INI Student Presents Android Research at 2011 WOOT Conference

September 01, 2011

With smartphone usage around the world on a steady incline, it's no wonder that mobile products are in such fierce competition. One operating system in particular, although competing against products such as Apple, Microsoft, and Blackberry, has gained popularity: the Android system. Because Android behaves differently and has issues different from other smartphones, it is a great area in need of exploration. Smartphones have all the capabilities of laptop computers, which means that they are just as susceptible to security attacks. INI student Daniel Votipka chose to put his graduate studies in Information Security Technology and Management (MSISTM) to work this summer on a research project to identify potential weaknesses in the Android operating system.

Votipka, along with fellow electrical and computer engineering (ECE) student Timothy Vidas and faculty advisor Nicolas Christin, put together a research paper entitled All Your Droid Are Belong to Us: A Survey of Current Android Attacks, which was presented at the 2011 Usenix Workshop on Offensive Technologies (WOOT) on August 8 in San Francisco.

"When we started our research on the Android system, we realized there was a lack of a central point of knowledge," Votipka said. "We wanted to put this research into literature so people could better understand it."

This project was Votipka's first research paper, and with his thesis being on Android forensic work, the subject matter was a definite interest of his. He was put in charge of research, and the team began to study all previous work done on attacking the Android system and then systematically organized that information. Through their findings they were able to identify possible vulnerabilities in the Android system such as unprivileged application attacks, attacks on the ADB (Android Developer Bridge) interface using USB connections, and attacks that can occur through the Android's boot system using the separate recovery partition. They then suggested six possible mitigations to these threats.

When presenting their findings at the WOOT Conference, Votipka said nerves were definitely a part of the equation, but he was happy overall with the execution and the crowd's reaction. "The first question I got after the presentation was whether or not we had presented this to Google yet," he said.

In terms of his future plans, Votipka's experience with this Android research project has reinforced his interest in forensics. Although he is still bouncing around the idea of pursuing a Ph.D., he would love to one day work in digital forensics research and recognizes his experience at the INI is what provided him with the knowledge, connections and the opportunity to pursue this research project.

"The level of research done at CMU is a rare thing," Votipka said. "You can't find that at many other places."