Trusted Systems Group

Mobile Security WS 16/17

Lecture type: Advanced lecture
Credits: 6 CP
Instructor: Dr.-Ing. Sven Bugiel
Teaching assistants: Madhu Priya Murugan, Dhiman Chakraborty, Jie Huang
Time/Place: Tuesday 16 – 18, Building E1 3, HS 001
Kick-off: Tuesday, 8th November, 16:00 – 16:30, Building E1 3, HS 001
Language: English
LSF: Here
L:Admin: Here
Important: Students who finished the course 95377: Android Security are not permitted to register for the exam of this course!


  • 04.11.2016: Pre-registration closed
  • 30.09.2016: More information on registration using own hardware
  • 21.09.2016: Course website online


This advanced lecture deals with different fundamental aspects of mobile operating system and application security, with a strong focus on the popular, open-source Android OS and its ecosystem. The course increases students' awareness and understanding of security and privacy problems on smartphones. Students learn to tackle current security and privacy issues from the perspectives of the different security principals in the smartphone ecosystem: end-users, app developers, market operators, system vendors, and third parties (like companies).

Central questions of this course are:

  • What is the threat model from the different principals' perspective?
  • How are basic design patterns of secure systems and security best practices realized in the design of smartphone operating systems? And how does the multi-layered software stack (i.e., middleware on top of the OS) influence this design?
  • How are hardware security primitives, such as Trusted Execution Environments, and trusted computing concepts integrated in those designs?
  • What are the techniques and solutions market operators have at hand to improve the overall ecosystem's hygiene?
  • Which problems and solutions have been identified in the past half decade of security research in this area?
  • Which techniques have been developed to empower end-users to protect their privacy?

The lectures are accompanied by exercises that reinforce the theoretical concepts and provide an environment for hands-on experience with mobile security on the Android platform. Additionally, a short course project provides hands-on experience in extending Android's security architecture with a simple custom access control enforcement mechanism.


There are no formal requirements for participation. Students who want to participate in the course should

  • have worked with a smartphone before (e.g., own an Android-based phone, iPhone, etc.)
  • be familiar with programming in Java (and C/C++)
  • be comfortable working with Linux

Actual programming experience on Android or at OS-level is not a prerequisite, but definitely an advantage.

Background in security is also an advantage (e.g., prior participation in the Foundations of Cybersecurity lecture or Security core lecture). However, the necessary background on system design, access control, and network security will be provided in this lecture in order to better put Android's design choices into context.

Requirements for obtaining credit points (Scheinvergabe)

For passing the course, the following minimal amount of points is needed:
  • 50% of the points from the exercise sheets; and
  • 50% of the points from the final exam.

The endterm exam will take place Thu, 23.02.2017, in E2.2 Günter-Hotz lecture hall from 14:00-16:00 (s.t.).

The backup exam will take place Mon, 10.04.2017, in E2.2 Günter-Hotz lecture hall from 14:00-16:00 (s.t.).


The registration is closed.


| Time | Place | Tutor |
|---|---|---|
| Thu 14-16 | E1.1, SR206 | Madhu Priya Murugan |
| Thu 16-18 | E1.3, SR014 | Jie Huang |
| Fri 10-12 | E1.3, SR014 | Dhiman Chakraborty |
| Fri 14-16 | E1.3, SR015 | Sven Bugiel |

Lecture Notes

The references for the lecture slides can be found here. (Last update: Nov 08, 2016)

| Date | Topic | Exercise |
|---|---|---|
| 24-10-2016 | No lecture! | |
| 01-11-2016 | No lecture! (All Saints' Day) | |
| 08-11-2016 | Kick-off; Lecture 1: Motivation and Basic Concepts | Exercise 1 |
| 15-11-2016 | Lecture 2: Security Concepts and Security Architecture | Exercise 2; Solution for Exercise 2; APKs for Exercise 2 |
| 22-11-2016 | Lecture 3: Security Architecture II | |
| 29-11-2016 | Lecture 3: Security Architecture II | Exercise 3; Solution for Exercise 3 |
| 06-12-2016 | Lecture 4: Security Architecture III | Exercise 4; Solution for Exercise 4 |
| 13-12-2016 | Lecture 5: Security Support APIs | Exercise 5 (Course Project) (Updated 2017/01/09) |
| 20-12-2016 | No lecture! (Christmas holidays) | |
| 03-01-2017 | No lecture! | |
| 10-01-2017 | Lecture 6: Advanced Attacks and Problems | |
| 17-01-2017 | Lecture 7: Network Security | Exercise 6; Solution of Exercise 6 |
| 24-01-2017 | Lecture 8: App Analysis | Exercise 7; Solution of Exercise 7 |
| 31-01-2017 | Lecture 9: Application-layer Security Extensions | Exercise 8; Solution of Exercise 8 |
| 07-02-2017 | Lecture 10: Intro to Trusted Computing and Trusted Computing Concepts | Exercise 9; Solution for Exercise 9 |
| 14-02-2017 | Lecture 11: Hardware Security Primitives and Mobile Trusted Computing; Q&A for exam | |