
Assignments


The practical exercises are meant to deepen your understanding of the topics covered in the lecture. However, this course takes an approach that is slightly different from what you might have experienced in other courses: your own ideas may form part of an assignment. Instead of exercises where every student solves the same task, the seminar-style class lets us highlight your individual contribution.

What does that mean in practice? During the course, you get two assignments. The first task introduces you to the subject. The second one challenges your individual skills and should let you work on a lecture-related project that you enjoy.

Task 1

The first assignment combines network analysis with mobile security. As shown on the slides, your task is to analyse a set of at least 8 applications for either Android or iOS and to find out whether they are susceptible to MITM attacks, whether the app detects such an attack, and whether the app makes use of certificate pinning. A roadmap you may follow, how to proceed, and what to submit are described on the slides.

Please note that it is not sufficient to answer the question of susceptibility to attacks with a plain yes or no: you should provide evidence for why you believe the app is vulnerable or not. If you are using Burp Suite for the analysis, it is also fine to hand in traffic dumps that are not in PCAP format 🙂

Important: Upload your results by 10.04.2021! The required format is described on the slides. Sending an email to me (in addition) is not necessary.

Resources

The following is a small list of task-related links. They may help you to deepen your understanding of what you should do.

Please note that there has been a breaking change with Android 7 (“Nougat”) that prevents you from installing arbitrary CAs on your device (if it runs Android 7). If your analysis would fail because of that, please follow the steps described here. Make sure that the root CA you use has a validity of at most 2 years and that all required extensions are set (e.g. for Burp Suite, see here). Otherwise Android won’t accept it. The presented workaround is applicable to any rooted Android device or emulator. If you are using an emulator and adb root doesn’t work, see here.
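A preflight check for the two root CA conditions named above, as an added example that is not part of the course material. The function names are hypothetical, OpenSSL and GNU date are assumed to be available, "max. 2 years" is taken as 730 days, and "required extensions" is reduced to the minimum assumption of basicConstraints CA:TRUE.

```shell
#!/bin/sh
# Added example: check a root CA certificate before installing it on a test device.
# Assumptions: OpenSSL and GNU date; 2 years = 730 days; the only extension
# checked is basicConstraints CA:TRUE (the linked extension list is not reproduced).

# make_sample_ca DAYS TRUE|FALSE OUT.pem: writes a constructed self-signed sample certificate
make_sample_ca() {
    cnf=$(mktemp)
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Constructed Sample CA
[ext]
basicConstraints = critical,CA:$2
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -config "$cnf" \
        -keyout "$cnf.key" -out "$3" 2>/dev/null
    rc=$?
    rm -f "$cnf" "$cnf.key"
    return $rc
}

# check_ca CERT.pem [MAX_DAYS]: returns 0 if acceptable, 1 if not, 2 if unreadable
check_ca() {
    max_days=${2:-730}
    start=$(openssl x509 -in "$1" -noout -startdate 2>/dev/null | cut -d= -f2)
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2)
    [ -n "$start" ] && [ -n "$end" ] || { echo "cannot parse $1" >&2; return 2; }
    # Total validity period in whole days (notAfter minus notBefore)
    days=$(( ($(date -u -d "$end" +%s) - $(date -u -d "$start" +%s)) / 86400 ))
    bad=0
    if [ "$days" -gt "$max_days" ]; then
        echo "FAIL validity: $days days exceeds $max_days"; bad=1
    fi
    if ! openssl x509 -in "$1" -noout -text \
            | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "FAIL basicConstraints: CA:TRUE not set"; bad=1
    fi
    return $bad
}
```

Run `check_ca` on the PEM export of your proxy's CA certificate; a non-zero exit status means the certificate should be regenerated before you try to install it.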

Task 2

For this assignment, you will have the opportunity to propose a topic of your own, as long as it is related to the course. Otherwise, you may choose one of the suggested topics. In terms of content, the focus is on fast-prototyping research, and your work might form a basis for subsequent projects at our institute. Please send a ZIP archive of your final work or a link to a Git repository by 08.06.2021 at 23:59 to the email address mobilesec@iaik.tugraz.at. Documentation of the source code would be nice but is not explicitly required. If you want, you can of course also hand in your final delivery together with your presentation. All information regarding the presentation can be found here.