A Multi-Tier Security Analysis of Official Car Management Apps for Android

Using automotive smartphone applications (apps) provided by car manufacturers may offer numerous advantages to the vehicle owner, including improved safety, fuel efficiency, anytime monitoring of vehicle data, and timely over-the-air delivery of software updates. On the other hand, the continuous tracking of the vehicle data by such apps may also pose a risk to the car owner, if, say, sensitive pieces of information are leaked to third parties or the app is vulnerable to attacks. This work contributes the first to our knowledge full-fledged security assessment of all the official single-vehicle management apps offered by major car manufacturers who operate in Europe. The apps are scrutinised statically with the purpose of not only identifying surfeits, say, in terms of the permissions requested, but also from a vulnerability assessment viewpoint. On top of that, we run each app to identify possible weak security practices in the owner-to-app registration process. The results reveal a multitude of issues, ranging from an over-claim of sensitive permissions and the use of possibly privacy-invasive API calls, to numerous potentially exploitable CWE and CVE-identified weaknesses and vulnerabilities, the, in some cases, excessive employment of third-party trackers, and a number of other flaws related to the use of third-party software libraries, unsanitised input, and weak user password policies, to mention just a few.

Download Full-text

Automatic Security Assessment for Next Generation Wireless Mobile Networks

Mobile Information Systems ◽

10.1155/2011/404328 ◽

2011 ◽

Vol 7 (3) ◽

pp. 217-239 ◽

Cited By ~ 17

Author(s):

Francesco Palmieri ◽

Ugo Fiore ◽

Aniello Castiglione

Keyword(s):

Mobile Networks ◽

Security Analysis ◽

Mobile Node ◽

Malicious Code ◽

Third Party ◽

Security Assessment ◽

Security Risk ◽

Concept Model ◽

Reliable Knowledge ◽

Automated Support

Wireless networks are more and more popular in our life, but their increasing pervasiveness and widespread coverage raises serious security concerns. Mobile client devices potentially migrate, usually passing through very light access control policies, between numerous and heterogeneous wireless environments, bringing with them software vulnerabilities as well as possibly malicious code. To cope with these new security threats the paper proposes a new active third party authentication, authorization and security assessment strategy in which, once a device enters a new Wi-Fi environment, it is subjected to analysis by the infrastructure, and if it is found to be dangerously insecure, it is immediately taken out from the network and denied further access until its vulnerabilities have been fixed. The security assessment module, that is the fundamental component of the aforementioned strategy, takes advantage from a reliable knowledge base containing semantically-rich information about the mobile node under examination, dynamically provided by network mapping and configuration assessment facilities. It implements a fully automatic security analysis framework, based on AHP, which has been conceived to be flexible and customizable, to provide automated support for real-time execution of complex security/risk evaluation tasks which depends on the results obtained from different kind of analysis tools and methodologies. Encouraging results have been achieved utilizing a proof-of-concept model based on current technology and standard open-source networking tools.

Download Full-text

DCSS Protocol for Data Caching and Sharing Security in a 5G Network

Network ◽

10.3390/network1020006 ◽

2021 ◽

Vol 1 (2) ◽

pp. 75-94

Author(s):

Ed Kamya Kiyemba Edris ◽

Mahdi Aiash ◽

Jonathan Loo

Keyword(s):

Mobile Networks ◽

Service Providers ◽

Security Analysis ◽

Mobile Network ◽

End Users ◽

Third Party ◽

Control Mechanisms ◽

Security Measures ◽

Data Caching ◽

Pi Calculus

Fifth Generation mobile networks (5G) promise to make network services provided by various Service Providers (SP) such as Mobile Network Operators (MNOs) and third-party SPs accessible from anywhere by the end-users through their User Equipment (UE). These services will be pushed closer to the edge for quick, seamless, and secure access. After being granted access to a service, the end-user will be able to cache and share data with other users. However, security measures should be in place for SP not only to secure the provisioning and access of those services but also, should be able to restrict what the end-users can do with the accessed data in or out of coverage. This can be facilitated by federated service authorization and access control mechanisms that restrict the caching and sharing of data accessed by the UE in different security domains. In this paper, we propose a Data Caching and Sharing Security (DCSS) protocol that leverages federated authorization to provide secure caching and sharing of data from multiple SPs in multiple security domains. We formally verify the proposed DCSS protocol using ProVerif and applied pi-calculus. Furthermore, a comprehensive security analysis of the security properties of the proposed DCSS protocol is conducted.

Download Full-text

Blockchain as a CA: A Provably Secure Signcryption Scheme Leveraging Blockchains

Security and Communication Networks ◽

10.1155/2021/6637402 ◽

2021 ◽

Vol 2021 ◽

pp. 1-13

Author(s):

Tzung-Her Chen ◽

Ting-Le Zhu ◽

Fuh-Gwo Jeng ◽

Chien-Lung Wang

Keyword(s):

Security Analysis ◽

Third Party ◽

Maintenance Cost ◽

Communication Overhead ◽

Operational Cost ◽

Computational Costs ◽

The Past ◽

Certificate Chain ◽

Signcryption Scheme ◽

Provably Secure

Although encryption and signatures have been two fundamental technologies for cryptosystems, they still receive considerable attention in academia due to the focus on reducing computational costs and communication overhead. In the past decade, applying certificateless signcryption schemes to solve the higher cost of maintaining the certificate chain issued by a certificate authority (CA) has been studied. With the recent increase in the interest in blockchains, signcryption is being revisited as a new possibility. The concepts of a blockchain as a CA and a transaction as a certificate proposed in this paper aim to use a blockchain without CAs or a trusted third party (TTP). The proposed provably secure signcryption scheme implements a designated recipient beforehand such that a sender can cryptographically facilitate the interoperation on the blockchain information with the designated recipient. Thus, the proposed scheme benefits from the following advantages: (1) it removes the high maintenance cost from involving CAs or a TTP, (2) it seamlessly integrates with blockchains, and (3) it provides confidential transactions. This paper also presents the theoretical security analysis and assesses the performance via the simulation results. Upon evaluating the operational cost in real currency based on Ethereum, the experimental results demonstrate that the proposed scheme only requires a small cost as a fee.

Download Full-text

Security Analysis of Software Updates for Industrial Robots

Critical Infrastructure Protection XV - IFIP Advances in Information and Communication Technology ◽

10.1007/978-3-030-93511-5_11 ◽

2022 ◽

pp. 229-245

Author(s):

Chun-Fai Chan ◽

Kam-Pui Chow ◽

Tim Tang

Keyword(s):

Security Analysis ◽

Industrial Robots ◽

Software Updates

Download Full-text

A Risk Analysis Framework for Social Engineering Attack Based on User Profiling

Journal of Organizational and End User Computing ◽

10.4018/joeuc.2020070104 ◽

2020 ◽

Vol 32 (3) ◽

pp. 37-49

Author(s):

Ziwei Ye ◽

Yuanbo Guo ◽

Ankang Ju ◽

Fushan Wei ◽

Ruijie Zhang ◽

...

Keyword(s):

Risk Analysis ◽

Security Analysis ◽

Social Engineering ◽

Cloud Service ◽

User Profiling ◽

Assessment Instruments ◽

Security Assessment ◽

Analysis Framework ◽

Protection Mechanism ◽

The Social

Social engineering attacks are becoming serious threats to cloud service. Social engineering attackers could get Cloud service custom privacy information or attack virtual machine images directly. Existing security analysis instruments are difficult to quantify the social engineering attack risk, resulting in invalid defense guidance for social engineering attacks. In this article, a risk analysis framework for social engineering attack is proposed based on user profiling. The framework provides a pathway to quantitatively calculate the possibility of being compromised by social engineering attack and potential loss, so as to effectively complement current security assessment instruments. The frequency of related operations is used to profile and group users for respective risk calculation, and other features such as security awareness and capability of protection mechanism are also considered. Finally, examples are given to illustrate how to use the framework in actual scenario and apply it to security assessment.

Download Full-text

Evaluation of Interstate Work Zone Mobility using Probe Vehicle Data and Machine Learning Techniques

Transportation Research Record Journal of the Transportation Research Board ◽

10.1177/0361198119827936 ◽

2019 ◽

Vol 2673 (2) ◽

pp. 811-822 ◽

Cited By ~ 1

Author(s):

Mohsen Kamyab ◽

Stephen Remias ◽

Erfan Najmi ◽

Kerrick Hood ◽

Mustafa Al-Akshar ◽

...

Keyword(s):

Machine Learning ◽

Machine Learning Algorithms ◽

Work Zone ◽

Third Party ◽

Machine Learning Techniques ◽

Work Zones ◽

Vehicle Data ◽

Gps Devices ◽

Future Work ◽

The Impact

According to the Federal Highway Administration (FHWA), US work zones on freeways account for nearly 24% of nonrecurring freeway delays and 10% of overall congestion. Historically, there have been limited scalable datasets to investigate the specific causes of congestion due to work zones or to improve work zone planning processes to characterize the impact of work zone congestion. In recent years, third-party data vendors have provided scalable speed data from Global Positioning System (GPS) devices and cell phones which can be used to characterize mobility on all roadways. Each work zone has unique characteristics and varying mobility impacts which are predicted during the planning and design phases, but can realistically be quite different from what is ultimately experienced by the traveling public. This paper uses these datasets to introduce a scalable Work Zone Mobility Audit (WZMA) template. Additionally, the paper uses metrics developed for individual work zones to characterize the impact of more than 250 work zones varying in length and duration from Southeast Michigan. The authors make recommendations to work zone engineers on useful data to collect for improving the WZMA. As more systematic work zone data are collected, improved analytical assessment techniques, such as machine learning processes, can be used to identify the factors that will predict future work zone impacts. The paper concludes by demonstrating two machine learning algorithms, Random Forest and XGBoost, which show historical speed variation is a critical component when predicting the mobility impact of work zones.

Download Full-text

Matching Food Security Analysis to Context: the Experience of the Somalia Food Security Assessment Unit

Disasters ◽

10.1111/j.0361-3666.2005.00285.x ◽

2005 ◽

Vol 29 ◽

pp. S67-S91 ◽

Cited By ~ 4

Author(s):

Günter Hemrich

Keyword(s):

Food Security ◽

Security Analysis ◽

Security Assessment ◽

Assessment Unit

Download Full-text

The Analysis of Database Security Requirements for Cryptographic Algorithm

Advanced Materials Research ◽

10.4028/www.scientific.net/amr.646.235 ◽

2013 ◽

Vol 646 ◽

pp. 235-239

Author(s):

Hana Do ◽

Hoon Jeong ◽

Eui In Choi

Keyword(s):

Access Control ◽

Key Management ◽

Database Security ◽

Third Party ◽

Security Requirements ◽

Security Assessment ◽

Storage Space ◽

Cloud Environment ◽

Variable Environment ◽

Cryptographic Algorithm

The cloud environment is recently emphasized when we save a large amount of data with a minimum of maintenance. But the cloud is a variable environment that data is likely to be changed when which is transferred, and even doesn't permanently store. Besides it has the risk of phishing from a third party. A scalable storage space as one of the features of the cloud has to consist as more proactive access control, secure encryption, and key management in the aspect of the size of the database and the number of users. In this paper, we analyze about database security requirements of these environment and the provided encryption technologies of until now. And, even anyone who don't have the expertise for security assessment and management or CC could be easily accessible it.

Download Full-text

Hiding Yourself Behind Collaborative Users When Using Continuous Location-Based Services

Journal of Circuits System and Computers ◽

10.1142/s0218126617501195 ◽

2017 ◽

Vol 26 (07) ◽

pp. 1750119 ◽

Cited By ~ 4

Author(s):

Chunguang Ma ◽

Lei Zhang ◽

Songtao Yang ◽

Xiaodong Zheng

Keyword(s):

Single Point ◽

Security Analysis ◽

Location Based Services ◽

Third Party ◽

Impersonation Attack ◽

Experimental Comparison ◽

Personal Privacy ◽

Correlation Attack ◽

Communication Devices ◽

Random Block

The prosperity of location-based services (LBSs) makes more and more people pay close attention to personal privacy. In order to preserve users privacy, several schemes utilized a trusted third party (TTP) to obfuscate users, but these schemes were suspected as the TTP may become the single point of failure or service performance bottleneck. To alleviate the suspicion, schemes with collaborative users to achieve [Formula: see text]-anonymity were proposed. In these schemes, users equipped with short-range communication devices could communicate with adjacent users to establish an anonymous group. With this group, the user can obfuscate and hide herself behind at least [Formula: see text] other users. However, these schemes are usually more efficient in snapshot services than continuous ones. To cope with the inadequacy, with the help of caching in mobile devices, we propose a query information blocks random exchange and results caching scheme (short for CaQBE). In this scheme, a particular user is hidden behind collaborative users in snapshot service, and then the caches further preserve the privacy in continuous service. In case of the active adversary launching the query correlation attack and the passive adversary launching the impersonation attack, a random collaborative user selection and a random block exchange algorithm are also utilized. Then based on the feature of entropy, a metric to measure the privacy of the user against attacks from the active and passive adversaries is proposed. Finally, security analysis and experimental comparison with other similar schemes further verify the optimal of our scheme in effectiveness of preservation and efficiency of performance.

Download Full-text

An Efficient and Privacy-Preserving Multiuser Cloud-Based LBS Query Scheme

Security and Communication Networks ◽

10.1155/2018/4724815 ◽

2018 ◽

Vol 2018 ◽

pp. 1-11 ◽

Cited By ~ 5

Author(s):

Lu Ou ◽

Hui Yin ◽

Zheng Qin ◽

Sheng Xiao ◽

Guangyi Yang ◽

...

Keyword(s):

Location Privacy ◽

Security Analysis ◽

Privacy Preserving ◽

Location Based Services ◽

Third Party ◽

Location Information ◽

User Privacy ◽

User Revocation ◽

And Performance ◽

Cloud Infrastructures

Location-based services (LBSs) are increasingly popular in today’s society. People reveal their location information to LBS providers to obtain personalized services such as map directions, restaurant recommendations, and taxi reservations. Usually, LBS providers offer user privacy protection statement to assure users that their private location information would not be given away. However, many LBSs run on third-party cloud infrastructures. It is challenging to guarantee user location privacy against curious cloud operators while still permitting users to query their own location information data. In this paper, we propose an efficient privacy-preserving cloud-based LBS query scheme for the multiuser setting. We encrypt LBS data and LBS queries with a hybrid encryption mechanism, which can efficiently implement privacy-preserving search over encrypted LBS data and is very suitable for the multiuser setting with secure and effective user enrollment and user revocation. This paper contains security analysis and performance experiments to demonstrate the privacy-preserving properties and efficiency of our proposed scheme.

Download Full-text