The course will cover topics including (but not limited to) security basics, application of crypto in mobile apps, storage in mobile applications, secure network communications, inter-application data flows, user privacy, static and dynamic analysis, manual analysis, using NLP in application analysis, and other emerging topics. A detailed list of lecture by lecture contents, assignments, and due dates (subject to change as semester evolves) is available on the course schedule.
Formal: CSCI 301 (Software Development)
Informal: An understanding of (1) computer networks, (2) modern operating systems (e.g., Windows, Linux), (3) file systems, (4) basic cryptography, and (5) reverse engineering/analysis of software would be beneficial. If you do not have a basic understanding of any of these areas, you will have difficulty with the course. If you have questions regarding these prerequisites, please contact the instructor.
Textbooks and Reading Material
This course has no formal textbook. The course readings will come from online book chapters, seminal papers, and other informative sources.
Here are some useful online books that provide additional information:
- Ross Anderson. [Security Engineering][anderson], 2nd Edition. Wiley, April 2008.
- Trent Jaeger. [Operating System Security][jaeger]. Morgan & Claypool, 2008.
- Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, October 1996.
Student Learning Outcomes
By the end of this course, students will be able to:
- Explain common mobile application design primitives and requirements, with a specific focus on modular development using the Android application model.
- Outline the security risks associated with various application design decisions in the mobile context, in terms of using storage, network communication, and inter-application communication.
- Explain concepts related to access control in operating systems, such as the confused deputy problem, least privilege, etc., and their implications on application design on mobile operating systems such as Android.
- Identify threats and defenses in the context of application design, and perform manual as well as semi-automated vulnerability analysis of closed source applications.
Course Structure and Grading
The course will consist of several homework assignments, a final exam, paper critiques, quizzes, class participation, and a course research project. These contribute to the final grade in the following proportions:
- 40% Course Project (2 phases, 20% each) (CSCI 520 (MS) students can opt to complete an independent research project for credit instead of the predefined course project.)
- 25% Final Exam
- 25% Homework Assignments
- 10% Class Participation and Quizzes
The final letter grade will be based on the final percentage as follows:
- A: 95% and above
- A-: 90% to below 95%
- B+: 85% to below 90%
- B: 80% to below 85%
- B-: 75% to below 80%
- C+: 70% to below 75%
- C: 65% to below 70%
- C-: 60% to below 65%
- D+: 55% to below 60%
- D: 50% to below 55%
- D-: 45% to below 50%
- F: below 45%
The grades may be interpreted according to W&M’s grading policies.
Homework Assignments: The instructor will assign homework on a periodic basis, covering topics associated with the lectures. These homeworks may require students to write, program, or perform basic research. The content and due dates of these assignments will be decided over the course of the semester. If you cannot attend a lecture, contact other students to see if any assignments have been made, and consult the schedule.
Course Project: The course project requires students to build as well as analyze applications for security, and will be executed in two phases. In the first phase, students will build a secure Android application with a certain set of prerequisite capabilities. The first phase is expected to be completed and graded before the final withdrawal date. In the second phase, students will perform a security analysis of a set of Android applications, composed of third party applications from Google Play, as well as those applications built by students during the first phase. Students will submit a final written report at the end of the second phase. Each phase of the project will amount to 20% of the course grade. The grade will be based on the quality of the application designed, satisfaction of the specified prerequisites along with adherence to security best-practices, as well as the depth and findings of the analyses. See the Project for more details.
Quizzes: Quizzes may be given at the beginning or end of class and will cover topics from the preceding lecture and readings. It is strongly suggested that students do the reading prior to class, as a good percentage of their grade will depend on it. Quizzes missed because of absences cannot be made up unless arrangements are made with the instructor prior to the class meeting.
Class Participation: To do well in this course, students must take active and regular roles in discussion and demonstrate comprehension of the reading and lecture themes. Students are required to do the assigned reading before class. This will be closely monitored by the instructor, making a student’s ability to demonstrate their comprehension of the papers essential to receiving a passing grade.
Assignment Lateness Policy
Homework and project deadlines will be hard. Late assignments will be accepted within 24 hours with a 25% reduction in grade. Homeworks submitted after 24 hours will have a 100% penalty. Students with legitimate reasons who contact the professor before the deadline may apply for an extension.
Statement for students with disabilities
William & Mary accommodates students with disabilities in accordance with federal laws and university policy. Any student who feels they may need an accommodation based on the impact of a learning, psychiatric, physical, or chronic health diagnosis should contact Student Accessibility Services staff at 757-221-2512 or at email@example.com to determine if accommodations are warranted and to obtain an official letter of accommodation. For additional information please see www.wm.edu/sas.
The instructor will not take any formal attendance for class meetings. However, as stated above, a portion of the grade is based on class participation, which includes pop quizzes. Additionally, exam material includes anything in the readings, slides, and topics discussed in class. Students missing class should consult classmates on missed material, and refer to the class schedule for slides.
The university policy on excused absences will be observed (see this). The students are responsible for discussing makeup exams if they miss exams due to excused absence. The instructor will choose a mutually agreed date and time for the makeup exam. Late submission of homework assignments due to excused absences is not subject to the policies on late assignments.
Academic Integrity Policy
The university, college, and department policies against academic dishonesty will be strictly enforced. You may obtain copies of the W&M Student Code from the following URL: http://www.wm.edu/offices/deanofstudents/services/studentconduct/studenthandbook/student_code_of_conduct/index.php
The instructor expects honesty in the completion of tests and assignments. The instructor has a zero tolerance policy for violations of academic integrity. The instructor carefully monitors for offenses such as plagiarism and illegal collaboration, so it is very important that students use their best possible judgement in meeting this policy. The instructor will not entertain any discussion on the discovery of an offense, and will assign the ‘F’ grade and refer the student to the appropriate University bodies for possible further action. It is the understanding and expectation of the instructor that the student’s signature on any test or assignment means that the student neither gave nor received unauthorized aid.
Note that students are explicitly forbidden to copy anything off the Internet (e.g., source code, text) for the purposes of completing an assignment or the final project. If an assignment requires the use of an online resource (e.g., developer docs, guides), explicit permission will be given in writing. Also, students are forbidden from discussing or collaborating on any assignment except where explicitly allowed in writing by the instructor.
This course considers topics involving personal and public privacy and security. As part of this investigation we will cover technologies whose abuse may infringe on the rights of others. As an instructor, I rely on the ethical use of these technologies. Unethical use may include circumvention of existing security or privacy measures for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities in these services. Exceptions to these guidelines may occur in the process of reporting vulnerabilities through public and authoritative channels. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class.
When in doubt, please contact the course professor for advice. Do not undertake any action which could be perceived as technology misuse anywhere and/or under any circumstances unless you have received explicit permission from the instructor.
Statement on transportation
Students have to provide their own transportation for any and all class related trips.
Statement on safety and risk assumption
This course does not require activities that pose physical risk to students.
Writing Resource Center
The Writing Resources Center, located on the first floor of Swem Library, is a free service provided to W&M students. Trained consultants offer individual assistance with writing, presentation, and other communication assignments across disciplines and at any stage, from generating ideas to polishing a final product. To make an appointment, visit the WRC webpage www.wm.edu/wrc.