RPE: Richard McPherson, GDC 6.816

Contact Name: Lydia Griffith
Date: Dec 16, 2013 11:00am - 12:00pm

Research Preparation Exam: Richard McPherson

Date: December 16, 2013
Time: 11:00 AM - 12:00 PM
Place: GDC 6.816
RPE Committee: Vitaly Shmatikov (chair), Lili Qiu, Lorenzo Alvisi

Title: No Escape From Reality: Security and Privacy of Augmented Reality Browsers

Abstract:

Augmented reality (AR) browsers are an emerging category of mobile
applications that add interactive virtual objects to the user's view of
the outside world.  We carry out the first comprehensive evaluation of
security and privacy issues in AR browsers, focusing on the three most
popular ones (Junaio, Layar, and Wikitude), which have already
been installed on more than 30 million iOS and Android devices.

We start by analyzing the functional requirements that AR browsers must
support in order to present AR content: accessing native resources on
mobile devices, rendering and manipulating non-HTML content such as
2D and 3D models, integrating HTML and non-HTML content from multiple
origins, outsourced image processing, and delegated authentication.
We then investigate how AR browsers meet their requirements using
off-the-shelf components (in particular, WebView) and demonstrate that
these components do not provide the right abstractions and system support
for AR functionality.

The lack of system support causes AR browsers to rely on ad hoc schemes
and mechanisms that contain inherent security and privacy flaws.
We demonstrate how these built-in flaws can be exploited for cookie
theft, cross-site scripting attacks against any Web content, bypassing of
normal access control for device resources such as the onboard camera,
clickjacking, and other serious attacks.  We conclude with lessons and
recommendations.