This class schedule is preliminary, and will be altered as the semester progresses. While I will try to announce changes as they happen, it is the responsibility of the students to frequently check this web-page for any changes to the schedule, readings or assignments.
Note: The slides will be available after each lecture via a slides link below the lecture topic.
| Date | Topics | Readings | Notes |
|---|---|---|---|
| 01/22/2026 | Course Introduction Slides | 1. Ken Thompson, Reflections on Trusting Trust. Turing Award Lecture, 1983. (link) 2. Building your first Android app (link) | 1. Homework 1 assigned; due January 27th at 11:59pm 2. Project Proposal (Milestone 1) assigned; due February 5th at 11:59pm |
| 01/27/2026 | University Closed due to the Winter Storm | | Homework 1 due |
| 01/29/2026 | CLASS CANCELLED – TRAVEL | | January 30th Last Day to ADD/DROP |
| 02/03/2026 | Android and Security Fundamentals | Security Engineering, Chapter 1 (link) | |
| 02/05/2026 | Crypto Basics 1 | 1. Security Engineering, Chapter 5.1-5.5 (link) | Project Proposal due |
| 02/10/2024 | Crypto Basics 2 | Security Engineering, Chapter 5.6 (link) | 1. Homework 2 assigned; due February 24th at 11:59pm 2. Project Application (Milestone 2) assigned, due March 5th at 11:59pm |
| 02/12/2026 | Crypto Basics 3 | 1. Security Engineering, Chapter 5.7 (link) 2. R. Rivest, A. Shamir, and L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 1978. (link) 3. Creating your own Certificate Authority (link) | |
| 02/17/2026 | SSL/TLS, Cryptography in Mobile Apps | 1. SSL and TLS: A Beginners Guide (link) 2. Anderson, R. 1993. Why cryptosystems fail. In Proceedings of the 1st ACM Conference on Computer and Communications Security (Fairfax, Virginia, United States, November 03 - 05, 1993). CCS ‘93. (link) | |
| 02/19/2026 | Access Control Basics | 1. Operating System Security, Chapters 1, 2, and 5 (link) 2. [Part 1 Only] J. Saltzer and M. Schroeder, The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9) (1975) pp. 1278-1308. (link) | |
| 02/24/2026 | Managing Privilege in Mobile Apps | | Homework 2 due |
| 02/26/2026 | Secure Inter-application Communication | [Sections 1 – 3 only] Adwait Nadkarni, B. Andow, W. Enck, and S. Jha, “Practical DIFC Enforcement on Android,” in Proceedings of the 25th USENIX Security Symposium (USENIX), Austin, TX, USA, 2016, pp. 1119–1136. (link) | |
| 03/03/2026 | Storage in Mobile Apps | [Read Previously] 1. Operating System Security, Chapters 1, 2, and 5 (focus on security models) (link) 2. J. Saltzer and M. Schroeder, The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9) (1975) pp. 1278-1308. (link) | |
| 03/05/2026 | Application Security Analysis Goals | Reaves, B., Bowers, J., Gorski III, S.A., Anise, O., Bobhate, R., Cho, R., Das, H., Hussain, S., Karachiwala, H., Scaife, N. and Wright, B., 2016. \*droid: Assessment and Evaluation of Android Application Analysis Tools. ACM Computing Surveys (CSUR), 49(3), p.55. (link) | 1. Homework 3 assigned, due March 19th at 11:59pm 2. Project Application due |
| 03/10/2026 | SPRING BREAK | | |
| 03/12/2026 | SPRING BREAK | | |
| 03/17/2026 | Evaluating Security Analysis and Research Methods 1 | S. Axelsson, The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection. In Proceedings of the ACM Conference on Computer and Communication Security. November, 1999. (link) | 1. Analysis Plan (Milestone 3) assigned; due April 9th at 11:59pm. 2. Project Report (Milestone 4) assigned, due on April 30th at 11:59pm |
| 03/19/2026 | Intro to Static Analysis | 1. Fahl, Sascha, Marian Harbach, Thomas Muders, Lars Baumgärtner, Bernd Freisleben, and Matthew Smith. “Why Eve and Mallory love Android: An analysis of Android SSL (in) security.” In Proceedings of the 2012 ACM conference on Computer and communications security, pp. 50-61. ACM, 2012. (link) 2. [Optional] Egele, Manuel, David Brumley, Yanick Fratantonio, and Christopher Kruegel. “An empirical study of cryptographic misuse in android applications.” In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pp. 73-84. ACM, 2013. (link) | 1. Homework 3 due 2. Homework 4 assigned, due April 7th at 11:59pm. March 23rd Last Day to Withdraw |
| 03/24/2026 | Mobile vulnerabilities in IoT, and Liability, in collab with Dr. Iria Guiffrida | | |
| 03/26/2026 | Permission Analysis | 1. Enck, William, Machigar Ongtang, and Patrick McDaniel. “On lightweight mobile phone application certification.” In Proceedings of the 16th ACM conference on Computer and communications security, pp. 235-245. ACM, 2009. (link) 2. Felt, Adrienne Porter, Erika Chin, Steve Hanna, Dawn Song, and David Wagner. “Android permissions demystified.” In Proceedings of the 18th ACM conference on Computer and communications security, pp. 627-638. ACM, 2011. (link) | |
| 03/31/2026 | Detecting Privacy Leaks | 1. Enck, William, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. “TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones.” ACM Transactions on Computer Systems (TOCS) 32, no. 2 (2014) (link) 2. Arzt, Steven, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. “Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps.” Acm Sigplan Notices 49, no. 6 (2014): 259-269. (link) | |
| 04/02/2026 | Sound vs Sound(y) analysis | 1. Bonett, R., Kafle, K., Moran, K., Nadkarni, A., & Poshyvanyk, D. (2018). Discovering flaws in security-focused static analysis tools for android using systematic mutation. Proceedings of the USENIX Security Symposium (link) 2. Livshits, Benjamin, Manu Sridharan, Yannis Smaragdakis, Ondřej Lhoták, J. Nelson Amaral, Bor-Yuh Evan Chang, Samuel Z. Guyer, Uday P. Khedker, Anders Møller, and Dimitrios Vardoulakis. “In defense of soundiness: a manifesto.” Communications of the ACM 58, no. 2 (2015): 44-46. (link) | |
| 04/07/2026 | Inter-app communication analysis | 1. Chin, Erika, Adrienne Porter Felt, Kate Greenwood, and David Wagner. “Analyzing inter-application communication in Android.” In Proceedings of the 9th international conference on Mobile systems, applications, and services, pp. 239-252. ACM, 2011. (link) 2. Grace, Michael C., Yajin Zhou, Zhi Wang, and Xuxian Jiang. “Systematic Detection of Capability Leaks in Stock Android Smartphones.” In NDSS, vol. 14, p. 19. 2012. (link) 3. [Optional] Felt, Adrienne Porter, Helen J. Wang, Alexander Moshchuk, Steve Hanna, and Erika Chin. “Permission Re-Delegation: Attacks and Defenses.” Proceedings of the USENIX Security Symposium, vol. 30, p. 88. 2011. (link) | Homework 4 due |
| 04/09/2026 | Malware Basics | 1. Zhou, Yajin, and Xuxian Jiang. “Dissecting android malware: Characterization and evolution.” In Security and Privacy (SP), 2012 IEEE Symposium on, pp. 95-109. IEEE, 2012. (link) 2. Arp, Daniel, Michael Spreitzenbarth, Malte Hubner, Hugo Gascon, Konrad Rieck, and C. E. R. T. Siemens. “DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket.” In NDSS, vol. 14, pp. 23-26. 2014. (link) | Analysis Plan due |
| 04/14/2026 | Project Status Presentations - 1 | | |
| 04/16/2026 | Project Status Presentations - 2 | | |
| 04/21/2026 | Understanding Mutants for Security: Tutorial (w/ Amit Seal Ami) | Ami, Amit S., Cooper, N., Kafle, K., Moran, K., Poshyvanyk, D., & Nadkarni, A. Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques. Proceedings of the IEEE Symposium on Security and Privacy, 2022. (link) | Extra Credit assignment Homework 5 assigned, due April 30th at 11:59pm |
| 04/23/2026 | Intro to Dynamic Analysis | [Read Previously] Enck, William, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. “TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones.” ACM Transactions on Computer Systems (TOCS) 32, no. 2 (2014) (link) | |
| 04/28/2026 | NO CLASS, CONFERENCE TRAVEL | | |
| 04/30/2026 | Still traveling, but will do the final review on Zoom | | 1. Project Report due 2. Homework 5, EXTRA CREDIT, due |
| 05/06/2026 | Final Exam, In class | | 2 PM - 5 PM |