SmartHome Application Security

We developed an app patching based mechanism to add security logic to commodity SmartApps, which enables the verification of an important property called "Contextual Integrity" in the app runtime. We demonstrate that it introduces only minimal performance overhead, and won't risk much user habituation or annoyance.

Please visit our website for some sample malicious SmartApps we created for testing purpose.


Open Port Security

We design and implement a static analysis tool that can effectively identify and characterize vulnerable open port usage in Android applications. Using this tool, we discovered over 400 vulnerable apps, which can be exploited to cause highly-severe damage such as remotely stealing contacts, photos, and also performing sensitive actions such as malware installation and malicious code execution.

Please visit our website for more information.

Featured attack demo: Session hijacking of AirDroid (CVE-2016-5227).


Android Local Socket Security

We propose a tool called SInspector to expose potential security vulnerabilities in using Unix domain socket. Our analysis revealed some serious vulnerabilities in popular apps and system daemons.

Please visit our website for more information.

Featured attack demo: Privilege Escalation exploiting KingRoot v4.8.2.


Off-path Packet Injection Vulnerability Detection

We develop a tool called PacketGuardian that supports implicit flow tainting for Linux kernel code base in C. We use PacketGuardian on 6 popular protocol implementations of TCP, SCTP, DCCP and RTP, and uncover new vulnerabilities in Linux kerneal TCP, as well as 2 out of 3 RTP implementations.

Please visit our website for more information


Cross-layer Diagnosis for Voice Call

Our research prototype of cross-layer diagnosis tool on mobile device based on my Mobicom 2015 paper was productized by T-Mobile to automate the problem diagnosis with crowd-sourced data.