DOCSLIB.ORG

Making Smartphone Application Permissions Meaningful for The

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Making Smartphone Application Permissions Meaningful for the Average User Amer Chamseddine and George Candea School of Computer and Communication Sciences École Polytechnique Fédérale de Lausanne (EPFL), Switzerland May 2012 Abstract address book and send the contacts to spammers? Do they track the user’s movements via GPS? Do Smartphones hold important private information, they turn on the phone’s camera/microphone and yet users routinely expose this information to ques- spy on the user? This is serious, because smart- tionable applications written by developers they phones, unlike computers, are always on, network- know nothing about. Users may be tempted to connected, and always with their user. think of smartphones as old-style dumb phones, not Today’s smartphones are powerful computers, as powerful network-connected computers, and this but it is easy for users to think of them as “dumb” opens a gap between the permissions-based secu- phones; the magic by which apps can dynamically rity paradigm (offered by platforms like Android) augment the functionality of this “phone” is not and what users expect. This makes it easy to fool fully understood and is therefore ignored. Cer- users into installing applications that steal their in- tain concepts, such as “app permissions” do not re- formation. Not surprisingly, Android is now a more ally have an equivalent in the world of traditional favored target for hackers than Windows [14]. phones. Discrepancies of this sort create a gap that, We propose an approach for closing this gap, from a security standpoint, invites exploitation. We based on the observation that the current per- aim to bridge this gap by making the concept of app missions system—rooted in good ol’ UNIX-style and app permissions more “natural” to users, thus thinking—is both too coarse and too fine grained, making it easier to understand and manage. because it uses the wrong axes for defining the permissions space. We argue for replacing the We start by looking at Android, both because paradigm in which “an app accesses device re- of its popularity and because we think it has im- sources” (which is foreign to most non-geeks) with portant weaknesses in this context. Android per- aparadigminwhich“anappaccessesuser-tangible missions were conceived to mitigate the threats de- services.” By using a simple piece of middleware, scribed above, by putting the user in control: users we can wrap this view of application control around must explicitly grant the app, at installation time, today’s permission system, and, by doing so, no access to the resources it requires. Unfortunately, conceptual refactoring of applications is required. many Android permissions are too coarse grained, thus leading to a violation of the “least privilege” principle. For example, a weather forecast applica- 1Introduction tion may simply need to download data from a spe- Mobile applications (“apps”) have captured the cific server, but in the current Android Permissions mind and soul of consumers, with much of the com- System a user would have to give this app full Inter- petition in the smartphone arena revolving around net access. Other permissions are too technical for the variety and coolness of apps available on a given average users, like “use SIP service” or “change the device. An average smartphone owner has more Z-order of tasks.” A puzzled user trying to choose than 40 applications installed [1], actively uses 15 of between saying “no” and getting to (install and) use them, and spends more than ten hours a month inter- the app will likely opt for the latter. And, in so do- acting with these applications—more time is spent ing, the user may unwittingly hand over to the app with apps than spent talking on the phone or using control over his/her data. it to browse the Web [13]. Our goal is to eliminate the mismatch between Most users do not know what exactly their in- user expectations and actual app behavior, as per- stalled apps do or have access to. Do they read the tains to user data. We describe a split/merge ap- 1 proach for morphing the Android Permissions Sys- tem into user-meaningful permissions: split proxies on the phone turn permissions that are too coarse into finer ones, and merge proxies combine low- level or too-technical permissions into semantically meaningful ones. Permissions and proxies form a hierarchy, and applications access the top layer of this hierarchy. We envision service providers (such as AdMob, Facebook, or Google Analytics) defin- ing the permissions by writing such proxies and pro- viding them to developers as part of their SDKs. Before describing our approach in more detail, we briefly present the Android Permissions System. 2AndroidPermissions:TheGoodandtheBad Each mainstream smartphone platform has its Figure 1: Installing Android apps: On the left, a weather own security model, with pros and cons. iOS and forecast app requests full access to the Internet (unnecessar- Windows Phone 8 control apps’ behavior largely by ily coarse grained). On the right, a VoIP app requests access to “send sticky broadcast,” “reroute outgoing calls,” etc. (too testing them before admitting them in the respec- technical for an average user). tive app store/marketplace; users trust Apple and Microsoft to do proper checking of the apps. Of UNIX-style users and groups, respectively. When course, full verification of an app is still an open installing a new app, Android creates a new userid challenge, and apps can still misbehave [15]. An- for it, and runs the app as that user. Android main- droid, however, defers the choice for what an app is tains one usergroup for each permission and, if the allowed to do to the end user. We believe the ideal user grants a particular permission at install time, smartphone security model will offer users some the app’s userid is added to the respective usergroup. level of choice, and thus the question of how to for- When the app invokes system services, the ker- mulate and grant permissions will remain pertinent. nel checks whether the app is entitled to make the This makes Android an interesting research target. respective system call or not (e.g., if an app tries to create a network socket but its userid does not 2.1 Android Permissions System: An Overview belong to the “Internet access” usergroup, Android The Android Permissions System [2] allows de- denies the socket creation attempt). Enforcement velopers to specify a list of accesses and permis- is performed in the kernel so that even native code sions their app needs in order to function properly; cannot bypass the permissions system. this list is part of the app’s manifest file. These The benefit of the Android Permissions System is permissions control access to sensitive device APIs, that the operating system promises users that each such as the camera, the microphone, or GPS sensor. app will only be allowed to access the APIs that Which permissions are granted to an app is de- were granted by the user at install time. Further- cided upfront, at app installation time—after instal- more, a user can determine at any time what permis- lation, apps cannot request additional permissions. sions an app has by looking at its list of permissions, When a user installs an app, the operating system which is available post-installation. displays the list of requested permissions (see for 2.2 Shortcomings example Figure 1). Presumably, the user reads the list, makes an informed decision on whether to grant Unfortunately, most users are not prepared to or not the requested permissions, and clicks Install exercise their right to choose, because some An- or Cancel. Installation can only proceed if the user droid permissions can be incomprehensible to them. accepts all requested permissions. These typically relate to device details that are out- Underneath the covers, Android (which runs a side the user’s realm of comprehension (access Sur- modified Linux kernel) enforces its security poli- faceFlinger, broadcast WAP PUSH receipt notifica- cies by mapping applications and permissions onto tions, perform I/O over NFC, etc.). In a recent study, 2 only 17% of users were aware of the requested per- sion proxy takes permissions from a lower layer missions list and, of those, only 3% had some under- and transforms them into a new permission exposed standing of the permissions’ meaning, power, and to the upper layer. We have two types of per- consequences [9]. In our experience, even tech- mission proxies: split proxies that divide permis- nical users make the decision based on intuition sions into finer-grain ones, and merge proxies that rather than careful analysis. This is because, even combine multiple permissions into a semantically when understanding what the permissions are about, higher-level one. reasoning about how a combination of permissions might compromise privacy or security is difficult. 3.1 Proxy-based Permission System At the same time, some Android permissions Proxies are built as thin Android apps that lever- force the violation of the “least privilege” princi- age Android’s flexibility for defining new permis- ple by being too coarse-grained, as illustrated by sions, thus not requiring changes to the OS in most the weather forecast app in Figure 1. Another com- cases. Each proxy X declaring a new permission mon case is when a non-networked app uses a li- P also defines an API corresponding to the use brary/SDK to show ads (e.g., via AdMob) or to of P.Forexample,aswillbedetailedlater,us- collect usage statistics (e.g., via Google Analytics): ing a selective form of HTTP access would re- even though the user knows the app should not re- quire using the SelectiveHttpClient class pro- quire Internet access, the fact that it is ad-supported vided by the corresponding proxy, instead of the forces it to ask for such access.
Recommended publications
  • The Effectiveness of Application Permissions

    The Effectiveness of Application Permissions

    The Effectiveness of Application Permissions Adrienne Porter Felt,∗ Kate Greenwood, David Wagner University of California, Berkeley apf, kate eli, [email protected] Abstract cations’ permission requirements up-front so that users can grant them during installation. Traditional user-based permission systems assign the Traditional user-based permission systems assign the user’s full privileges to all applications. Modern plat- user’s full privileges to all of the user’s applications. In forms are transitioning to a new model, in which each the application permission model, however, each appli- application has a different set of permissions based on cation can have a customized set of permissions based its requirements. Application permissions offer several on its individual privilege requirements. If most applica- advantages over traditional user-based permissions, but tions can be satisfied with less than the user’s full priv- these benefits rely on the assumption that applications ileges, then three advantages of application permissions generally require less than full privileges. We explore over the traditional user-based model are possible: whether that assumption is realistic, which provides in- sight into the value of application permissions. • User Consent: Security-conscious users may be We perform case studies on two platforms with appli- hesitant to grant access to dangerous permissions cation permissions, the Google Chrome extension sys- without justification. For install-time systems, this tem and the Android OS. We collect the permission re- might alert some users to malware at installation; quirements of a large set of Google Chrome extensions for time-of-use systems, this can prevent an in- and Android applications.
  • Wiretapping End-To-End Encrypted Voip Calls Real-World Attacks on ZRTP

    Wiretapping End-To-End Encrypted Voip Calls Real-World Attacks on ZRTP

    Institute of Operating Systems and Computer Networks Wiretapping End-to-End Encrypted VoIP Calls Real-World Attacks on ZRTP Dominik Schürmann, Fabian Kabus, Gregor Hildermeier, Lars Wolf, 2017-07-18 wiretapping difficulty End-to-End Encryption SIP + DTLS-SRTP (SIP + Datagram Transport Layer Security-SRTP) End-to-End Encryption & Authentication SIP + SRTP + ZRTP Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls Institute of Operating Systems and Computer Networks No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time Transport Protocol) 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 2 of 13 wiretapping difficulty End-to-End Encryption & Authentication SIP + SRTP + ZRTP Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls Institute of Operating Systems and Computer Networks No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time Transport Protocol) End-to-End Encryption SIP + DTLS-SRTP (SIP + Datagram Transport Layer Security-SRTP) 2017-07-18 Dominik Schürmann Wiretapping End-to-End Encrypted VoIP Calls Page 2 of 13 wiretapping difficulty Introduction Man-in-the-Middle ZRTP Attacks Conclusion End-to-End Security for Voice Calls Institute of Operating Systems and Computer Networks No End-to-End Security PSTN (Public Switched Telephone Network) SIP + (S)RTP (Session Initiation Protocol + Secure Real-Time
  • Parental Control – Whatsapp

    Parental Control – Whatsapp

    Parental controls guide WhatsApp privacy guide Parental Controls information Type of guide Social media privacy guides Features and Benefits WhatsApp privacy settings allow you to restrict who can see your child’s messages and location. There are also ways to block delete or report users on the platform. Please note, WhatsApp new privacy policy has come into effect starting May 15. What specific content can I restrict? Chatting Downloading file sharing Location sharing Privacy Privacy and identity theft What do I need? A WhatsApp account WhatsApp privacy guide Step by step guide 1 Control who sees your information You can set your last seen, profile photo and/or status to the following options: Everyone, My Contacts and Nobody: 1. Open WhatsApp and go to your Settings, tap Account, then tap Privacy. 2. Next, tap your selected option, then choose from either option: ‘Everyone’, ‘My Contacts’ or ‘Nobody’. 3. The changes will be applied automatically. 1 WhatsApp privacy guide 2 3 WhatsApp privacy guide Step by step guide 2 How to block contacts You can stop receiving messages, calls and status updates from certain contacts by blocking them. Open WhatsApp, choose the person you want to block either by searching or scrolling through your chat list. 2. Tap on their name, then scroll down and tap Block Contact. 1 2 WhatsApp privacy guide WhatsApp privacy guide Step by step guide 3 How to report contacts 1. Open WhatsApp, choose the person you want to report either by searching or scrolling through your chat list. 2. Tap on their name, then scroll down and tap Report or Report and Block Contact.
  • Enterprise Edition

    Enterprise Edition

    Secure Communication. Simplified. SAFECHATS Problem Most companies use popular insecure email and ⛔ messaging services to communicate confidential information P The information flow within the Company is ⛔ disorganized Metadata is exposed and available to third-party ⛔ services SAFECHATS Introducing SAFECHATS Ultra-secure communication solution P Designed with security in mind SAFECHATS Why SAFECHATS? ✔ Information is always end-to-end encrypted by default P ✔ All-in-one communication suite: • Text messaging (one-on-one and group chats) • Voice calls • File transfers (no size and file type limits) SAFECHATS How does SAFECHATS solve the problem? ✔ Customizable white label solution ✔ Integrates with existing softwareP infrastructure ✔ Enterprise-wide account and contact list management, supervised audited chats for compliance SAFECHATS What makes SAFECHATS different? ✔ Your own isolated cloud environment or on-premise deployment P ✔ Customizable solution allows to be compliant with internal corporate security policies ✔ No access to your phone number and contact list SAFECHATS Screenshot Protection ✔ Notifications on iOS P ✔ DRM protection on Android SAFECHATS Identity Verification ✔ Protection from man-in-the-middle attacksP ✔ SMP Protocol SAFECHATS Privacy Features ✔ Show / hide messages and files P ✔ Recall messages and files ✔ Self-destructing messages and files SAFECHATS Additional Protection ✔ History retention control P ✔ Application lock: • PIN-code • Pattern-lock on Android devices • Touch ID on iOS devices SAFECHATS How does SAFECHATS
  • TECH TOOLS for ACTIVISTS Published : 2012-10-04 License : CC-BY T ABLE of CONT ENT S

    TECH TOOLS for ACTIVISTS Published : 2012-10-04 License : CC-BY T ABLE of CONT ENT S

    TECH TOOLS FOR ACTIVISTS Published : 2012-10-04 License : CC-BY T ABLE OF CONT ENT S Tech Tools For Activism 1 An introduction to this booklet 2 2 Securing your email 4 3 Anonymous Blogs and Websites 7 4 Microblogging Beyond Twitter 9 5 Browsing the Internet 11 6 Organising and Networking Online 14 7 Mobile Phone Security and Android Apps 18 8 Publishing and Networking News 21 9 Producing and Publishing Media to the Internet 23 10 Green Computing 25 11 Hiding & Deleting Things on your PC 27 TECH TOOLS FOR ACTIVISM 1. AN INTRODUCTION TO THIS BOOKLET 2. SECURING YOUR EMAIL 3. ANONYMOUS BLOGS AND WEBSITES 4. MICROBLOGGING BEYOND TWITTER 5. BROWSING THE INTERNET 6. ORGANISING AND NETWORKING ONLINE 7. MOBILE PHONE SECURITY AND ANDROID APPS 8. PUBLISHING AND NETWORKING NEWS 9. PRODUCING AND PUBLISHING MEDIA TO THE INTERNET 10. GREEN COMPUTING 11. HIDING & DELETING THINGS ON YOUR PC 1 1. AN INT RODUCT ION T O T HIS BOOKLET T his booklet will help you to: use email securely publish news and upload media anonymously make your web browsing more anonymous and secure use Facebook and Twitter more securely get organised online without relying on corporate social networking sites use encrypted messaging on mobile phones hide stuff on your computer so it can't be found find a more secure and decentralised replacement for Twitter support free software, open licences and decentralised/ federated communication. Why this booklet is important: This booklet provides an introduction to the effective use of technology for activism, with links to step-by-step guides and further information.
  • How Secure Is Textsecure?

    How Secure Is Textsecure?

    How Secure is TextSecure? Tilman Frosch∗y, Christian Mainkay, Christoph Badery, Florian Bergsmay,Jorg¨ Schwenky, Thorsten Holzy ∗G DATA Advanced Analytics GmbH firstname.lastname @gdata.de f g yHorst Gortz¨ Institute for IT-Security Ruhr University Bochum firstname.lastname @rub.de f g Abstract—Instant Messaging has gained popularity by users without providing any kind of authentication. Today, many for both private and business communication as low-cost clients implement only client-to-server encryption via TLS, short message replacement on mobile devices. However, until although security mechanisms like Off the Record (OTR) recently, most mobile messaging apps did not protect confi- communication [3] or SCIMP [4] providing end-to-end con- dentiality or integrity of the messages. fidentiality and integrity are available. Press releases about mass surveillance performed by intelli- With the advent of smartphones, low-cost short-message gence services such as NSA and GCHQ motivated many people alternatives that use the data channel to communicate, to use alternative messaging solutions to preserve the security gained popularity. However, in the context of mobile ap- and privacy of their communication on the Internet. Initially plications, the assumption of classical instant messaging, fueled by Facebook’s acquisition of the hugely popular mobile for instance, that both parties are online at the time the messaging app WHATSAPP, alternatives claiming to provide conversation takes place, is no longer necessarily valid. secure communication experienced a significant increase of new Instead, the mobile context requires solutions that allow for users. asynchronous communication, where a party may be offline A messaging app that claims to provide secure instant for a prolonged time.
  • Ethics of Facebook: Analyzing the Social Network and Global Leader

    Ethics of Facebook: Analyzing the Social Network and Global Leader

    Ethics of Facebook: Analyzing the Social Network and Global Leader A Thesis Submitted to the Faculty of the School of Engineering and Applied Science University of Virginia • Charlottesville, Virginia In Partial Fulfillment of the Requirements of the Degree Bachelor of Science, School of Engineering Selwyn Hector Spring 2020 On my honor as a University Student, I have neither given nor received unauthorized aid on this assignment as defined by the Honor Guidelines for Thesis-Related Assignments Signature __________________________________________ Date __________ Selwyn Hector Approved __________________________________________ Date __________ Michael Gorman, Department of Engineering and Society Ethics of Facebook: Analyzing the Social Network and Global Leader Introduction As computing technology has grown, the internet and computers have become an essential part of people’s daily lives. According to data from the US Census, 81% of United States homes had a computer with internet access in 2016 and 76% of households had at least 1 one smartphone. Facebook is one of the internet’s largest services with 1.59 billion daily active 2 users and 2.41 billion monthly active users as of June 2019. ​ Facebook’s massive user base gives ​ it a platform to influence many parts of the world. Facebook began as a platform for connecting college students but now is a behemoth in entertainment, news, advertising, and more. Small decisions in how content is prioritized and what content is allowed to be posted have consequences across many cultures. This enormous power makes Facebook not only a social network that connects friends but a global leader that shapes the future. Unfortunately, the platform has been at the center of many controversies related to user 3,4 privacy, misinformation, and hate speech.
  • What Is Whatsapp? Whatsapp Is a Mobile Phone Application That Allows Users to Send Messages to Individuals and Groups, As Well As Share Images and Documents

    What Is Whatsapp? Whatsapp Is a Mobile Phone Application That Allows Users to Send Messages to Individuals and Groups, As Well As Share Images and Documents

    What is WhatsApp? WhatsApp is a mobile phone application that allows users to send messages to individuals and groups, as well as share images and documents. WhatsApp is a useful tool when you want to communicate with a group—such as all the nurses on your unit. It is less cumbersome than starting a texting group using everyone’s personal mobile phone. How to set up WhatsApp on your mobile phone Go to the App Store for your iPhone or Open Google Play on your Android Install “WhatsApp” Once you have the App on your phone: Go to “Settings” and add a photo and a status message (optional) The App will draw from directly your contacts in your phone and identified people who have WhatsApp How to set up a group chat Open WhatsApp On the bottom of the screen there are options to make calls, send texts etc. Click on the Chat Bubble which will take you to the screen where you message with your contacts From here there are two ways of creating a new group: Click on NEW GROUP on the top right of your screen This will take you to your contact list. Type a name in the search bar at top, or go down the list and tap everyone you would like in the group (a little blue check will show up next to their name). Click NEXT The next page is where you can give your group a name, and add a picture that represents the group (optional) SECOND WAY TO CREATE A GROUP CHAT: Back on the main chat page, you can click on the icon of a note being written all the way at the top right of the page Which will take to the next page offering you the option of creating a new group.
  • Is Bob Sending Mixed Signals?

    Is Bob Sending Mixed Signals?

    Is Bob Sending Mixed Signals? Michael Schliep Ian Kariniemi Nicholas Hopper University of Minnesota University of Minnesota University of Minnesota [email protected] [email protected] [email protected] ABSTRACT Demand for end-to-end secure messaging has been growing rapidly and companies have responded by releasing applications that imple- ment end-to-end secure messaging protocols. Signal and protocols based on Signal dominate the secure messaging applications. In this work we analyze conversational security properties provided by the Signal Android application against a variety of real world ad- versaries. We identify vulnerabilities that allow the Signal server to learn the contents of attachments, undetectably re-order and drop messages, and add and drop participants from group conversations. We then perform proof-of-concept attacks against the application to demonstrate the practicality of these vulnerabilities, and suggest mitigations that can detect our attacks. The main conclusion of our work is that we need to consider more than confidentiality and integrity of messages when designing future protocols. We also stress that protocols must protect against compromised servers and at a minimum implement a trust but verify model. 1 INTRODUCTION (a) Alice’s view of the conversa-(b) Bob’s view of the conversa- Recently many software developers and companies have been inte- tion. tion. grating end-to-end encrypted messaging protocols into their chat applications. Some applications implement a proprietary protocol, Figure 1: Speaker inconsistency in a conversation. such as Apple iMessage [1]; others, such as Cryptocat [7], imple- ment XMPP OMEMO [17]; but most implement the Signal protocol or a protocol based on Signal, including Open Whisper Systems’ caching.
  • Portable Wi-Fi Calling and Interactive Voice Response System

    Portable Wi-Fi Calling and Interactive Voice Response System

    www.ijemr.net ISSN (ONLINE): 2250-0758, ISSN (PRINT): 2394-6962 Volume-7, Issue-1, January-February 2017 International Journal of Engineering and Management Research Page Number: 384-386 Portable Wi-Fi Calling and Interactive Voice Response System Ruchi W. Kasare1, Pooja K. Muneshwar2, Nikhil D. Tembhekar3, Prof. V. P. Yadav4, Prof. J. V. Shriral5 1,2,3,4,5Department of Computer Science and Engineering, Priyadarshani College of Engineering and Research, Nagpur University, Maharashtra, INDIA ABSTRACT Wireless IP-PBX utilizes WIFI technology for Implementation of a VoIP telephony system using communication, the same wireless infrastructure used for an IP Telephony solution in the organization as IVR. A new your corporate network. Just as we use mobiles and technology VoIP or Internet Telephony means that your laptops within this wireless infrastructure to gain access voice is carried over the IP network, otherwise known as to information, now we can use wireless IP phones the Internet. Voice which is an analog signal, is converted system as this system uses the telephony function to digital data, which is then disassembled and transmitted through the Internet or Internet to be recovered back to an directly into an already existing data network. This analog signal an the other using an IP Telephony solution provides an advantage that voice and data network can which is an Linux base system. be used together using single system. One of the major This service can be properly managed and advantages of the IP-PBX wireless phone is that you can deployed over a network with less stress and expenses.
  • 2Nd USENIX Conference on Web Application Development (Webapps ’11)

    2Nd USENIX Conference on Web Application Development (Webapps ’11)

    conference proceedings Proceedings of the 2nd USENIX Conference Application on Web Development 2nd USENIX Conference on Web Application Development (WebApps ’11) Portland, OR, USA Portland, OR, USA June 15–16, 2011 Sponsored by June 15–16, 2011 © 2011 by The USENIX Association All Rights Reserved This volume is published as a collective work. Rights to individual papers remain with the author or the author’s employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. Permission is granted to print, primarily for one person’s exclusive use, a single copy of these Proceedings. USENIX acknowledges all trademarks herein. ISBN 978-931971-86-7 USENIX Association Proceedings of the 2nd USENIX Conference on Web Application Development June 15–16, 2011 Portland, OR, USA Conference Organizers Program Chair Armando Fox, University of California, Berkeley Program Committee Adam Barth, Google Inc. Abdur Chowdhury, Twitter Jon Howell, Microsoft Research Collin Jackson, Carnegie Mellon University Bobby Johnson, Facebook Emre Kıcıman, Microsoft Research Michael E. Maximilien, IBM Research Owen O’Malley, Yahoo! Research John Ousterhout, Stanford University Swami Sivasubramanian, Amazon Web Services Geoffrey M. Voelker, University of California, San Diego Nickolai Zeldovich, Massachusetts Institute of Technology The USENIX Association Staff WebApps ’11: 2nd USENIX Conference on Web Application Development June 15–16, 2011 Portland, OR, USA Message from the Program Chair . v Wednesday, June 15 10:30–Noon GuardRails: A Data-Centric Web Application Security Framework . 1 Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans, University of Virginia PHP Aspis: Using Partial Taint Tracking to Protect Against Injection Attacks .
  • A Survey of Open Source Products for Building a SIP Communication Platform

    A Survey of Open Source Products for Building a SIP Communication Platform

    Hindawi Publishing Corporation Advances in Multimedia Volume 2011, Article ID 372591, 21 pages doi:10.1155/2011/372591 Research Article A Survey of Open Source Products for Building a SIP Communication Platform Pavel Segec and Tatiana Kovacikova Department of InfoCom Networks, University of Zilina, Univerzitna 8215/1, 010 26 Zilina, Slovakia Correspondence should be addressed to Tatiana Kovacikova, [email protected] Received 29 July 2011; Revised 31 October 2011; Accepted 15 November 2011 Academic Editor: T. Turletti Copyright © 2011 P. Segec and T. Kovacikova. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. The Session Initiation Protocol (SIP) is a multimedia signalling protocol that has evolved into a widely adopted communication standard. The integration of SIP into existing IP networks has fostered IP networks becoming a convergence platform for both real- time and non-real-time multimedia communications. This converged platform integrates data, voice, video, presence, messaging, and conference services into a single network that offers new communication experiences for users. The open source community has contributed to SIP adoption through the development of open source software for both SIP clients and servers. In this paper, we provide a survey on open SIP systems that can be built using publically available software. We identify SIP features for service deve- lopment and programming, services and applications of a SIP-converged platform, and the most important technologies support- ing SIP functionalities. We propose an advanced converged IP communication platform that uses SIP for service delivery.