Principles of Mobile Application Development and Analysis (CPEN 524)

Overview
Communication and Links
Topics and Schedule
Course Format
Grading
Absence and Late Deliverables
University Policies

1. Overview

For several years now, mobile devices bypass desktops in sales: just walk into a restaurant, bar or a shopping mall and see how many individuals are holding a mobile device. The number of mobile application developers also bypasses the number of desktop developer worldwide. To better understand the mobile ecosystem, this course will look at topics specific to mobile application development and management, such as mobile application security, privacy, and energy-efficiency. Students will learn fundamentals and specifics of mobile application development and how it differs from the development of desktop applications. The main part of the course will focus on fundamentals of program analysis and how to apply analysis techniques for evaluating and vetting mobile applications developed by a third-party, e.g., those submitted to application stores.

This is a graduate research-oriented course. Each student will read, summarize, and present several scientific papers. Students will work in pairs or groups of three to propose, implement, and present an original project that advances the state-of-the-art in mobile application analysis. The course will also focus on polishing the students' research, development, communication, and technical presentation skills.

Instructor and Office Hours

Prof. Julia Rubin

Lecture:
Wed. 2-5pm, CEME 1212

Office hours:
Mon. 5-6pm, KAIS 4053 (or by appointment)

Course Prerequisites

Programming experience, in languages such as in Java, C++, Swift, or Objective-C.

Learning Objectives

By the end of the course, students will learn:

mobile application development paradigms;
program analysis paradigms;
specifics of mobile development, such as mobile application security, privacy and energy-efficiency;
application of analysis techniques for evaluating third-party mobile applications, e.g., w.r.t. security, privacy, and energy-efficiency;
efficient technical communication and presentation skills.

2. Communication and Links

Most course communication (questions, discussions, announcements, submissions of all deliverables, etc.) will be done via Piazza. Please enroll yourself!

Like most online services, Piazza is hosted outside Canada. Please come and talk to the instructor if you are uncomfortable using Piazza.

By 2pm PST on January 15, 2019, please indicate which papers you would like to present. Use this form to select up to 6 papers. I will do my best to satisfy everyone's preferences and will give priority to earlier records in case multiple students are interested in the same paper.
Weekly paper summaries should be submitted via Piazza using a private message.

Summaries must be posted in the “summaries” category, using the following template as subject:
“Your Name: Week X Paper Summaries”. For example, “Julia Rubin: Week 3 Paper Summaries”

Project milestones should be submitted via Piazza using a private message.

Project milestones must be posted in the “project” category, using the following template as subject:
“Names of All Your Team Members: Project Milestone”. For example, “Julia Rubin and Lady Gaga: Project Proposal”

3. Topics and Schedule

Week	Date	Topic	Major Deadlines
W1	Jan. 8	Introduction; mobile application development, Android development principles; mobile security, privacy and energy-efficiency [instructor]
W2	Jan. 15	UBC closed - weather alert	By the beginning of the class (2pm): - select papers you would like to present - submit HW1. Jan. 17: Last day to withdraw
W3	Jan. 22	Software analysis principles: static and dynamic program analysis, symbolic execution, model checking [instructor]	By the beginning of the class: project M0 (finalize groups and discuss project ideas).
W4	Jan. 29	Privacy Arzt et al., "FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps" http://dl.acm.org/citation.cfm?id=2594299 Enck et al., "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones" http://static.usenix.org/event/osdi10/tech/full_papers/Enck.pdf Yang et al., "AppIntent: Analyzing Sensitive Data Transmission in Android for Privacy Leakage Detection" http://dl.acm.org/citation.cfm?id=2516676
W5	Feb. 5	Input generation and testing Mao et al., "Sapienz: Multi-objective Automated Testing for Android Applications http://www0.cs.ucl.ac.uk/staff/K.Mao/archive/p_issta16_sapienz.pdf Gu et al., Practical GUI Testing of Android Applications via Model Abstraction and Refinement http://gutianxiao.com/static/ape-icse-2019.pdf	By the beginning of the class: project M1 (proposal).
W6	Feb. 12	Project proposal presentations [students]
W7	Feb. 19	Midterm Break - No classes
W8	Feb. 26	Security Zhou and Jiang, "Dissecting Android Malware: Characterization and Evolution" http://dl.acm.org/citation.cfm?id=2310710 Arp et al., "DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket https://www.sec.cs.tu-bs.de/pubs/2014-ndss.pdf
W9	Mar. 4	Security Mariconti et al., "MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models https://arxiv.org/pdf/1612.04433.pdf Fratantonio et al., "TriggerScope: Towards Detecting Logic Bombs in Android Applications" https://www.cs.ucsb.edu/~vigna/publications/2016_SP_Triggerscope.pdf
W10	Mar. 11	Libraries and Security Backes et al., “Reliable Third-Party Library Detection in Android and its Security Applications” https://people.svv.lu/derr/publications/pdfs/derr_ccs16.pdf Derr et al., “Keep me Updated: An Empirical Study of Third-Party Library Updatability on Android” https://people.svv.lu/derr/publications/pdfs/derr_ccs17.pdf	By the beginning of the class: project M2 (first project report)
W11	Mar. 18	Reliability in Malware Detection Demontis et al., “Yes, Machine Learning Can Be More Secure! A Case Study on Android Malware Detection” https://arxiv.org/pdf/1704.08996.pdf Chen et al., “Automated poisoning attacks and defenses in malware detection systems: An adversarial machine learning approach” https://lingling-fan.github.io/llfan_files/Computers&Security.pdf
W12	Mar. 25	Energy-efficiency Banerjee et al., "Detecting Energy Bugs and Hotspots in Mobile Apps" http://dl.acm.org/citation.cfm?id=2635871 Lui et al., “Understanding and detecting wake lock misuses for Android applications” http://sccpu2.cse.ust.hk/andrewust/files/FSE2016.pdf
W13	Apr. 1	USENIX Security '19 - Stack Overflow Considered Helpful! Deep Learning Security Nudges Towards Stronger Cryptography
W14	Apr. 8	No class. Please work on your projects!
W15	April 15	Project presentations in lieu of the meeting in April 8. Please mark your calendars! [students]	Project M3 (presentations and demos)
W16	April 22	Final project reports are due.	April 22, 2pm: Project M4 (final project report)

4. Course Format

Reading Assignments

For weeks 3-5, 8-13 students will read the assigned research papers (two or three papers each week). Each student will submit a one-page summary of each paper that describes (a) how the approach proposed in the paper works and (b) a critical review of the paper.

For (a), please specify, in bullet points, the input and outputs to the approach and what it does to transform the inputs to outputs. Then describe how the approach was evaluated and what the results show. The description should take about 3/4 of the page. Points will be deduced for explanations that are not clear or not specific to the paper.

For (b), specify in bullet points 1-2 main strengths and weaknesses of the paper (not including those listed in the paper) and 1-2 suggestions for improvement and follow-up work. Points will be deduced for unclear statements and for listing non-original strength / weaknesses / suggestions, i.e., those stated in the paper.

Paper Presentations

Each week, a student will present one of the assigned research papers to the class (two or three students each week). The student should motivate the need for the contribution made by the paper, summarize the proposed technique and its evaluation, discuss the strengths and weaknesses of the approach (beyond those listed in the paper), and lead the discussion on the paper. Depending on the number of course participants, each student will present 1-2 papers. Students do not need to submit summaries of the papers they present.

Homework

The first and the only homework assignment (HW1) is due the beginning of class on week 2. The students are expected to implement a simple Android-native mobile application and demonstrate it in class. The detailed specification for the assignment will be given in class and be posted on Piazza.

Project

The majority of evaluation for the course is based on the course project. The expectation for the project is to generate novel insights relevant to the mobile application ecosystem. That can include novel mobile application development paradigms, novel application analysis techniques, discovery of previously unknown vulnerabilities in mobile applications, collection of statistical data on existing vulnerabilities and their impact on the society, or novel literature reviews. Come to talk to the course instructor at least one week before the deadline if you want some ideas for inspiration!
The project will be performed by groups of 2-3 students. The scope of each group's project should match the number of students involved.
There are five deliverables for the project:

M0: Groups are formed by the beginning of class on week 3.
M1: Project proposals are due by the beginning of class on week 5.

The proposal should be up to 2 pages and should include (a) description of the problem solved in the project, (b) statement of novelty and relation to existing work, (c) proposed technical approach, (d) proposed evaluation, (e) timetable and the planned role of each team member.
Each group should set a meeting with the course instructor to discuss the project idea before submitting the proposal.

M2: The first project report is due by the beginning of class on week 10.

The report should be up to 5 pages and should include (a) description of the problem solved in the project, possibly refined, (b) statement of novelty and relation to existing work, possibly refined, (c) technical approach, (d) results achieved so far and contribution of each team member, (e) plan to completion the planned role of each team member.

M3: Demos and presentations will be scheduled in the course workshop that will be held during the weeks 14 or 15.
M4: The final project report is due by the beginning of class on week 15.

The report should be up to 10 pages and should include (a) description of the problem solved in the project, (b) explicit statement of contribution and its novelty, (c) relation to existing work, (d) description of the technical approach, (e) evaluation and results, (f) contribution of each team member, (g) lessons learned and future research directions.

5. Grading

This course does not have a final exam. The grading is based on four components:

HW1 – 5%
Summaries of the assigned research papers – 20%
Presentation of 1-2 research papers in class – 20%
Project – 50%, specifically:

Project proposal summary and presentation – 5% (only if final report is submitted)
First project report – 10% (only if final report is submitted)
Final demo and presentation – 15%
Final project report – 20%

Constructive participation in class discussions – 5%

6. Absence and Late Deliverables

This course is based on group discussions. As such, the attendance in lectures is mandatory. If you are sick or miss a class for any other justified reason, you should notify the instructor ahead of time (via Piazza).
Late deliverables will be subject to the following penalties:

1st deliverable late: 20% off for every 24 hours of delay.
2nd deliverable late: 40% off for every 24 hours of delay.
3rd deliverable late: 80% off for every 24 hours of delay.
4 or more deliverables late: no points given.

7. University Policies

UBC provides resources to support student learning and to maintain healthy lifestyles but recognizes that sometimes crises arise and so there are additional resources to access including those for survivors of sexual violence. UBC values respect for the person and ideas of all members of the academic community. Harassment and discrimination are not tolerated nor is suppression of academic freedom. UBC provides appropriate accommodation for students with disabilities and for religious, spiritual and cultural observances. UBC values academic honesty and students are expected to acknowledge the ideas generated by others and to uphold the highest academic standards in all of their actions. Details of the policies and how to access support are available here.