CSCI 445 – Mobile Application Security

[Overview] Syllabus [Schedule] [Project]

The course will cover topics including (but not limited to) security basics, application of crypto in mobile apps, storage in mobile applications, secure network communications, inter-application data flows, user privacy, static and dynamic analysis, manual analysis, using NLP in application analysis, and other emerging topics. A detailed list of lecture by lecture contents, assignments, and due dates (subject to change as semester evolves) is available on the course schedule.

Please contact Prof. Nadkarni for any questions regarding the content of the course. We will use Piazza for announcements and discussions (and a Slack channel as well!). Please sign up.

Finally, we will use Blackboard for assignment and exam submissions.


Course Prerequisites

Formal: CSCI 301 (Software Development)

Informal: An understanding of (1) computer networks, (2) modern operating systems (e.g., Windows, Linux), (3) file systems, (4) basic cryptography, and (5) reverse engineering/analysis of software would be beneficial. If you do not have a basic understanding of any of these areas, you will have difficulty with the course. If you have questions regarding these prerequisites, please contact the instructor.

Textbooks and Reading Material

This course has no formal textbook. The course readings will come from online book chapters, seminal papers, and other informative sources.

Here are some useful online books that provide additional information:

  1. Ross Anderson. Security Engineering, 2nd Edition. Wiley. April 2008.
  2. Jaeger, T., Operating System Security. Morgan & Claypool, 2008.
  3. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press. October 1996.

Student Learning Outcomes

By the end of this course, students will be able to:

  • Explain common mobile application design primitives and requirements, with a specific focus on modular development using the Android application model.
  • Outline the security risks associated with various application design decisions in the mobile context, in terms of using storage, network communication, and inter-application communication.
  • Explain concepts related to access control in operating systems, such as the confused deputy problem, least privilege, etc., and their implications on application design on mobile operating systems such as Android.
  • Identify threats and defenses in the context of application design, and perform basic but effective manual as well as semi-automated vulnerability analysis of closed source applications.

Course Structure and Grading

The course will consist of several homework assignments, a final, paper critiques, quizzes, class participation, and a course research project that contribute towards the final grade in the following proportions:

  • 40% Course Project (2 phases, 20% each) (CSCI 545 (MS) students must complete an independent CSCI 545 research project for credit instead of the predefined course project )
  • 25% Homework Assignments
  • 20% Final Exam
  • 10% Class Participation and Quizzes
  • 5% Bugs/Readings (Be the first to find 2 unique, relevant, and non-trivial “bugs” in any of the assigned readings, 2.5 points per bug. More details below.)

The final letter grade will be based on the final percentage as follows:

A >= 95% > A- >= 90% > B+ >= 85% > B >= 80% > B- >= 75% > C+ >= 70% > C >= 65% > C- >= 60% > D+ >= 55% > D >= 50% > D- >= 45% > F

The grades may be interpreted according to W&M’s grading policies.

Homework Assignments: The instructor will assign homework assignments on a periodic basis for topics associated with the class assignments. These homeworks may require the students to write, program, or perform basic research. The content and due dates of these assignments will be decided over the course of the semester. If you cannot attend a lecture, contact other students to see if any assignments have been made and consult the schedule.

Course Project: The course project requires students to build as well as analyze applications for security, and will be executed in two phases. In the first phase, students will build a secure Android application with a certain set of prerequisite capabilities. The first phase is expected to be completed and graded before the final withdrawal date. In the second phase, students will perform a security analysis of a set of Android applications, composed of third party applications from Google Play, as well as those applications built by students during the first phase. Students will submit a final written report at the end of the second phase. Each phase of the project will amount to 20% of the course grade. The grade will be based on the quality of the application designed, satisfaction of the specified prerequisites along with adherence to security best-practices, as well as the depth and findings of the analyses. See the Project for more details.

Quizzes: Quizzes may given at the beginning/end of class and will cover topics from the preceding lecture and readings. It is strongly suggested that students do the reading prior class, as a good percentage of their grade will depend on them. Quizzes missed because of absences can not be made up unless arrangements are made with the instructor prior to the course meeting.

Class Participation: To do well in this course, students must take active and regular roles in discussion and demonstrate comprehension of the reading and lecture themes. Students are required to do the assigned reading before class. This will be closely monitored by the instructor, thereby making a student’s ability to demonstrate their comprehension of papers essential to a receiving a passing grade.

Readings: The assigned readings are futile unless done in depth. As reading 20+ papers in depth in the span of a semester can be tough, this class pursues an alternative: read few papers, provided you read them in-depth, and think critically about them. To this end, each student owes the instructor 2 non-trivial bugs/mistakes/unjustified assumptions made in the security papers assigned as readings, each worth 2.5 points on the class grade, by the last day of class. There are three conditions for a bug to be valid: (1) you must be the first in class to report it (hence, report privately to the instructor), (2) it must be non-trivial (i.e., minor spelling/grammar errors, or minor calculation errors that do not affect the claims made in the paper, do not count), and (3) you must be able to reason about it, i.e., explain why it is a mistake. The instructor reserves the right to adjudicate the validity of a reported bug.

Assignment Lateness Policy

Homework and project deadlines will be hard. Late assignments will be accepted within 24 hours with a 25% reduction in grade. Homeworks submitted after 24 hours will have a 100% penalty. Students with legitimate reasons who contact the professor before the deadline may apply for an extension.

Statement for students with disabilities

William & Mary accommodates students with disabilities in accordance with federal laws and university policy. Any student who feels they may need an accommodation based on the impact of a learning, psychiatric, physical, or chronic health diagnosis should contact Student Accessibility Services staff at 757-221-2512 or at to determine if accommodations are warranted and to obtain an official letter of accommodation. For additional information please see

Attendance Policy

The instructor will not take any formal attendance for class meetings. However, as stated above, a portion of the grade is based on class participation, which includes pop quizzes. Additionally, exam material includes anything in the readings, slides, and topics discussed in class. Students missing class should consult classmates on missed material, and refer to the class schedule for slides.

The university policy on excused absences will be observed (see this). The students are responsible for discussing makeup exams if they miss exams due to excused absence. The instructor will choose a mutually agreed date and time for the makeup exam. Late submission of homework assignments due to excused absences is not subject to the policies on late assignments.

The instructor will treat COVID-related absences as excused absences, and follow the attendance policy outlined previously. The instructor will also release slides, and hold additional office hours if required, to assist students facing COVID-related absences. In case the instructor has to quarantine/isolate due to COVID, the class will continue over Zoom.

Please note that testing positive for COVID or any other temporary illness is not considered a disability as defined by ADA guidelines and is not under the purview of W&M’s Student Accessibility Services (SAS). Thus, any questions should be addressed via email to the instructor.

Academic Integrity Policy

The university, college, and department policies against academic dishonesty will be strictly enforced. You may obtain copies of the W&M Student Code from the following URL:

The instructor expects honesty in the completion of test and assignments. The instructor has a zero tolerance policy for violations of academic integrity. The instructor carefully monitors for instances of offenses such as plagiarism and illegal collaboration, so it is very important that students use their best possible judgement in meeting this policy. The instructor will not entertain any discussion on the discovery of an offense, and will assign the ‘F’ grade and refer the student to the appropriate University bodies for possible further action. It is the understanding and expectation of instructor that the student’s signature on any test or assignment means that the student neither gave nor received unauthorized aid.

Note that students are explicitly forbidden to copy anything off the Internet (e.g., source code, text) for the purposes of completing an assignment or the final project. Also, students are forbidden from discussing or collaborating on any assignment except were explicitly allowed in writing by the instructor.

Ethics Statement

This course considers topics involving personal and public privacy and security. As part of this investigation we will cover technologies whose abuse may infringe on the rights of others. As an instructor, I rely on the ethical use of these technologies. Unethical use may include circumvention of existing security or privacy measurements for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities of these services. Exceptions to these guidelines may occur in the process of reporting vulnerabilities through public and authoritative channels. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class.

When in doubt, please contact the course professor for advice. Do not undertake any action which could be perceived as technology misuse anywhere and/or under any circumstances unless you have received explicit permission from the instructor.

Statement on transportation

Students have to provide their own transportation for any and all class related trips.

Statement on safety and risk assumption

This course does not require activities that pose physical risk to students.

Writing Resource Center

The Writing Resources Center, located on the first floor of Swem Library, is a free service provided to W&M students. Trained consultants offer individual assistance with writing, presentation, and other communication assignments across disciplines and at any stage, from generating ideas to polishing a final product. To make an appointment, visit the WRC webpage

Mental and Physical Well-Being

William & Mary recognizes that students juggle different responsibilities and can face challenges that make learning difficult. There are many resources available at W&M to help students navigate emotional/psychological, physical/medical, material/accessibility concerns, including:

The W&M Counseling Center at (757) 221-3620. Services are free and confidential.
The W&M Health Center at (757) 221-4386. For additional support or resources & questions, contact the Dean of Students at 757-221-2510.

Back to the top