so I always feel like I was rooting for them, right? They have enough, they want to be everywhere, they're already, you know. So the idea, so what makes these mobile devices interesting from a security perspective, right? So I'm fundamentally, at heart, I'm really a hacker.
I love breaking into things and exploiting vulnerabilities, and part of that is understanding. So in order to create defenses you need to have the offensive capabilities, right? You need to be able to know how bad guys think and how they're going to react. And so, especially coming from, if you think about maybe the early 2000s, right, on a classic Windows machine, every program that you execute is executing as you, right, as your user. So when you downloaded the Melissa virus or some email attachment and you double-clicked on that and it executed on your computer, now it could do anything you could do and access all of your data. Right, it's a pretty serious problem. So when we move to mobile applications, one of the, actually the key thing I like to point to in security research is that we actually learned from that. And what we've done in all these different operating systems and devices is say, okay, it shouldn't be the case that this maps application should be able to access my music in iTunes. Right, those are completely separate things. They should never be able to do that. Or even worse, what about my contact list? Do I want the weather app to be able to read my contact list? Should it be able to read my photos? And so this is what the big switch to mobile devices is: these applications, you can go to the Google store, you can go to the iTunes store, download one of these applications on your phone, and it's running in its own little tiny sandbox, and really it's difficult to break out of that and mess with other applications. So I see this as a big win in the direction of security of mobile applications. And they're everywhere, right? They're exploding.
This is a report from a year ago that said that there are 1.4 billion active Android devices, right, not just Android devices sold, but around the world 1.4 billion Android devices being used. To me that's crazy, right, all of these running this software, running these apps on all of these devices. And how many apps are there? So I just pulled this up: there were 1.2 million free apps in the Android marketplace, and there are only about 200,000 apps that are currently paid applications. And so there are a lot of apps out there that are running on a lot of people's phones. So some of the questions we ask as security researchers are: (a) are any of these apps maybe bad, right, are they doing malicious things? Are they stealing your contact information? Are they trying to get more access to all your sensitive information on your phone? And we also ask, are any of these applications vulnerable, right? So a vulnerability is a weakness in the code of the application that allows a malicious user or other app to influence and change the behavior of that application. So the way to think about it is, a vulnerability would be, in your house, if you left, let's say an easy one, the front door open. Right, you don't want anybody to get into your house, but they just come, twist the doorknob, and get into your house. And so other things would be an open window, even if it's on the second story, where there's a tree nearby so I could scale the tree to get into your house on the second story, right? That could be another vulnerability. And so a lot of what my research has been, I started during my PhD on web applications: can we automatically find vulnerabilities in web applications? And so I've kind of extended that to mobile applications, and say, can we find applications that are vulnerable and have vulnerabilities? And this way we can actually contact the developers, or try to show that, hey, there's a big problem out there, so how can we try to fix that?
And so that's really the core of what I'm going to talk about today: two projects that look into trying to analyze all these free apps to try to understand, you know, are developers writing good, secure apps? They're humans, like I tell my security class, so there's bound to be problems, but we want to know what those problems are so that we can identify how to fix and prevent them from happening in the future. Any questions? Cool. Okay, so this may seem like a pretty fine distinction, but when you have an app on your phone, right, Android or iPhone, usually you go to an app store, you install it on your device, and that contains some, what they call, code. So it's usually a native application, so that's running code on your device; it's running, usually, in the case of Android, let's say Java code on your device. Unfortunately what this means, we saw there are three different app manufacturers, so if you want to make an app that works on the iPhone and Android and Microsoft, you now need to code your app in Java for Android, C# for the iPhone, and, no, no, Objective-C for the iPhone, there you go, and C# for Microsoft Windows, right? And so the maintenance overhead there, now you have three different copies of your app, so any time you make one fix you have to propagate that fix to the other apps. You're duplicating a lot of functionality and a lot of resources.
It's really very wasteful, and so what people have done is they realized, wow, actually web browsers are very good at rendering and showing content. So we've noticed a trend in that people are writing what we call mobile web apps as opposed to a mobile app. So the idea is, when you open up, click on that app, instead of it running native Java code, it basically embeds a web browser like Chrome or Firefox into that app, but it looks to you like you're using an app. And so it's using web technologies to make this application: it's using JavaScript and HTML and CSS to load this web page to show you this awesome Cat Club thing. And so from the developer's perspective this is awesome, because I can write one app and I can sell it on all three marketplaces, and that core logic remains the same, but I can deploy it to all these three different marketplaces. But isn't that more vulnerable than if it's using the web as a platform, so to speak? Yeah, so that's actually exactly the key thing. So when they released this feature, they kind of released it and were like, okay, here it is, it's just out there, you can use this, and people started using it. But I think the Android team developed this without thinking through the security implications there. And so that's really what we're going to do here: look into, okay, why, what specifically makes this vulnerable, and there's something that makes this really bad, and then we study the prevalence across a large number of apps to say, okay, but you know, how often does this actually happen? Right, because for security, we don't just care about problems, we care about prevalent, impactful problems, right?
We want to find and fix bugs that affect 50% of those 1.4 billion Android users, not 0.1%, well, I guess even 0.1% would maybe be a lot of users, but you know, a small number of users. That's not quite as important and impactful. So the idea, so browser-based web applications, basically, or what we call mobile web applications: now normally these are fine, right? You have a browser on your phone, so what's the problem of having an app basically masquerade as a browser? Right, when you browse to Cat Club in your browser, in Chrome on your Android device, you're not really worried that Cat Club is going to steal your pictures. And the same thing on your computer, right, when you're in your browser, in Safari or whatever, and you visit a website, most times you don't have to worry that it's going to break out of the browser and start stealing and wreaking havoc. So the same thing really does apply here. So if you're just using it like a normal website, it's really fine. It's pretty much the same security concerns that you have when using the browser on your phone. The problem then becomes, well, now I can't write an application that does the same things as a native Java application. Right, my native Java application can do cool things, right? It can make the call dialog box pop up to make a call automatically. It can, depending on your permissions, read your pictures or access, you know, things that you tell it you want it to do. But in the browser, the browser can't do that.
It has no way of doing this. And so to get around that, so these people want to write mobile web apps, but they're fundamentally not as expressive, not as powerful as these native apps. So rather than making them kind of a second-class citizen, the Android team said, aha, we will create this, what they call, JavaScript bridge. We'll build a bridge between the browser and the native part of the application. And so essentially what happens is the Java code says, so this is setting up the bridge, the specifics aren't really important, but the addJavascriptInterface means that now JavaScript can access this Java object by using this variable, app. So it creates a bridge between the native functionality and the application code that should be sandboxed and confined in a browser; now it can access all the native parts of the application. So once again, we think, well, this shouldn't be a problem, because you're a developer, you created this Cat Club app, you're not going to do anything bad with this, you're explicitly turning on this bridge for yourself. Right, you want to cross this bridge and access the data, and that's fine, the user wants you to do that. So it seems like it's fine. But so anyway, so we can set that up, then this JavaScript code can cross the bridge to access Java objects, and as we said, this gives us fully featured mobile web apps. And we can expose phone functionality to the JavaScript, which actually makes it very powerful and elevates these mobile web apps to the same functionality level as any other application. And on top of that there are all these frameworks that people can use, so that way you can write your app to the framework, so you get a fully featured web app on every single platform. So you only have to write, let's say, a Cordova app, as I think is what the framework is called, and then it works on every single cross-platform device. So they take care of handling those low-level details of JavaScript
bridge differences between iPhone and Android and all those. Unfortunately, so from a security perspective, we want to know and answer some questions like: who can access this bridge? Right, you can think of this bridge as a link between this website code and your phone. Right, we'd hope that that bridge is mediated and only good people can access those things. I probably, you know, would not be talking about it if it was the case that everything is fine, right? So it turns out anyone can access this, and we'll see exactly what I mean by anyone. So typically in a web browser you go to some random website. All right, so here let's say this is the Huffington Post, and if you look really carefully, you'll see that there are actually things on this page that are not from the Huffington Post. All right, like this ad for Hulu Plus. All right, the Huffington Post wants this ad to be there because they get paid for it, but they don't actually control the content that's inside this ad. The same thing with this hotel, I think it's a Marriott hotel ad, the Hulu ad, and also even those little buttons up there, the Facebook Like button, which told you how many people like that page, 4.3 million?
The Twitter Follow button and the Google Plus Follow button that had 3.1 million, all of those are little bits of code that actually come from Facebook, Twitter, Hulu, and Marriott. So when you go visit this, the browser, I'm not going to get into the details, but the browser knows to separate these things. You wouldn't want to load an ad that suddenly changes the entire content of the page and completely messes with the Huffington Post. Same as with these little Like buttons: you wouldn't want a Like button to know what other things you're clicking on and be able to steal information about what you're doing on this site. So the browser is very good about keeping these things separated in a normal web browser that you use. So really it gives complete isolation, so everything is very isolated. Marriott Hotels can't mess with Hulu, and neither of them can mess with the Huffington Post. This is why we can do very cool things like have ads on a website that the website doesn't control; without all this, everything falls apart. So, back to our mobile devices. When we open up, let's say, this Huffington Post in our mobile web app, and now we've added this bridge, to make a bridge between this JavaScript code and this Java code, now the Huffington Post can cross this bridge after the bridge is established, but so can Hulu and Marriott. They can access this bridge because of the permission model that this bridge uses. And to make matters even worse, so let's think about this: when you have two tabs open in your browser, does anybody use multiple tabs? I use about 50. It's actually kind of embarrassing.
I usually close them out before I teach so my students don't see how many tabs I have. Right, so as part of that isolation in the browser, tabs can't mess with each other. Right, you can open up whatever malicious, bad site you want to, and if you're on facebook.com, they can't mess with each other or talk to each other. The same thing when you click on a link: you're on google.com, you click on a link that takes you somewhere else, that new page can't mess with anything from Google, and Google can't mess with that page at all. They're also completely separated from clicking on links. Unfortunately, here, if you were to click on one of these links on the Huffington Post while this bridge is created, and let's say you went to YouTube, the bridge is still available for this brand new YouTube page to access. Yeah, it's really a terrible model, and it causes a lot of problems. And so now you're developing a mobile web app, you want to make it secure, so what do you have to do? You have to ensure that in your app you don't load any content from anybody else. Right, if you load any Hulu ads or any kind of ads that you don't control, you don't know, they could access this bridge and be accessing your users' data, which you don't want. Furthermore, you need to make sure that on your mobile app, any link that the user clicks that goes to a site
you don't control, you disallow that, otherwise that site could then access this bridge. And so we studied this problem and we came up with some principles of what we think developers need to think about when they're writing mobile web apps and they want to write them securely. And these are kind of what we've been talking about here: do not render untrusted content, so content from Hulu or Marriott; prevent navigation or framing of content; use HTTPS. So the S in HTTPS stands for secure. This means there is a secure, encrypted link between you and the server that you're talking to. Otherwise, if you don't have that, anybody who's listening on that connection can change and inject content into your page. This is especially something to think about when you're at Starbucks on a public Wi-Fi. Anybody else on that public Wi-Fi can (a) see what you're browsing and looking at if you're using HTTP, and (b) if they're really bad, they can inject malicious things into that response. So if you're developing a mobile web app and you're using this JavaScript bridge, it's even more imperative that you use HTTPS, because otherwise anybody else can inject some JavaScript code that goes along that bridge and does bad things. And others that I won't get into. And so after we decided on, okay, this is the problem and here's how we should do things correctly, we wanted to ask the question: well, are developers actually doing this correctly? And so to do this, we want to understand how many mobile web apps are vulnerable. How many of them actually use the bridge? Right, if nobody uses this feature then it doesn't matter, we don't talk about it, right? It's just a problem that some people have, but it's not a widespread issue. And how many of them do this in a way that we consider vulnerable?
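As an added example (not code from the talk or from the paper it describes), here is one way to keep the addJavascriptInterface bridge from L10 while enforcing the three principles just listed: no untrusted content, no navigation away from the app's own site, and HTTPS only. The host name app.example.com and the AppBridge method are assumptions.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Locale;

/**
 * Added example: a WebView that opens a JavaScript bridge ("app") but applies the
 * three principles from the talk. The host name and the bridge method are assumptions.
 */
public final class TrustedBridgeWebView {

    /** Hypothetical origin that serves the app's own web content. */
    static final String TRUSTED_HOST = "app.example.com";

    /**
     * Principle 3 (use HTTPS) plus the origin check behind principles 1 and 2:
     * only https:// URLs whose host is exactly TRUSTED_HOST are allowed in the WebView.
     */
    static boolean isTrustedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        return "https".equalsIgnoreCase(scheme)
                && host != null
                && host.toLowerCase(Locale.ROOT).equals(TRUSTED_HOST);
    }

    /** The Java object JavaScript reaches as `app`; only @JavascriptInterface methods are exposed. */
    static final class AppBridge {
        @JavascriptInterface
        public String getDeviceLabel() {
            return "example-device"; // constructed value; a real bridge exposes phone functionality here
        }
    }

    /** WebViewClient that refuses untrusted content and untrusted navigation. */
    static final class LockedDownClient extends WebViewClient {

        /** Principle 2 (prevent navigation): a link click or redirect off the trusted origin is dropped. */
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            // Returning true tells the WebView "handled", so the page is simply not loaded.
            return !isTrustedUrl(url);
        }

        /**
         * Principle 1 (do not render untrusted content): every sub-resource request (ad script,
         * iframe, image) from another origin gets an empty response, so third-party JavaScript
         * never runs inside the page that holds the bridge.
         */
        @Override
        public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
            if (isTrustedUrl(url)) {
                return null; // null lets the WebView fetch the resource normally
            }
            return new WebResourceResponse("text/plain", "utf-8", new ByteArrayInputStream(new byte[0]));
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    static void configure(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new LockedDownClient());
        webView.addJavascriptInterface(new AppBridge(), "app"); // the bridge from the talk
        webView.loadUrl("https://" + TRUSTED_HOST + "/index.html");
    }
}
```

On API 24 and newer the WebResourceRequest overloads of these two callbacks are invoked first, but their default implementations delegate to the String versions shown here, so the same checks apply.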
And so at that point we used 1.1 million free apps. So we built a crawler that's crawling apps from the Google Play Store, downloaded a bunch of free apps, and we analyzed every single app and developed a bunch of different analyses to try to answer these questions, to try to understand: what URLs are they opening, like what URL is shown in this mobile browser? Is it a local file? Is it from a remote server? Are they using HTTPS or HTTP? And then we tried to understand all these different things. So some of the cool results: a lot of applications, a significant amount, use a browser to show content. That was something that really surprised us. And you can think of this as an over-approximation, right, because a single app could, let's say for its EULA, the end user license agreement, use an embedded mobile browser. It doesn't necessarily have to be that the entire app uses this. But we found that 359,000 use the JavaScript bridge, so a significant amount were using this, really, in my mind, fundamentally flawed feature. It's really different, so, you know, you can always code something or write something in a secure or insecure way, but if you're using a technology where the default is to write it insecurely, or where it's hard to make it secure, you're going to have a lot of problems. Developers are just like you and us, they're humans. They do the easiest possible thing that works. And we found that 279,000 had at least one security violation from the ones that we talked about. So we found that a lot of these apps are actually doing this incorrectly. And so some of the highlights, so this is something I really like, so zooming in on one facet: the S in HTTPS uses SSL, which is the secure socket library.
This is a really acronym-heavy day for me. And the idea here is this is the low-level protocol that makes the connection to the server. Now a key problem is, how do you know when you go to https://google.com that the server you're talking to is actually google.com, and not Adam pretending to be google.com, or a big scary government agency pretending to be google.com? Right, and so SSL has a way of verifying this. And so part of what you can do as an app developer is you can write a little function, a little method, that says what to do if you receive an error. Right, and if you want to be secure, what should you do if you receive an error? Yeah, you should kill the connection. Stop. Don't go any further. Right? This is bad, we should not do that. And so what we did is we looked at this and we said, okay, you can either proceed, just keep going with what you're doing, you can cancel, or you can load a different URL. And we found that a significant amount of apps, so 269,000, implemented a function of what to do if there was an SSL error, and 29% of those ignore every single error, completely negating the benefits of using HTTPS. And so we dug a little bit more and we tried to understand why. The big culprit was Stack Overflow. So Stack Overflow is a developer website where developers can ask questions and other people answer. So people ask questions like, I'm writing an Android app and I'm getting this SSL error, and so somebody says, oh, here's how to fix this: you write this onReceivedSslError method and ignore all errors. And that was the exact same code we saw in multiple apps. So we think that developers just run into these problems, right?
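As an added example (not code from the talk or from the apps it studied), here is the onReceivedSslError pattern just described, placed beside the version that does what the talk recommends: the first client ignores every certificate error, the second cancels the connection, records why validation failed, and then loads an app-controlled page instead, which is the third option mentioned above.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * Added example: the two ways an Android app can implement onReceivedSslError.
 * IgnoreAllErrorsClient is the pattern the talk attributes to Stack Overflow answers;
 * CancelOnErrorClient is the behaviour the talk recommends.
 */
public final class SslErrorHandling {
    private static final String TAG = "SslErrorHandling";

    /** The copied-from-Stack-Overflow version: every certificate error is ignored on every path. */
    static final class IgnoreAllErrorsClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            // Proceeding here means the page (and any JavaScript bridge it carries) loads over a
            // connection whose certificate could not be validated, so HTTPS buys nothing.
            handler.proceed();
        }
    }

    /** The secure version: kill the connection, stop, don't go any further. */
    static final class CancelOnErrorClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel(); // same as WebViewClient's default behaviour, made explicit
            // Record why validation failed so the real cause can be fixed on the server
            // (or, for a private CA, trusted deliberately) instead of hidden in the app.
            Log.w(TAG, "Refused " + error.getUrl() + ": " + describe(error.getPrimaryError()));
            // Third option from the talk: load a different, app-controlled page instead.
            view.loadUrl("about:blank");
        }
    }

    /** Maps SslError's primary error code to a human-readable cause. */
    static String describe(int primaryError) {
        switch (primaryError) {
            case SslError.SSL_NOTYETVALID: return "certificate is not yet valid";
            case SslError.SSL_EXPIRED: return "certificate has expired";
            case SslError.SSL_IDMISMATCH: return "hostname does not match the certificate";
            case SslError.SSL_UNTRUSTED: return "certificate authority is not trusted";
            case SslError.SSL_DATE_INVALID: return "certificate date is invalid";
            case SslError.SSL_INVALID: return "generic certificate error";
            default: return "unknown SSL error " + primaryError;
        }
    }
}
```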
They don't really understand why the app is not working, and that by doing this they're deliberately making their apps less secure, but they just know that it works. Exactly, instead of understanding why this error is occurring, and it could happen because you're using, you know, an SSL certificate that's private to you, but still, you know, the easy way to fix it is to just never think about that problem anymore, right? And it's natural. It's like, you know, I'm not disparaging developers. I was this developer before I was in security, so I understand their mindset and where they're coming from. Cool. Oh, yeah, so we saw all the posts. So yeah, that's why I did more on this. So we had 128 posts that included this, and 117 ignored all errors on all code paths, so there's a lot of misinformation, let's say, to be generous, out there. Yeah, so it was just like, hey, here's what you do, fix everything, awesome. Cool. Oh, and as a little case study of this, so we wrote this up in a paper that we published last year. We also tested a lot of different Android devices, and what we found, does anybody have an Amazon Fire tablet? Yeah, so we found out, so the default browser in here is this one, the Silk browser.
Yeah, which is like a special, it's a fork of, so Amazon's Fire OS is a fork of the Android operating system, so it still uses that base internals there. So they developed their own browser, and what we found out was that this Silk browser created a JavaScript bridge in every single page that it loaded on the internet. So literally any page that you could go to. And it was actually even worse than this, because for this version, I didn't get into this, but there was a vulnerability where if you even had a JavaScript bridge you could execute arbitrary code on the device. So we wrote really cool websites that you could go to and you could just break your phone. Like you click one thing on a website and your phone's dead, you have to hard-restart it, or we could download something and steal all the cookies in your browser and do all kinds of cool stuff. So we talked to Amazon and they fixed it. They're actually really good about this. They released a patch, I think it's been like one or two weeks, and they're able to force-upgrade all of these things, so they had like a 99% patch rate in a matter of days. So really good, and they sent me a free Amazon Fire tablet, so now I have one too. Cool. Okay, so that's the work we've done on mobile web apps, and this is really what got me started in working on Android, because I have the web background. So I really like this area because it's a combination of web stuff and mobile stuff, so this helped me get my feet wet. So for the follow-up project we then tried to say, okay, we have a lot of apps, what are other security questions we can ask and answer? And so we found out, and this is always, so if you ever want to, this might sound like what students do, if you ever want to find vulnerabilities or problems, read the specifications very carefully and think about: if I was super lazy, which a lot of people are, how would I do this wrong? Right, and what would be an easy way to do this wrong?
And so, with some digging, what we found out was, on Android, every Android app specifies a minimum, what they call, SDK number. We can think of this as just an operating system version number. So this is a number that just specifies, hey, I have to be installed on at least Android 7. I actually don't, maybe bad that I admit this in public, but I actually don't use an Android phone, I use the iPhone, so I don't remember all the Marshmallows and Jelly Bellies and different versions here. But basically what you're saying is, my app only works on 4.4 and above. So that's what the minimum sets, the minimum. The target SDK number says, I've tested it on this version, this is the version that I'm targeting. So you could have a low minimum, right, you could work on, let's say, any Android device 2.0 or greater, but you've tested on 4.4. And so we'll see how this target SDK number is actually used. But this is one of the choices you make as an app developer, and it makes sense, right? You don't want your app to be installed on devices that can't run it because you're using newer features, and this target SDK allows you to say, hey, I've tested it against this latest, whatever version you've actually tested it against. And so the developer reference is filled with language like: if the device is running Android 6.0 or higher and your app's target SDK is 6.0 or higher, the app must request each dangerous permission that it needs while the app is running. And so this is a recent change in Android 6.0. So why is this important? Android made a big deal about it: in the new version of Android, apps have to request each dangerous permission that they need while the app is running. This is a cool security feature. It's very good.
The key problem here is in this: right, if it applied to any device running Android 6.0, then you as a user, you want to be more secure, you want to take advantage of this awesome new feature, you just upgrade your OS to Android 6.0 and now you're good. Yes, but the problem is the random app that you install has to also have a target SDK of 6.0 or higher. And it makes sense when you think about it from the Android people's perspective, because they don't want to break apps. Right, if you upgrade your operating system, you don't want all of your apps to break when you try to run them. But the problem is they make some functionality changes in this target SDK along with security changes. So you as a user don't actually have control over getting the latest and greatest security benefits. You're at the mercy of app developers saying, yes, I target the later version. And this problem, well, and so there are other types of areas. So, yeah, basically the key problem is these compatibility behaviors. So on Android 6.0, if you're running an app that targets Android 1, it will disable all the security features that have been implemented from 1 to 6 for your application. And so we used a similar data set where we had a little bit more data, so we had 1.2 million Android apps. So once we found this out, we're like, this is crazy. But if developers are using it correctly, then it's not really a problem, right? And so we need to understand, is this actually a problem? So we had a lot of metadata about each of the applications. We collected them, collected for a long time. A little update on this, I guess we are, I think we're currently at like 1.4 million Android apps, and then we decided a lot of them are old, because some of them were from May 2012. So I should say these are distinct apps.
So different apps by different developers. Yeah, so not multiple copies of the same app. And so what we're doing now is we're going through and doing a brand new crawl of all of the Android apps and getting the latest version of every single app, so we have a fresh data set to work with. Then, over time, we want to do cool things like how things change over time and all that. But we're still dealing with the massive amounts of storage this needs. That's fun things for a PhD student. So the question is, how do we actually measure this? Right, so we know this is a problem. We know the fact that you can target a super old version of Android. But one of the key questions is how do we actually quantify that, to try to measure it? And so we use a measure we're going to call outdatedness. So the idea is, if we have an app that we've collected and it targets Android 5.0, but by the time we collected it Android 6.0 was already released, really the developer should have updated it within this time to target this new operating system. I mean, in an ideal world, that's what we would want. And so we use the number of days in between the Android 5.0 and the Android 6.0 release as saying, like, hey, this is how out of date your app is, or was, when we downloaded it. Yes. So this is, for each app, a snapshot of when we got this app: how out of date is it?
And so this is a CDF of all of the apps that we had and their outdatedness. And you can actually see that there are a lot of apps... about 50%, I think 50% is probably about here, it's about 500 days out of date and targeting old, old Android versions. And so then we tried to say, well, is it maybe just a problem with less popular apps? Right, because if popular apps are not having this problem, then we don't worry about it as much. So this graph breaks down the download count. And so this blue line on the far left... so the way to read this CDF is, the more left the line is, the better it is. Right, so that means that for a given percentage number, 50% there, they've had less outdatedness as opposed to other apps. But there's not a huge difference. So the blue is greater than 10 million, but it's not significantly far over, right? These apps are still frequently out of date. And then we just tried to see if there is a difference in time, because we're using the collection of the apps to determine this. And so we compared a January 2014 data set with our December 2015 data set, and they're roughly equivalent, right? There aren't any huge surprising differences here. So it seems like this is a problem that is throughout the lifetime of the app store and affects all apps regardless of popularity. But it's kind of unfair, right? Because we collected this app here, but what if it was updated maybe right after Android 5.0, in between 5.1? Right, so the developer would be penalized because they never released an update of their app in two years. Right, they're busy people. Maybe they don't have time to release these apps. So what we did is we use what we call...
This is a little bit of shaming: negligent outdatedness. It's saying, like, hey, you pushed a new version of your app to the app store, yet you still target Android 5.0 even though Android 5.1 was already released. So if you were really on top of your game, we're not going to fault you for the fact that we collected it here, for all this time. But really, if you updated it, you should really target the latest version of Android at the time. So it turns out it's not the same. It's a little bit better, but still there are a lot of apps that are not either. And it's hard to tell, right? We can't really get into the mindset of these developers. I don't know if they're just... I think, you know, probably the simplest explanation is they just don't know the importance of doing this. Right, they don't know, by not updating their target SDK version, because to them the app still works. Right, why would I change something on the app that could make it break? Right, even though I get these awesome security benefits and my users get these security benefits. You as a user don't know, because you don't know which thing it's targeting, so which security features it gets or doesn't get. And so our kind of core argument, when we started looking at this, is: hey, mixing security features and security updates to the Android platform with this target SDK version is crazy. Because you're making the developers make this choice of, man, do I just keep this working app, or do I target this latest version? But now maybe there were other changes that change the functionality of my app, and my app breaks. So, you know what, I'm just going to stick with this latest one, and nobody's going to get any of those security benefits. And by coupling security and non-security changes...
That's a huge issue and a huge problem. Because now, and I think it's a bad model, because really, you know, ideally, if you want to do this correctly, you have kind of two different routes, right? You have maybe security updates and another one of feature updates or something, and you could choose one or the other. And so, yeah, I don't like this model. And so we just published this paper earlier this year. Cool, that's right about on time. So this is an overview of some of the work we've done on mobile security. So I'll be happy to take questions and talk with everyone. Yeah?

No... very distinct peaks. Is that, I mean, yeah... points. I never see peaks like that. So my guess is that has something to do with the day a particular system upgrade was done, and because you have three systems and really you only have...

So, yeah, those peaks are basically... I agree exactly, because we are doing time deltas in between the target version of the app and the latest, depending on the time of the Android release. So each of those is like fixed offsets in some sense, right? So it depends on the delta between each of the release dates of Android. So, yeah, they're going to fall into those buckets, and some of them are going to be worse than others, basically.

So can that be used as a hint on how to get people to adopt things faster?
I mean, it definitely shows something has a huge influence on behavior, right? I don't know. I would love to think about that, and, you know, I would love the Google people to change how they do these things. And I think it's... I think the other matter is education, by not educating. So the other problem that we found, that I didn't get into here, is that when you're writing your app you can actually leave off minimum SDK and target SDK, and then both of them default to 1, the very first Android release. Which gets crazy, because you're missing out on all this stuff. And we found that a good portion... not all of them, it's not all due to that fact that they're all so outdated, but there are a lot of them that target the very first Android version.

Could it not be an education issue, but more so a business decision? Which would, I mean, which would stink. If people really knew that... but since not everybody is privy to this kind of information, and they just... nobody complains about it.

Yeah, I think it's a combination. I think it's exactly like... I think there are developers, because the other thing about the Android marketplace, right, you have professional, you know, Google, Microsoft, Facebook writing these apps, and then you have average developers like students doing it in their spare time, just having fun. And so I think there's definitely an unawareness part. And I guess maybe I'm biased, because I want that to be the answer, because I can do something about educating them, or at least try to. Whereas it's hard for me to change their mind about business if they know and they're making the rational decision that, no, I want to keep this target and not do any of that. Then my response would be Google should take that decision out of their hands.

Well, but see, what you've presented up there, that statement of, hey, here are these great new security features... me reading that would be like, oh, that's great. I have no idea what an SDK is, but I'm cool, great. I'm sorry.
I guess I'm more of a suspicious person. I tend to think that they do know what they're doing.

I think so. From Google's perspective, yes, I think Google has definitely made the conscious decision. So it's about... they don't want to break backwards or forwards compatibility, right? They don't want an app that works on Android 5 to fail on Android 6, and that's, I think, their main goal. I mean, Microsoft was famous for this. I don't know if you've heard these stories, but I think when they were doing... was it Windows 95, the one after XP, or one of those ones? They ran through and ran every single app they could find, and so they put specific shims and little changes in that said, if you're running SimCity, because SimCity has this bug on this other operating system, we need to actually emulate that bug on the new version of Windows so that SimCity continues to work. I think it was Vista, or was it Vista? Yeah. That's like Microsoft's thing: we want any app that has ever been written for Windows to continue working.

Was...

It's actually what I tell, especially, my grad students: this is one of the best things about working at a university, because I have the cover of research behind me and I have the weight of the university behind me if something would happen. But it is something... so there are a couple of things there. One thing I'm always thinking about when we do these: so for this, right, I'm downloading the app and I'm running it in my own environment. Right, so I know here,
I'm not affecting anybody else. Some of the web stuff we do is we do go out there and crawl and look for vulnerabilities on the web, because we need to measure those kinds of things, but we try to do that in a way that's not going to cause harm to people. And so I've gotten all kinds of feedback. No legal threats, but I did... I wrote a tool to find bugs in Rails apps, and I emailed all the developers I found problems with, and there was one person that absolutely refused to believe it and wrote me a really long, mean email about why I was wasting his time and, like, spamming him, and it's clearly not a vulnerability. And then I looked, because sometimes the tools make mistakes. I looked and I'm like, no, actually, like, you know, I proved to myself, yes, it is vulnerable. And so I, you know, explained to him exactly how it was vulnerable and stuff, and then another huge long reply about how I was wrong and I should never bother him, even though his email is publicly available; it's actually a GitHub account. So, you know, there are all kinds of people, so you just help the ones that you can help. But you do have to do it in a responsible manner, the way you're, you know, telling people and reporting to them. So I personally don't have any problems, but I've definitely heard horror stories.
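The two measures the talk describes, outdatedness (measured from the day a snapshot was collected) and negligent outdatedness (measured from the day the developer last pushed that version), written out as an added example; this is not the speaker's or the lab's own code. The release calendar, API levels and app snapshots below are constructed placeholders, not the real Android schedule, and the omitted-targetSdk-defaults-to-1 rule from the Q&A is assumed as stated there.

```python
from datetime import date
from typing import Optional

# Constructed release calendar: API level -> release date. These are
# illustrative placeholders, not the real Android schedule.
RELEASES = {
    1: date(2008, 9, 23),    # first release; the default when targetSdk is omitted
    19: date(2013, 10, 31),  # "4.4"
    21: date(2014, 11, 12),  # "5.0"
    22: date(2015, 3, 9),    # "5.1"
    23: date(2015, 10, 5),   # "6.0"
}


def latest_api_at(day: date) -> int:
    """Highest API level whose release was on or before `day`."""
    released = [api for api, rel in RELEASES.items() if rel <= day]
    if not released:
        raise ValueError(f"no release on or before {day}")
    return max(released)


def outdatedness(target_sdk: int, as_of: date) -> int:
    """Days between the release of the app's target API level and the release
    of the newest API level that existed on `as_of`; 0 if the target is current."""
    if target_sdk not in RELEASES:
        raise ValueError(f"unknown API level {target_sdk}")
    newest = latest_api_at(as_of)
    if target_sdk >= newest:
        return 0
    return (RELEASES[newest] - RELEASES[target_sdk]).days


def score_app(target_sdk: Optional[int], collected: str, last_updated: str) -> dict:
    """Both measures for one app snapshot (dates as ISO strings).
    outdatedness: how far behind the newest release the app was on the day we collected it.
    negligent_outdatedness: how far behind it already was on the day the developer
    pushed this version, so time that passed after that push is not held against them."""
    target = 1 if target_sdk is None else target_sdk  # omitted targetSdk defaults to 1
    return {
        "target_sdk": target,
        "outdatedness": outdatedness(target, date.fromisoformat(collected)),
        "negligent_outdatedness": outdatedness(target, date.fromisoformat(last_updated)),
    }


if __name__ == "__main__":
    # Constructed snapshots: (targetSdk, collection date, last update date)
    for tgt, got, upd in [(21, "2015-12-01", "2015-04-01"), (None, "2015-12-01", "2015-12-01")]:
        print(score_app(tgt, got, upd))
```

The first snapshot targets the constructed "5.0" level and was last pushed while "5.1" was current, so its negligent outdatedness is the 5.0-to-5.1 gap while its plain outdatedness is the larger 5.0-to-6.0 gap; the second omits targetSdk and is scored against the very first release.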