Pre-Conference Talk by Imam Nur Bani Yusuf and Vikas Kumar Malviya

DATE: 5 September 2023, Tuesday
TIME: 2:00pm - 3:30pm
VENUE: Meeting room 4.4, Level 4, School of Computing and Information Systems 1, Singapore Management University, 80 Stamford Road, Singapore 178902

Please register by 4 September 2023

There are 3 talks in this session; each talk is approximately 30 minutes. All are pre-conference talks for the 38th IEEE/ACM International Conference on Automated Software Engineering (ASE 2023).

About the Talk(s)

Talk #1: ArduinoProg: Towards Automating Arduino Programming
by Imam Nur Bani YUSUF, PhD Candidate

Writing code for Arduino poses unique challenges. A developer needs hardware-specific knowledge about the interface configuration between the Arduino controller and the I/O hardware, must identify a suitable driver library, and must follow certain usage patterns of the driver library. In this work, we propose ArduinoProg to address such challenges. ArduinoProg consists of three components, i.e., Library Retriever, Configuration Classifier, and Pattern Generator. Given a query, Library Retriever retrieves library names relevant to the I/O hardware identified from the query. Configuration Classifier predicts the interface configuration between the I/O hardware and the Arduino controller based on the method definitions of each library. Pattern Generator generates the usage pattern of a library using a sequence-to-sequence model. Evaluation on real-world queries shows that the components of ArduinoProg can generate accurate and useful suggestions to guide developers in writing Arduino code. Demo video: bit.ly/3Y3aeBe.

Talk #2: Fine-Grained In-Context Permission Classification for Android Apps using Control-Flow Graph Embedding
by Vikas Kumar MALVIYA, Research Scientist

Android apps frequently need users' permission, but many of them ask for it only once, at first use, and then keep and abuse the given permissions. In this work, we propose an approach for classifying the permission uses for each Android app functionality that a user interacts with. Our approach, named DroidGem, relies mainly on three technical components: (1) static inter-procedural control-flow graphs and call graphs representing each UI-triggered functionality in an app, (2) graph embedding techniques converting graph structures into numerical encoding, and (3) supervised machine learning models classifying (mis)uses of permissions based on the embedding. We have implemented a prototype of DroidGem and evaluated it on 89 diverse apps. The results show that DroidGem can accurately classify permission usage with up to 95% precision and recall.

Talk #3: An Industrial Practice for Securing Android Apps in the Banking Domain
by Vikas Kumar MALVIYA, Research Scientist

The banking sector has benefited from mobile technology. Mobile banking has enriched this sector with various advantages, but it also raises security concerns. Illegal access to personal and financial information often occurs due to lapses in mobile security. In recent years, we have worked with banks from 10 countries and systematically analyzed 28 of their apps. We found several vulnerabilities in these apps by manual code reviews and by conducting 11 types of attacks. We then proposed and applied adequate security measures to protect these apps. Finally, we added these measures to our tool named AppProtect+ to effectively identify and thwart these threats.

About the Speaker(s)

Imam Nur Bani Yusuf is a Ph.D. candidate at SMU SCIS, supervised by Prof. Lingxiao Jiang and Prof. David Lo. His research focuses on automated code generation systems. More info available: https://imamnurby.github.io/.

Vikas Kumar MALVIYA is a research scientist at SMU advised by Prof. Lingxiao Jiang and Lwin Khin Shar. He received his Ph.D. degree in 2019 from the Indian Institute of Information Technology, Design and Manufacturing, Jabalpur, India. His research interest is security and privacy in Android apps and security vulnerabilities in drones.