The UMBC Cyber Defense Lab presents

Security Review of the MyUMBC Mobile App

Mikhail Aleksander, Enis Golaszewski, Gavin Lebo and Daniel Whitt

11:15am-12:30pm Friday, 20 November 2015, ITE 231

Our team will present preliminary findings and lead an informal discussion on its project to carry out a security review of new custom software for mobile devices in the UMBC enterprise. Using Highpoint, this custom software allows users to connect from iOS and Android mobile devices to application services including PeopleSoft (registration and administrative functions), Blackboard (instructional support), and Cashnet (campus financial transactions). Focusing on the custom software, the review includes an adversarial model, a summary of the data and resources to be protected, analysis of the system design and architecture, and static and dynamic analysis of the source code using a variety of tools. Among other questions, the review addresses the following: What are potential vulnerabilities? How might an adversary exploit these vulnerabilities? What attacks are possible, how difficult would it be to carry out such attacks, what would their consequences be, and what is the risk of such attacks? Are appropriate cryptography and protocols used, are they used appropriately, and are the key lengths appropriate? Is the key management sound, and where are keys stored? Do the design and implementation follow best practices? The final report will include constructive recommendations.

Mikhail Aleksander, Enis Golaszewski, Gavin Lebo, and Daniel Whitt are students in Dr. Sherman’s CMSC-491/691 Cybersecurity Research class of the NSF-funded INSuRE project. Aleksander, Golaszewski, and Lebo are BS students in computer science; Whitt is an MPS student in Cyber. Lebo and Whitt are also SFS Scholars.

Host: Alan T. Sherman,