Common Mistakes When Building Authentication into Apps

Departmental Seminar

 
When?
Wednesday 16 January 2013, 14:00 to 15:00
Where?
39 BB 02
Open to:
Alumni, Public, Staff, Students
Speaker:
Dr Edgar Weippl, Research Director, SBA Research, Vienna University of Technology, Vienna, Austria

Mobile applications only become really useful if combined with cloud-based services. We have observed that the increasingly short time to market may cause serious design flaws in the security architecture. In this talk I will highlight some flaws discovered in the past.

For example, we looked at nine popular mobile messaging and VoIP applications and evaluated their security models with a focus on authentication mechanisms. We find that a majority of the examined applications use the user's phone number as a unique token to identify accounts; they contain vulnerabilities allowing attackers to hijack accounts, spoof sender-IDs or enumerate subscribers. Other examples pertain to (already fixed) problems in cloud-based storage services such as Dropbox.

Biography

Edgar Weippl giving a talk at Surrey Computing

Edgar Weippl is research director of SBA Research and Associate Professor at the Vienna University of Technology. His research focuses on applied concepts of IT-security and e-learning.

After graduating with a Ph.D. from the Vienna University of Technology, Edgar worked for two years in a research startup. He then spent one year teaching as an assistant professor at Beloit College, WI, USA. From 2002 to 2004, while with the software vendor, he worked as a consultant in New York, NY and Albany, NY, and in Frankfurt, Germany. In 2004 he joined the Vienna University of Technology and, together with A Min Tjoa and Markus Klemen, founded the research center SBA Research.

Edgar R. Weippl (CISSP, CISA, CISM, CRISC, CSSLP, CMC) is a member of the editorial board of Computers & Security (an IFIP journal published by Elsevier), and he organizes the ARES conference.
