Prof. Adwait Nadkarni
William & Mary
Home automation and mobile-IoT apps
A very simple example: hacking the mobile app and the server, and changing the home-automation mode to Home.
Why do mobile app vulnerabilities prevail?
- Possibility 1: developers don't care about security
- Possibility 2: developers care, but don't know enough to build secure software
- Possibility 3: developers don't use vulnerability detection tools
- Possibility 4: developers misconfigure vulnerability detection tools
==Do security tools work?==
RQ1: Do security tools and techniques detect the vulnerabilities that they claim to detect?
RQ2: Do the tools detect vulnerabilities as developers expect them to?
RQ1
OWASP did not list ECB mode as vulnerable until March 2020
Mutation testing
How do they evaluate the detectors?
- use mutation testing to insert known-vulnerable code into benign apps
- check whether the tools detect the inserted vulnerabilities
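Added worked example (not from the lecture, and not the code of any tool it discusses): a toy version of the mutation-testing evaluation in Python. The benign Java source, the three mutation operators and the two regex "detectors" are all constructed here for illustration; the one real fact relied on is that a JCE transformation string of just `"AES"` (no mode) defaults to ECB, which is why a detector that only looks for the word ECB misses that mutant.

```python
import re
from typing import Callable, Dict, List

# Constructed base program: a benign Android-style Java class using AES-GCM
# with a caller-supplied key. Every mutant is derived from this text.
BENIGN_APP = '''\
public class Vault {
    public byte[] encrypt(byte[] key, byte[] plaintext) throws Exception {
        javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES/GCM/NoPadding");
        c.init(javax.crypto.Cipher.ENCRYPT_MODE, new javax.crypto.spec.SecretKeySpec(key, "AES"));
        return c.doFinal(plaintext);
    }
}
'''

Mutator = Callable[[str], str]
Detector = Callable[[str], List[str]]

# Mutation operators: each rewrites the benign program into one mutant that
# contains a flaw a crypto-misuse detector would claim to catch.
MUTATION_OPERATORS: Dict[str, Mutator] = {
    # ECB named explicitly in the transformation string
    "explicit_ecb": lambda src: src.replace('"AES/GCM/NoPadding"', '"AES/ECB/PKCS5Padding"'),
    # No mode given: the JCE default for a bare "AES" is ECB, so same flaw in disguise
    "implicit_ecb": lambda src: src.replace('"AES/GCM/NoPadding"', '"AES"'),
    # Caller-supplied key overwritten by a constant embedded in the binary (constructed value)
    "hardcoded_key": lambda src: src.replace(
        "throws Exception {\n",
        'throws Exception {\n        key = "0123456789abcdef".getBytes();\n', 1),
}


def detector_explicit_only(src: str) -> List[str]:
    """Toy tool following the older checklist: flags ECB only when the word
    appears in the transformation, plus a constant key passed through getBytes()."""
    findings = []
    if re.search(r'getInstance\("AES/ECB', src):
        findings.append("ECB mode")
    if re.search(r'key\s*=\s*"[^"]*"\.getBytes\(\)', src):
        findings.append("hard-coded key")
    return findings


def detector_default_aware(src: str) -> List[str]:
    """The same tool after learning that a bare "AES" transformation selects ECB."""
    findings = detector_explicit_only(src)
    if re.search(r'getInstance\("AES"\)', src):
        findings.append("ECB mode (JCE default)")
    return findings


def build_mutants(base: str = BENIGN_APP) -> Dict[str, str]:
    """Apply every operator to the base program, refusing no-op mutations
    (an unchanged mutant would make the evaluation meaningless)."""
    mutants = {name: op(base) for name, op in MUTATION_OPERATORS.items()}
    for name, src in mutants.items():
        if src == base:
            raise ValueError(f"mutation {name} did not change the program")
    return mutants


def evaluate(detector: Detector, base: str = BENIGN_APP) -> Dict[str, bool]:
    """Map each mutant name to whether the detector reported anything on it.
    The detector must stay quiet on the benign base, otherwise any 'detection'
    on a mutant could just be a false positive."""
    if detector(base):
        raise ValueError("detector flags the benign program")
    return {name: bool(detector(src)) for name, src in build_mutants(base).items()}


def undetected(detector: Detector) -> List[str]:
    """Mutants the tool misses: each is a gap between what it claims and what it does."""
    return [name for name, caught in evaluate(detector).items() if not caught]


if __name__ == "__main__":
    for det in (detector_explicit_only, detector_default_aware):
        print(f"{det.__name__}: missed {undetected(det)}")
```

Running it shows the point of RQ1: the first detector catches the explicit-ECB and hard-coded-key mutants but misses `implicit_ecb`, even though "detects ECB" is exactly what it claims; the second catches all three. Real evaluations work the same way with real apps and real tools, the difference being the size of the mutant set and of the operator catalogue.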