Vulnerability exploration and data protection in end-user applications

Abstract

Using different end-user applications on personal computers and mobile devices has become an integral part of our daily lives. For example, we use Web browsers and mobile applications to perform many important tasks such as Web browsing, banking, shopping, and bill-paying. However, due to the security vulnerabilities in many applications and also due to the lack of security knowledge or awareness of end users, users’ sensitive data may not be properly protected in those applications and can be leaked to attackers resulting in severe consequences such as identity theft, financial loss, and privacy leakage. Therefore, exploring potential vulnerabilities and protecting sensitive data in end-user applications are of great need and importance. In this dissertation, we explore the vulnerabilities in both end-user applications and end users. In terms of end-user applications, we focus on Web browsers, browser extensions, stand-alone applications, and mobile applications by manually or automatically exploring their vulnerabilities and by proposing new data protection mechanisms. Specifically, we (1) investigate vulnerabilities of the password managers in the five most popular Web browsers, (2) investigate vulnerabilities of two commercial browser extension and cloud based password managers, (3) propose a framework for automatic detection of information leakage vulnerabilities in browser extensions, (4) propose a secure cloud storage middleware for end-user applications, and (5) investigate cross-site input inference attacks on mobile Web users. In terms of end users, we focus on phishing attacks by investigating users’ susceptibility to both traditional phishing and Single Sign-On phishing. Specifically, we (6) explore the feasibility of creating extreme phishing attacks and evaluate the effectiveness of such phishing attacks. By conducting these research projects, we expect to advance the scientific and technological understanding on protecting users’ sensitive data in applications, and make users’ online experience more secure and enjoyable.