
Atif Memon's Home Page

Office Location: 4113 A.V.Williams Building; Phone: +1-301-405-3071

Dept. of Computer Science, University of Maryland, College Park, MD, USA.

Current Projects
Vetting Android Applications for Security Using Graphical User Interface Logic (funded by DARPA)
COMET - Community Event-based Testing (funded by NSF)
Algorithms and Software for the Assembly of Metagenomic Data (funded by NIH)
Research in Science and Public Policy for the U.S. National Security Agency (funded by NSA)
EDU: Competing to Build Secure Systems (funded by NSF)
GUITAR - GUI Testing Framework (funded by NSF)

Vetting Android Applications for Security Using Graphical User Interface Logic

Currently, it is not possible to confirm the absence of hidden malice in Android apps. As a result, organizations that require high security standards, such as government agencies and banks, often take the pessimistic approach of assuming that most apps are unsafe unless proven otherwise. Employees of these organizations are restricted to only a handful of apps vetted by security analysts. This restriction has adverse effects on employee productivity and happiness. An employee may want to use a newly released app that offers many attractive time-saving features to boost productivity. Another employee may want to use an email app she is familiar with and happy with, rather than the officially sanctioned one. Both employees must seek approval from security analysts, but both are likely to be disappointed. An organization may not have enough security analysts to vet every single app employees want to use. Third-party app developers may not always cooperate by providing source code for security analysts to examine. “Your approval request is denied due to security concerns” is often the most convenient and safest response, at an unfortunate cost in productivity and happiness.

In this project, we are developing a suite of specialized analysis techniques for vetting Android apps to confirm the absence of malice. These techniques aim to enable security analysts to quickly vet any given Android app even if the source code is unavailable. These techniques will make it possible to vet a large number of Android apps in a timely and cost-effective manner. Organizations will no longer need to trade off productivity and happiness for security.

People

  • Khalid Alharbi (Univ. of Colorado)
  • Sam Blackshear (Univ. of Colorado)
  • Evan Chang (Univ. of Colorado)
  • Emily Kowalczyk (Univ. of Maryland)
  • Atif Memon (Univ. of Maryland)
  • Tom Yeh (Univ. of Colorado)

Funding

This material is based upon work supported in part by the US Defense Advanced Research Projects Agency (DARPA) via award FA8750-14-2-0039. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the US Defense Advanced Research Projects Agency (DARPA).