Due to the complex nature of mobile communication systems, most of the security efforts in its domain are isolated and scattered across underlying technologies. This has resulted in an obscure view of the overall security. In this work, we attempt to fix this problem by proposing a domain-specific threat modeling framework. By gleaning from a diverse and large body of security literature, we systematically organize the attacks on mobile communications into various tactics and techniques. Our framework is designed to model adversarial behavior in terms of its attack phases and to be used as a common taxonomy matrix. We also provide concrete examples of using the framework for modeling the attacks individually and comparing them with similar ones.
CCS CONCEPTS: • Security and privacy → Security requirements; Mobile and wireless security; • Networks → Mobile networks.
Many cloud-application vendors open their APIs for third-party developers to easily extend the functionality of their applications. The features implemented with these APIs are called add-ons (also called add-ins or apps). This is a relatively new phenomenon, and its effects on application security have not been widely studied. It seems likely that some of the add-ons have lower code quality than the core applications themselves and may therefore bring in security vulnerabilities. In this work, we found that many such add-ons are vulnerable to cross-site scripting (XSS). The attacker can take advantage of the document-sharing and messaging features of the cloud applications to send malicious input to them. The vulnerable add-ons then execute client-side JavaScript from the carefully crafted malicious input. In a major analysis effort, we systematically studied 300 add-ons for three popular application suites, namely Microsoft Office Online, G Suite and Shopify, and discovered a significant percentage of vulnerable add-ons among them. We present the results of this study and analyze the add-on architectures to understand how the XSS vulnerabilities can be exploited and how the threat can be mitigated.
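The sharing vector described above, as an added JavaScript example that is not from the paper: an add-on sidebar renders the value of a shared spreadsheet cell, first by splicing the string into its markup (the assumed vulnerable pattern) and then with HTML escaping. The cell contents, function names and the `containsActiveMarkup` check are all constructed for this illustration.

```javascript
// Added example (not the paper's code). Models an add-on sidebar that displays
// a cell from a shared sheet. Cell values are attacker-controlled because any
// collaborator with edit rights can write them (the sharing vector above).

// Constructed sample row: one ordinary cell, one cell carrying markup.
const SHARED_ROW = {
  A1: "Quarterly totals",
  B1: '<img src=x onerror="alert(1)">',
};

// Vulnerable pattern (assumed, common in add-on code): the cell text is
// spliced straight into HTML, so tags in the cell become live DOM when the
// add-on assigns this string to innerHTML in the browser.
function renderCellUnsafe(cellValue) {
  return `<div class="cell">${cellValue}</div>`;
}

// Hardened pattern: escape the HTML-significant characters before the value
// is placed into markup, so the cell renders as text instead of as tags.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCellSafe(cellValue) {
  return `<div class="cell">${escapeHtml(cellValue)}</div>`;
}

// Review check: strip the add-on's own wrapper and ask whether anything that
// parses as a tag survived inside the rendered cell body.
function containsActiveMarkup(html) {
  const body = html.replace(/^<div class="cell">/, "").replace(/<\/div>$/, "");
  return /<\/?\w[^>]*>/.test(body);
}
```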