TWC: Small: Safeguarding Mobile Cloud Services: New Challenges and Solutions

TWC：小型：保护移动云服务：新挑战和解决方案

• 批准号: 1618493
• 负责人: XiaoFeng Wang
• 金额: $ 50万
• 依托单位: Indiana University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1618493&HistoricalAwards=false
• 关键词: TWC; Small; Safeguarding; Mobile; Cloud

Mobile cloud technologies have begun to rely heavily on services known as Mobile Back-end as a Service (MBaaS), including push messaging, data synchronization, and mobile identity management. Many of today's popular apps have already integrated push messaging services such as Google Cloud Messaging (GCM), Amazon Device Messaging (ADM), and third parties like Baidu, to enable the apps to receive notifications such as private messages, financial secrets or family members' locations. Prior research has demonstrated significant security weaknesses inside such services, endangering the information assets of billions of mobile users. By exploiting flaws in services like GCM and ADM, and their integration within popular apps such as Facebook, Google+, Skype, PayPal etc., an attacker could steal a mobile user's sensitive messages, install or uninstall apps on her device, remotely lock out the user or even wipe out her data. This project is studying security risks in such services in order to significantly improve the security assurance of the new MBaaS computing paradigm. The team is collaborating with industry to facilitate the transfer of research outcomes to practical protections. To identify the security properties needed in individual components of mobile cloud technologies, the researchers are modeling different MBaaS services. The models enable the development of novel static and dynamic security analysis techniques, tailored to the unique features of different service types. These techniques will allow mobile cloud service providers to automatically verify security properties on both cloud and device fronts, find problems within their systems, and improve the security quality of their services. The researchers are also developing new techniques to enable app vendors, users and app stores to automatically detect threats to mobile clouds and protect their communication against the attempts to exploit those services' weaknesses. The research covers push messaging for Android, Apple, and mobile browsers, as well as other MBaaS services (e.g., identity management, data synchronization, and the platforms integrating them.)

移动云技术已经开始严重依赖被称为移动后端即服务(MBaaS)的服务，包括推送消息、数据同步和移动身份管理。如今许多流行的应用程序已经集成了谷歌云消息(GCM)、亚马逊设备消息(ADM)等推送消息服务，以及百度等第三方，使这些应用程序能够接收私人消息、财务秘密或家庭成员位置等通知。此前的研究表明，此类服务存在严重的安全漏洞，危及数十亿移动用户的信息资产。通过利用GCM和ADM等服务中的漏洞，以及它们与Facebook、Google+、Skype、PayPal等流行应用程序的集成，攻击者可以窃取移动用户的敏感消息，在她的设备上安装或卸载应用程序，远程锁定用户，甚至抹去她的数据。该项目正在研究此类服务中的安全风险，以显著改善新的MBaaS计算范式的安全保障。该团队正在与业界合作，促进将研究成果转化为实际保护措施。为了确定移动云技术的各个组件所需的安全属性，研究人员正在对不同的MBaaS服务进行建模。这些模型使开发新的静态和动态安全分析技术成为可能，这些技术针对不同服务类型的独特特征而量身定做。这些技术将允许移动云服务提供商自动验证云和设备前端的安全属性，发现其系统中的问题，并提高其服务的安全质量。研究人员还在开发新的技术，使应用程序供应商、用户和应用程序商店能够自动检测移动云面临的威胁，并保护他们的通信免受利用这些服务弱点的企图。这项研究涵盖了Android、Apple和移动浏览器的推送消息，以及其他MBaaS服务(例如，身份管理、数据同步和集成它们的平台)。