Mobile Security Sven Bugiel

Registration for this course is open until Sunday, 29.10.2017 23:59.



Lecture schedule updated

Lecture schedule was adjusted to adhere to the actual lecture period.


Course activated in CISPA CMS

The course is now available on the CISPA CMS and registration opens Aug 14 at 12:00 (noon).


About the course

This advanced lecture deals with different, fundamental aspects of mobile operating system and application security, with a strong focus on the popular, open-source Android OS and its ecosystem. In general, the awareness and understanding of the students for security and privacy problems in the area of smartphones is increased and they learn to tackle current security and privacy issues on smartphones from the perspectives of different security principals in the smartphone ecosystem: end-users, app developers, market operators, sytem vendors, third parties (like companies).

Central questions of this course are:

  • What is the threat model from the different principals' perspective?
  • How are basic design patterns of secure systems and security best practices realized in the design of smartphone operating systems? And how does the multi-layered software stack (i.e., middleware on top of the OS) influence this design?
  • How are hardware security primitives, such as Trusted Execution Environments, and trusted computing concepts integrated in those designs?
  • What are the techniques and solutions market operators have at hand to improve the overall ecosystem's hygiene?
  • Which problems and solutions have been identified in the past half decade of security research in this area?
  • Which techniques have been develop to empower the end-users to protect their privacy?

The lectures are accompanied by exercises to re-enforce the theoretical concepts and to provide an environment for hands-on experience for mobile security on the Android platform. Additionally, a short course project should provide hands-on experience in extending Android's security architecture with a simple custom access control enforcement mechanism.

Where and when

The lectures will take place every Wednesday 10:00 – 12:00 in building E9 1 (CISPA), room 0.05 (lecture hall ground floor).


There are no formal requirements for participation. Students who want to participate in the course should

  • have worked with a smartphone before (e.g., own an Android-based phone, iPhone, etc.)
  • be familiar with programming in Java (and C/C++)
  • should be comfortable with working with Linux

Actual programming experience on Android or at OS-level is not a prerequisite, but definitively an advantage.

Background in security is also an advantage (e.g., prior participation in the Foundations of Cybersecurity lecture or Security core lecture), however, the necessary background on system design, access control, and network security will be provided in this lecture in order to better put Android's design choices into context.

Requirements for obtaining credit points (Scheinvergabe)

For passing the course, the following minimal amount of points is needed:

  • 50% of the points from the exercise sheets; and
  • 50% of the points from the final exam.


Register for the course here in the CISPA CMS. Registration opens Aug 14 at 12:00. Once you are registered here, don't forget to register in the LSF.

Please note that the number of students for this course is limited to 60!

Exercise 0

In this course, you will do graded exercises that involve Android application and system programming. Thus, it is important that you have a working development environment. You can set one up by going through Exercise 0 (not graded), in which you create a set of apps, which we will use in later exercises. If you are already familiar with Android programming, you can skip the IDE setup of this exercise, however, you should still create the explained apps.

If you encounter technical problems, please contact the administrators