Annual Computer Security Applications Conference (ACSAC) 2018

Why Johnny Can’t Make Money With His Contents: Pitfalls of Designing and Implementing Content Delivery Apps

Mobile devices are becoming the default platform for multimedia content consumption. This thriving business ecosystem has drawn interest from content distributors in developing apps that can reach a large audience. The business edge of content delivery apps crucially relies on being able to effectively arbitrate the purchase and delivery of contents, and to govern access to contents with respect to usage control policies, on a plethora of consumer devices. Content protection on mobile platforms, especially in the absence of a Trusted Execution Environment (TEE), is a challenging endeavor where developers often have to resort to ad-hoc deterrence-based defenses. This work evaluates the effectiveness of the content protection mechanisms embraced by developers of content delivery apps with respect to a hierarchy of adversaries with varying real-world capabilities. Our analysis of 111 vulnerable apps uncovered that, in many cases, due to developers’ unjustified trust assumptions about the underlying technologies, adversaries can obtain unauthorized and unrestricted access to the contents of apps, sometimes without even needing to reverse engineer the deterrence-based defenses. Some weaknesses in the apps can also severely impact app users’ security and privacy. All our findings have been responsibly disclosed to the affected stakeholders.

Sze Yiu Chau
Purdue University
United States

Bincheng Wang
The University of Iowa
United States

Jianxiong Wang
Purdue University
United States

Omar Chowdhury
The University of Iowa
United States

Aniket Kate
Purdue University
United States

Ninghui Li
Purdue University
United States

 


