Prof. Dr. Eric Bodden

As I announced a few weeks ago, in 2016 I will be moving to the University of Paderborn to start a tenured professorship there. As part of this move, I am looking for a number of new Ph.D. students and also PostDocs. The positions come with full funding for a number of years. You can find more information about these positions here. As stated, please direct your applications to se-jobs.cs@upb.de

If you have a deep interest in software engineering, especially software security, the I am very much looking forward to your application!

Cross-posted from Secure Software Engineering

As I announced a few weeks ago, in 2016 I will be moving to the University of Paderborn to start a tenured professorship there. As part of this move, I am looking for a number of new Ph.D. students and also PostDocs. The positions come with full funding for a number of years. You can find more information about these positions here. As stated, please direct your applications to se-jobs.cs@upb.de

If you have a deep interest in software engineering, especially software security, the I am very much looking forward to your application!

Cross-posted from Secure Software Engineering

There is a growing use of empirical research methods to address cyber security challenges. This workshop aims to contribute to developing a common understanding of these methods and to set guidelines for using them for the different sub-disciplines including, but not limited to: security in software engineering, network security, security in social networks, and usable security. Researchers who work with these methods are encouraged to submit their work to the workshop and share their findings and experience. The submission deadline is January 4th, 2016. More information are available here.

Cross-posted from Secure Software Engineering

We presented our Backend-as-a-Service investigation at Blackhat Europe 2015.

The slides are available here. The paper contains more details and you can find it here.

Update: First news report available here.

Cross-posted from Secure Software Engineering

To be presented at Black Hat Europe next week:

Smartphone applications frequently need to store data remotely. From a developer’s point of view, setting up and maintaining back-ends, however, is time-consuming and error-prone. Therefore, commercial cloud-based data storage solutions from Backend-As-A-Service (BaaS) providers such as the ones from Amazon, Google, and Facebook have become omnipresent. They provide simple APIs for common tasks such as managing database records or files. Adding a few library classes and writing three or four lines of code is sufficient to make an interaction between the cloud and the app, and, e.g., store credit card data. While this model is convenient, one might wonder whether it’s really secure in practice (spoiler: it’s not).
In this study, we will show that many BaaS solutions are completely insecure and attackers have no difficulties in breaking into the developer’s backend. We investigated about two million Android apps and the results were quite shocking. We were able to access more than 56 million sensitive user records stored in the cloud by heavily misconfigured BaaS solutions. These records contained all sorts of sensitive data processed by Android apps: medical information, credit card data, photos, voice-, audio- and video-records, money transaction records, etc. Some apps even contained credentials that gave us full control over the remote storage. Adversaries could hijack Amazon S3-Buckets which gives them the ability to modify sensitive customer databases, add malicious code to well-known websites or directly run malware on the cloud at the app developer’s expense. In order to find and verify these insecure BaaS solutions in Android applications, we developed an automatic exploit generator that extracts credentials from the app, even if they are obfuscated, and provides access to the respective BaaS backend.

Cross-posted from Secure Software Engineering

I gave, recently, a lecture at the Ninth International Crisis Management Workshop (CriM’15) and Oulu Winter School. The program included many interesting talks. I talked in my lecture about our experience on using interviews, questionnaires, and data analytics to address research questions in secure software development. The lecture video is publicly available here.

Cross-posted from Secure Software Engineering