Information and Data Security

Assignment: II Total Marks: 30 Weighting: 15% Deadline:, 17 November 2020 (11:59 pm). Note: Submit the assignment via Turnitin (Include Student Name and ID in assignment). Objectives This assignment has been designed to test your knowledge for investigating access control and any potential issues with mobile applications. Note 

• Assumptions (if any) must be stated clearly in your answers. 

• There may not be one right answer for some of the questions. So, your explanations need to present your case clearly. The explanations you provide do not have to be long; conciseness is preferred to meandering. 

• It is recommended that you use Python for the programming components of the assignment. However, you are free to use another programming language provided the question/answer/solution can be naturally translated into a similar problem in that programming language. 1 Assessment For all questions in this assignment not only content but also presentation will affect your mark. You may lose marks if there are considerable problems with the presentation, particularly with clarity. This means that your answers to each question should be a coherent statement. You should ensure that spelling and grammar mistakes of your submission are kept to a minimum. 

• Clarity: – Ambiguous or poorly worded answers will receive a grade no more than a pass for the individual question. 

• Correctness of approach taken and answer obtained: – Incorrect answers with the correct logic or approach will not be necessarily penalised. – Correct answers with incorrect logic or approach will receive no more than pass for the individual question. – Incorrect answers with no explanation of the approach taken or with the incorrect approach will receive a fail grade for the individual question. The questions will be marked individually, the marks totalled, and a final grade assigned that is no more than indicated by the total marks, and no more than allowed by the standards specified above and in the unit outline. Submission • On line submission via Turnitin. Assignments will be marked and returned online. There are no hardcopy submissions for written assignments. Ensure you submit the correct file. The submission process shows you a complete preview of your entire assignment after you have uploaded it but before you have submitted it. Carefully check through every single page to ensure everything is there and the correct version has been uploaded, and only then press CONFIRM. Multiple submissions may be possible via Turnitin prior to the final due date and time of an assessment task and originality reports may be made available to students to view and check their levels of similarity prior to making a final submission. Students are encouraged to use these reports to ensure that they do not breach the Academic Honesty Policy through high levels of similarity checks. 2 Access Control (marks: 3) A lattice is a partially ordered set (L, ?) in which every subset has a greatest lower bound and a least upper bound. The least upper bound (or greatest lower bound) property is important in access control since we would like to uniquely determine the combined access privileges of any subset of security clearances in the access control model. 

Ex. 1 — Is the model shown in Figure 1 a lattice? Why or why not? (marks: 2) a d e f b c Figure 1: Is this a lattice? Bell-LaPadula Model The security levels TS, S, C, U stand for Top Secret, Secret, Classified, and Unclassified, respectively. Why is the “covert channel” attack mentioned against the Bell-LaPadula model, a covert attack? First a covert channel is a communication link through which information is NOT supposed to flow. Secondly, it would be undetected by the security mechanisms in place. In the attack example shown in the lecture, the subject with higher clearance may be sending the information contained in the object to the subject with lower clearance. 

Ex. 2 — Why is the covert channel attack on Bell-LaPadula Model an issue? (marks: 1) Online Tracking and Fingerprinting (marks: 10) Ex. 3 — One of the hotly contested issues in online tracking is whether tracking should be opt-out or opt-in, i.e., whether the default should be tracking or non-tracking. Does this actually matter, since both provide the same choice? (marks: 1) 

Ex. 4 — For Do Not Track to be meaningful, there has to be some way of detecting trackers that are not in compliance. What are some ways of doing so? (marks: 1)

 Ex. 5 — Are there tools you can download that are specifically intended to resist fingerprinting? (marks: 1) 3 

Ex. 6 — Are there applications of fingerprinting for fraud prevention? (marks: 1) 

Ex. 7 — Neither self-regulation in the U.S. nor Government regulation in the EU (e.g., “the cookie law”) has worked particularly well. What are some reasons that these attempts have run into problems? (marks: 2) 

Ex. 8 — Speculate on what the state of online tracking might look like in 5 years. (marks: 1) 

Ex. 9 — Experiment with Panopticlick. Try to minimize the identifiability of your usual browser or another browser. What’s the most anonymous you were able to get? With what settings? (marks: 3) Android Apps’ Analysis (marks: 17) Suppose you were hired by Google to analyze the recently published Android application on Google Play store: YogaForDiabities1 ; and MobInCube2 . Equipped with skills learnt in COMP8320, you opt to perform static and dynamic analysis of these apps. Essentially, you use Use mitmweb to analyze the network traffic sent and received by these two apps. Use mitmweb to analyze YogaForDiabities’ traffic 

Ex. 10 — What is the value of id sent by YogaForDiabities in HTTP request to (marks: 1) 

Ex. 11 — What is the value of adsid sent by YogaForDiabities in HTTP request to (marks: 1)

 Ex. 12 — What is the Android OS version and Phone Model on which YogaForDiabities was run? (Hint: Analyze all ‘POST’ requests.) (marks: 1) 

Ex. 13 — What is the value of cookie (named: ASP.NET SessionId) set by  What is the type of set cookie? (marks: 1) 

Ex. 14 — What is the value of cookie (named: afclick) set by  And what is the expiry date of the cookie? What is the main difference between this cookie (named: afclick) and ASP.NET SessionId? (marks: 2)

Ex. 15 — What is the value of imei shared with (marks: 1) 

Ex. 16 — Why adOpt is set to false? Can airpush.com tracks and shows advertisements if it is set to true? (marks: 2) 1APP ID: appinventor.ai homestudioapp.yogafordiabities 2APP ID: com.mobincube.android.sc 3DRJG7 4 Use mitmweb to analyze MobinCube’s traffic

 Ex. 17 — What is the Phone Model and network carrier name (carrierName) on which MobInCube was run? (marks: 1) 

Ex. 18 — What is the location related permission requested by MobInCube? What is location (latitude and longitude) value shared with  (marks: 2) 

Ex. 19 — Visit privacy policies of YogaForDiab eties  and MobInCube  and report whether or not these apps are transparent about the information they collect? (marks: 2) 

Ex. 20 — What are your recommendations on the security and privacy option of these two apps? Would you recommend these apps to user? Why or why not? (marks: 3) ——— End Assignment 2 ——— 5

No Comment.