News
UdS Students: Backup Exam Results and Inspection
Written on 26.03.24 by Sven Bugiel
Dear all, The results of the backup exam are now visible in the CMS. I will upload them to the LSF after the exam inspection. The exam inspection will take place on April 05, 10:00–12:00, in CISPA (E9.1), room 0.07. To coordinate the inspection, please book a time slot via the link at "UdS Book Backup Exam Inspection Slot" in the course materials in CMS.
Seating Plan for backup exam now visible
Written on 18.03.24 by Sven Bugiel
The seating plan for the backup exam is now visible. Please excuse the confusion; there was a misconfiguration in the access control.
UdS Students: Backup exam info
Written on 18.03.24 by Sven Bugiel
Dear participants from UdS, All UdS students registered in LSF/HISPOS have been assigned a seat for the backup exam on Friday, 22.03.2024, between 10:00–12:00 in the E3.1 HS002 lecture hall. Please check the CMS for your assigned seat. If you can't register in LSF (e.g., Erasmus, non-CS department, ...) but intend to attend the exam, please contact me ASAP to get a seat assigned. Further, I added a 1h recap lecture to the "5 Old Exams" section of the course materials, where I explained again some lecture content that I noticed was frequently misunderstood in the endterm exam.
Exam results and inspection
Written on 04.03.24 by Sven Bugiel
Dear all, The exam results are now in the CMS under "UdS Exams" or "LUH Exam," respectively. I will enter the grades into LSF and QIS later today. For the exam inspection:
LUH Students: Exam inspection will be online via BigBlueButton in Stud.Ip (a corresponding room should be visible there to you) on Friday, Mar 08, between 10:00–12:00. You need to book a slot for your inspection. A link for booking slots will be posted in the CMS Course Materials section today at 13:00. Please book by Thursday at the latest.
UdS Students: Exam info
Written on 19.02.24 by Sven Bugiel
Dear participants from UdS, All UdS students registered in LSF/HISPOS have been assigned a seat for the exam on Thursday, 22.02.2024 between 10:00–12:00 in the GHH in E2.2. Please check the CMS for your assigned seat. If you can't register in LSF (e.g., Erasmus, non-CS department, ...) but intend to attend the exam, please contact me ASAP to get a seat assigned.
LUH Students: Exam info
Written on 15.02.24 (last change on 19.02.24) by Sven Bugiel
Update: Since there was no update from the LUH Dean's office, the exam will take place as planned tomorrow at 08:00 despite the ÜSTRA strike. I hope to see all that registered in QIS tomorrow at the exam! Dear all, Here is some information about the exam at LUH next Tuesday, Feb 20:
If there are any other questions, please use the Askbot or contact me. PS: Sorry for the potential double posting, but my direct email bounced for several students.
Updated solution for old exams
Written on 07.02.24 by Sven Bugiel
Please note that there was an error in the answer for Question 3.1 in the sample solutions for the old exams. The incorrect answer was an artifact from an old version of that question where the root CA was pinned for any connection. A revised version with additional explanations was uploaded to the CMS. Thanks to the students who spotted this!
For UdS Students: Course Evaluation
Written on 12.01.24 by Sven Bugiel
Dear all, the course evaluations at UdS are happening until Jan 31. I shared the link to the Qualtrics in the "Organizational Matters" section of the course materials in the CMS. We would appreciate it if the UdS students could take 5 minutes to answer the survey and provide feedback for this course.
Corrected error in Solution for TLS Exercise 07
Written on 16.12.23 by Sven Bugiel
There was an error in the solution for retrieving the SHA-256 value for certificate pinning with NSC. The newly uploaded version shows the correct command.
Tomorrow only online classroom
Written on 16.11.23 by Sven Bugiel
This is a reminder that tomorrow's flipped classroom, unfortunately, has to take place only online via Zoom since the lecture hall is not available.
Lecture videos for Security Architecture IV online
Written on 13.11.23 by Sven Bugiel
The links to the videos were added to the lecture schedule and the slides are in the materials section.
Advertisements in lecture videos
Written on 10.11.23 by Sven Bugiel
There were complaints about the ads in the lecture videos. I understand that ads are annoying, but I am not placing them in the videos. I am not monetizing the lecture videos. Google shows the ads if you watch the videos with a non-premium account. If the ads are too annoying for many of you, we can consider another platform to publish the videos, though some features of YouTube, like streaming videos, chapters, etc., might be lost. If you think we should move the videos somewhere else, I would appreciate advice/wishes in an Askbot discussion.
Lecture videos for Security Architecture III online
Written on 07.11.23 by Sven Bugiel
The YouTube links to the Security Architecture III lecture are now in the lecture schedule, and the corresponding slides are in the lecture materials.
Recordings and materials of today are online
Written on 03.11.23 by Sven Bugiel
The recording of the flipped classroom is online, and the slides and the quiz are in the Materials section. The link to the recording is in the schedule. Further, I added three short videos to the Crash Course playlist on YouTube, which show how to a) request and use dangerous permission, b) use signature permission with/without knownSigner to protect app components, and c) delegate access rights via PendingIntents. Have a nice weekend!
Short self-assessment quiz for this week's lecture
Written on 31.10.23 by Sven Bugiel
I added a link to a short self-assessment quiz to the lecture schedule. This allows you to quickly check if you understood some of the main points from this week's lecture. It's a Google Form, but it does not require any Google account and does not collect anything besides the answers.
Lecture videos for Security Architecture II online
Written on 31.10.23 by Sven Bugiel
The YouTube links to the Security Architecture II lecture are now in the lecture schedule and the corresponding slides are in the lecture materials.
Flipped classroom link and Exercise 01 published
Written on 27.10.23 by Sven Bugiel
The link for a recording of today's flipped classroom has been added to the lecture schedule. Unfortunately, the recording during the live lecture crashed and this is only a re-recording of my part. Please add the questions that you remember being asked during the lecture to Askbot. I will answer them in Askbot, so we have at least a written collection of the Q&A of today's classroom. Exercise 01 has been published in the course material section, both the PDF of the exercise sheet and the APKs for the practical parts.
Lecture videos for Security Architecture I online
Written on 25.10.23 by Sven Bugiel
The YouTube links to the Security Architecture I lecture are now in the lecture schedule.
Crash course in Android App Programming
Written on 24.10.23 by Sven Bugiel
We added the link to a short YouTube playlist covering the basics of using Android Studio for App programming (Intents, BroadcastReceivers, started/bound Services). If you are new to Android app programming and intend to do the practical exercises, this should introduce you to the essentials.
Videos for Kick-off, Organizational Matters, and Motivation are online
Written on 18.10.23 by Sven Bugiel
The YouTube links to the recordings for the course Kick-off, Organizational Matters, and Motivation/Lecture content are now in the lecture schedule table in CMS. They explain how the course is structured and what to expect content-wise.
About the course
This advanced lecture deals with fundamental aspects of mobile operating system and application security, focusing strongly on the popular, open-source Android OS and its ecosystem. The course aims to increase students' awareness and understanding of security and privacy problems in this area. The students learn to tackle current security and privacy issues on smartphones from the perspectives of different security principals in the smartphone ecosystem: end-users, app developers, market operators, system vendors, and third parties (like companies).
The central questions of this course are:
- What is the threat model from the different principals' perspectives?
- How are the fundamental design patterns of secure systems and security best practices realized in the design of smartphone operating systems? And how does the multi-layered software stack (i.e., middleware on top of the OS) influence this design?
- How are hardware security primitives, such as Trusted Execution Environments and trusted computing concepts, integrated into those designs?
- Which problems and solutions did security research in this area identify in the past half-decade?
- Which techniques have been developed to empower the end-users to protect their privacy?
The lectures are accompanied by exercises to reinforce the theoretical concepts and to provide an environment for hands-on experience for mobile security on the Android platform.
See also the lecture schedule.
Where and when
The lectures will take place in the form of a flipped classroom. Lecture videos will be posted online about one week before the class, and the lecture slots will be used to answer and discuss questions about the lecture content. This discussion takes place as a hybrid event with physical attendance at either UdS or LUH every Friday from 10:00–12:00. Please consult the lecture schedule for video links, the location of physical attendance, and Zoom links for online participation.
The lectures will take place between 27.10.2023 and 26.01.2024 (i.e., the overlap in lecture periods between Saarland University and Leibniz University Hannover).
Prerequisites
There are no formal requirements for participation. Students who want to participate in the course should
- have worked with a smartphone before (e.g., own an Android-based phone, iPhone, etc.)
- be familiar with programming in Java
Actual programming experience on Android or at the OS level is not a prerequisite but definitely an advantage.
Background in security is also an advantage (e.g., prior participation in the Foundations of Cybersecurity lecture or Security core lecture). However, the necessary knowledge of system design, access control, and network security will be provided in this lecture to put Android's design choices better into context.
Requirements for obtaining credit points (Scheinvergabe)
To pass the course, you need the following minimum amount of points:
- 50% of the points from the final exam.
The final grade is based purely on your exam results.
The end-term exam will take place:
- LUH: 20.02.2024 at 08:00–10:00 in 3408.-220 (MZ1)
- UDS: 22.02.2024 at 10:00–12:00 in the GHH in E2.2
The backup exam (ONLY UDS) will take place on 22.03.2024 at 10:00–12:00 in HS002 in E1.3.
Registration
For all students
Register for the course here in the CISPA CMS. Registration will open on October 01, 2023.
For students of Saarland University
Don't forget to register in the LSF for the exam.
For students of Leibniz University Hannover
Don't forget to register in the QIS for the course and exam.