TULIPS: Projects

Technology Usability Lab In Privacy and Security

Usability of Security APIs

The overall goal of this project is to develop a usable SSL/TLS API by studying how developers with limited security background approach adding encryption to their projects, followed by identifying common sources of error, and then iteratively designing an API that supports adding security as part of the developer's typical work model.

SSL/TLS is used to encrypt communication between devices on the internet, but many developers make errors when attempting to incorporate these libraries into their projects, leading to serious security problems such as data leakage and potential compromise of devices. It is estimated that as many as 88% of Android apps contain at least one cryptographic API usage mistake, e.g., using constants for keys, salt, seeds, or choosing the wrong encryption mode [1].

Just like any other human computer interface, APIs need to be designed to be usable, minimize accidental error, and generally support the workflow of users. When these principles are not taken into account, it becomes easy for even highly skilled developers to make mistakes. While several HCI methods exist for exploring API usability and creating new API designs, in general there have been few attempts to apply them to security libraries.

[1] Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. An empirical study of cryptographic misuse in Android applications. In Proc. ACM CCS’13, pages 73–84. ACM, 2013.

People

Funding

Research and projects here are partially funded by the following groups:

Related Student Projects

The following are projects completed by interns, undergraduate, and masters students related to the Software Update project.
Project screenshot.

Encrypt me if you can: Helping developers add Transport Layer Security to Android applications

Dimple Gulrajani (2016-2017, Undergraduate Thesis)

Supervisor: Kami Vaniea

An alarming number of mobile applications on the Google Play store do not encrypt their communications leaving them open to Man In The Middle attacks. This thesis analyzes why this is the case and presents a new tutorial to help developers correctly use TLS.