Friday 26 September 11:30 - 12:00, Red room.
Tao Wei FireEye
Min Zheng FireEye
Hui Xue FireEye
Dawn Song FireEye
download slides (PDF)
FireEye mobile security researchers have found several severe security flaws in the iOS7 architecture which allow a malicious app to monitor every screen tap and button press and other events (to be released after the Apple fix) in the background on non-jail-broken iOS7. Furthermore, an attacker could hide such malicious behaviour in an app and bypass Apple's app security review process in various ways, or inject such malicious behaviours by exploiting a vulnerability in a benign app. Putting the steps together, we show that serious, targeted attacks on iOS are feasible and realistic. We will discuss the implications of iOS7 security architecture and the challenges in addressing them.
Tao Wei is a senior staff research scientist at FireEye, Inc. Prior to joining FireEye, he was an associate professor at Peking University and a visiting project scientist at UC Berkeley. His research interests include software analysis and system protection, web trust and privacy, programming languages, and mobile security. He led his team to win the special recognition award of the BlueHat Prize contest 2012 by proposing a high-performance software hardening approach. Now, he leads the mobile security research team at FireEye to discover mobile vulnerabilities, identify malwares, and prevent privacy leakage.
Min Zheng is a Ph.D. candidate in the computer science and engineering department of the Chinese University of Hong Kong. His research focuses on smartphone security: Android app and system security, Android malware analysis and iOS app and system security. He has worked at FireEye, Baidu and Tencent as an intern.
Hui Xue works at FireEye as a senior engineer doing research on mobile security where he published blogs and papers about Android and iOS security. He received his Ph.D. from UIUC where he did research on operating system and browser security. He also worked as a visiting scholar in Berkeley where he did research on Android security. He is interested in applying system mechanisms from operating system, network and programming language fields to improve end-user environments in aspects such as security, performance and reliability.
Dawn Song is a FireEye Fellow. She is also an associate professor on leave from UC Berkeley. Her research interest lies in security and privacy issues in computer systems and networks, including areas ranging from software security, networking security, database security and distributed systems security, to applied cryptography. She is the recipient of various awards including the MacArthur Fellowship, the Guggenheim Fellowship, the NSF CAREER Award, the Alfred P. Sloan Research Fellowship, the MIT Technology Review TR-35 Award, and best paper awards from top conferences. She founded Ensighta Security, Inc., which was acquired by FireEye.