61 results on '"Browsers"'
Search Results
2. Quantifying Information Exposure by Web Browsers
- Author
-
Mohsen, Fadi, Shehab, Mohamed, Lange, Maxamilliano, Karastoyanova, Dimka, Kacprzyk, Janusz, Series Editor, Pal, Nikhil R., Advisory Editor, Bello Perez, Rafael, Advisory Editor, Corchado, Emilio S., Advisory Editor, Hagras, Hani, Advisory Editor, Kóczy, László T., Advisory Editor, Kreinovich, Vladik, Advisory Editor, Lin, Chin-Teng, Advisory Editor, Lu, Jie, Advisory Editor, Melin, Patricia, Advisory Editor, Nedjah, Nadia, Advisory Editor, Nguyen, Ngoc Thanh, Advisory Editor, Wang, Jun, Advisory Editor, Arai, Kohei, editor, Kapoor, Supriya, editor, and Bhatia, Rahul, editor
- Published
- 2021
3. Machine Learning for Web Vulnerability Detection: The Case of Cross-Site Request Forgery.
- Author
-
Calzavara, Stefano, Conti, Mauro, Focardi, Riccardo, Rabitti, Alvise, and Tolomei, Gabriele
- Abstract
We propose a methodology to leverage machine learning (ML) for the detection of web application vulnerabilities. We use it in the design of Mitch, the first ML solution for the black-box detection of cross-site request forgery vulnerabilities. Finally, we show the effectiveness of Mitch on real software. [ABSTRACT FROM AUTHOR]
- Published
- 2020
4. Botnet in the Browser: Understanding Threats Caused by Malicious Browser Extensions.
- Author
-
Perrotta, Raffaello and Hao, Feng
- Abstract
Browser extension systems risk exposing APIs, which are too permissive and cohesive with the browser’s internal structure, leaving a hole for malicious developers to exploit security critical functionality. We present a botnet framework based on malicious browser extensions and provide an exhaustive range of attacks that can be launched in this framework. [ABSTRACT FROM AUTHOR]
- Published
- 2018
5. A New User Front End for EAST Remote Participation.
- Author
-
Sun, Xiaoyang, Ji, Zhenshan, Wang, Feng, and Wang, Yang
- Subjects
- *TOKAMAKS, *REMOTE handling (Radioactive substances), *SUPERCONDUCTING device testing, *NUCLEAR reactors, *NUCLEAR fusion, *EQUIPMENT & supplies, DESIGN & construction
- Abstract
The Web-based remote participation system for experimental advanced superconducting tokamak (EAST RPS) has been developed to provide a high-efficient and low-cost way to meet international collaboration requirements. The EAST RPS team focused on the extension, update, and optimization for the RPS during last two years. In the first version, EAST RPS has established Apache-Flex based front-end components to provide a platform-independent user interface. However, some Web browsers, such as Firefox, Google Chrome, and Microsoft Edge, and operating systems (iOS and Android) stop supporting or disable the Flash Player plugin by default, and the Flex technology will become less relevant in the future. The purpose of this paper is to provide an update of the RPD in EAST. The front-end migration should be a priority to update the EAST RPS. The open source, cross-platform, maintainability, and life cycle are the key features that the front-end platform must have. The technical solutions for the new user front end for EAST RPS are offered in this paper. [ABSTRACT FROM AUTHOR]
- Published
- 2018
6. Managing Potentially Intrusive Practices in the Browser: A User-Centered Perspective
- Author
-
Daniel Smullen, Norman Sadeh, Arthur Edelstein, Yaxing Yao, Yuanyuan Feng, and Rebecca Weiss
- Subjects
understanding ,Ethics ,browsers ,Computer science ,05 social sciences ,Perspective (graphical) ,interaction design ,security ,QA75.5-76.95 ,02 engineering and technology ,privacy ,BJ1-1725 ,usability ,World Wide Web ,mental models ,Electronic computers. Computer science ,020204 information systems ,0202 electrical engineering, electronic engineering, information engineering ,General Earth and Planetary Sciences ,0501 psychology and cognitive sciences ,preferences ,050107 human factors ,settings ,General Environmental Science
- Abstract
Browser users encounter a broad array of potentially intrusive practices: from behavioral profiling, to crypto-mining, fingerprinting, and more. We study people’s perception, awareness, understanding, and preferences to opt out of those practices. We conducted a mixed-methods study that included qualitative (n=186) and quantitative (n=888) surveys covering 8 neutrally presented practices, equally highlighting both their benefits and risks. Consistent with prior research focusing on specific practices and mitigation techniques, we observe that most people are unaware of how to effectively identify or control the practices we surveyed. However, our user-centered approach reveals diverse views about the perceived risks and benefits, and that the majority of our participants wished to both restrict and be explicitly notified about the surveyed practices. Though prior research shows that meaningful controls are rarely available, we found that many participants mistakenly assume opt-out settings are common but just too difficult to find. However, even if they were hypothetically available on every website, our findings suggest that settings which allow practices by default are more burdensome to users than alternatives which are contextualized to website categories instead. Our results argue for settings which can distinguish among website categories where certain practices are seen as permissible, proactively notify users about their presence, and otherwise deny intrusive practices by default. Standardizing these settings in the browser rather than being left to individual websites would have the advantage of providing a uniform interface to support notification, control, and could help mitigate dark patterns. We also discuss the regulatory implications of the findings.
- Published
- 2021
7. Detecting Mobile Malicious Webpages in Real Time.
- Author
-
Amrutkar, Chaitrali, Kim, Young Seuk, and Traynor, Patrick
- Subjects
SMARTPHONES, WEB browsing, MALWARE, HTML (Document markup language)
- Abstract
Mobile specific webpages differ significantly from their desktop counterparts in content, layout, and functionality. Accordingly, existing techniques to detect malicious websites are unlikely to work for such webpages. In this paper, we design and implement kAYO, a mechanism that distinguishes between malicious and benign mobile webpages. kAYO makes this determination based on static features of a webpage ranging from the number of iframes to the presence of known fraudulent phone numbers. First, we experimentally demonstrate the need for mobile specific techniques and then identify a range of new static features that highly correlate with mobile malicious webpages. We then apply kAYO to a dataset of over 350,000 known benign and malicious mobile webpages and demonstrate 90 percent accuracy in classification. Moreover, we discover, characterize, and report a number of webpages missed by Google Safe Browsing and VirusTotal, but detected by kAYO. Finally, we build a browser extension using kAYO to protect users from malicious mobile websites in real-time. In doing so, we provide the first static analysis technique to detect malicious mobile webpages. [ABSTRACT FROM AUTHOR]
- Published
- 2017
8. The Market's Law of Privacy: Case Studies in Privacy and Security Adoption.
- Author
-
Gupta, Chetan
- Abstract
It might be possible for individual actors in a marketplace to drive the adoption of particular privacy and security standards. Using HTTPS, two-factor authentication, and end-to-end encryption as case studies, the author tries to ascertain which factors are responsible for successful diffusion that improves the privacy of a large number of users. [ABSTRACT FROM PUBLISHER]
- Published
- 2017
9. Does the Online Card Payment Landscape Unwittingly Facilitate Fraud?
- Author
-
Ali, Mohammed Aamir, Arief, Budi, Emms, Martin, and van Moorsel, Aad
- Abstract
An extensive study of the current practice of online payment using credit and debit cards reveals the intrinsic security challenges caused by differences in how payment sites operate. [ABSTRACT FROM PUBLISHER]
- Published
- 2017
10. Designing Application Permission Models that Meet User Expectations.
- Author
-
Roesner, Franziska
- Abstract
How should applications legitimately requiring access to sensitive resources to carry out their functionality be granted access to those resources? The answer to this question depends on users. This article introduces user-driven access control, an alternate permission model that adheres to the principle of least privilege while reducing the burden on users to make explicit permission decisions. [ABSTRACT FROM PUBLISHER]
- Published
- 2017
11. Neural Markers of Cybersecurity: An fMRI Study of Phishing and Malware Warnings.
- Author
-
Neupane, Ajaya, Saxena, Nitesh, Maximo, Jose Omar, and Kana, Rajesh
- Abstract
The security of computer systems often relies upon decisions and actions of end users. In this paper, we set out to investigate users’ susceptibility to cybercriminal attacks by concentrating at the most fundamental component governing user behavior—the human brain. We introduce a novel neuroscience-based study methodology to inform the design of user-centered security systems as it relates to cybercrime. In particular, we report on a functional magnetic resonance imaging study measuring users’ security performance and underlying neural activity with respect to two critical security tasks: 1) distinguishing between a legitimate and a phishing website and 2) heeding security (malware) warnings. We identify the neural markers that might be controlling users’ performance in these tasks, and establish relationships between brain activity and behavioral performance as well as between users’ personality traits and security behavior. Our results provide a largely positive perspective on users’ capability and performance vis-à-vis these crucial security tasks. First, we show that users exhibit significant brain activity in key regions associated with decision-making, attention, and problem-solving (phishing and malware warnings) as well as language comprehension and reading (malware warnings), which means that users are actively engaged in these security tasks. Second, we demonstrate that certain individual traits, such as impulsivity measured via an established questionnaire, are associated with a significant negative effect on brain activation in these tasks. Third, we discover a high degree of correlation in brain activity (in decision-making regions) across phishing detection and malware warnings tasks, which implies that users’ behavior in one task may potentially be predicted by their behavior in the other. Fourth, we discover high functional connectivity among the core regions of the brain, while users performed the phishing detection task.
Finally, we discuss the broader impacts and implications of our work on the field of user-centered security, including the domain of security education, targeted security training, and security screening. [ABSTRACT FROM PUBLISHER]
- Published
- 2016
12. A Taxonomy of Domain-Generation Algorithms.
- Author
-
Sood, Aditya K. and Zeadally, Sherali
- Abstract
Domain-generation algorithms (DGAs) allow attackers to manage infection-spreading websites and command-and-control (C&C) deployments by altering domain names on a timely basis. DGAs have made the infection and C&C architecture more robust and supportive for attackers. This detailed taxonomy of DGAs highlights the problem and offers solutions to combat DGAs through detection of drive-by download and C&C activity from the compromised machine. [ABSTRACT FROM PUBLISHER]
- Published
- 2016
13. Using Passive Measurements to Demystify Online Trackers.
- Author
-
Metwalley, Hassan, Traverso, Stefano, and Mellia, Marco
- Subjects
- *INTERNET, *COMPUTER users, *WEBSITES, *INTERNET advertising, *ELECTRONIC commerce
- Abstract
The Internet revolution has led to the rise of trackers--online tracking services that shadow users' browsing activity. Despite the pervasiveness of online tracking, few users install privacy-enhancing plug-ins. [ABSTRACT FROM AUTHOR]
- Published
- 2016
14. Mitigating Cross-Site Scripting Attacks with a Content Security Policy.
- Author
-
Yusof, Imran and Pathan, Al-Sakib Khan
- Subjects
- *NATIONAL security, *WEB-based user interfaces, *PROTOTYPES, *CSP (Computer program language), *PROGRAMMING languages
- Abstract
A content security policy (CSP) can help Web application developers and server administrators better control website content and avoid vulnerabilities to cross-site scripting (XSS). In experiments with a prototype website, the authors' CSP implementation successfully mitigated all XSS attack types in four popular browsers. [ABSTRACT FROM AUTHOR]
- Published
- 2016
15. Analysis and Mitigation of NoSQL Injections.
- Author
-
Ron, Aviv, Shulman-Peleg, Alexandra, and Puzanov, Anton
- Abstract
NoSQL data storage systems have become very popular due to their scalability and ease of use. Unfortunately, they lack the security measures and awareness that are required for data protection. Although the new data models and query formats of NoSQL data stores make old attacks such as SQL injections irrelevant, they give attackers new opportunities for injecting their malicious code into the statements passed to the database. Analysis of the techniques for injecting malicious code into NoSQL data stores provides examples of new NoSQL injections as well as Cross-Site Request Forgery attacks, allowing attackers to bypass perimeter defenses such as firewalls. Analysis of the source of these vulnerabilities and present methodologies can mitigate such attacks. Because code analysis alone is insufficient to prevent attacks in today's typical large-scale deployment, certain mitigations should be done throughout the entire software life cycle. [ABSTRACT FROM PUBLISHER]
- Published
- 2016
16. Stickler: Defending against Malicious Content Distribution Networks in an Unmodified Browser.
- Author
-
Levy, Amit, Corrigan-Gibbs, Henry, and Boneh, Dan
- Abstract
Website publishers can derive enormous performance benefits and cost savings by directing traffic to their sites through content distribution networks (CDNs). However, publishers who use CDNs must trust they won't modify the site's JavaScript, CSS, images, or other media en route to end users. A CDN that violates this trust could inject ads into websites, downsample media to save bandwidth, or, worse, inject malicious JavaScript code to steal user secrets it couldn't otherwise access. The authors present Stickler, a system for website publishers that guarantees the end-to-end authenticity of content served to users that simultaneously lets publishers reap the benefits of CDNs. Crucially, Stickler achieves these guarantees without requiring modifications to the browser. [ABSTRACT FROM PUBLISHER]
- Published
- 2016
17. Protected Web Components: Hiding Sensitive Information in the Shadows.
- Author
-
De Ryck, Philippe, Nikiforakis, Nick, Desmet, Lieven, Piessens, Frank, and Joosen, Wouter
- Subjects
WEB-based user interfaces, COMPUTER security, COMPUTER systems, INFORMATION technology, JAVASCRIPT programming language, PROGRAMMING languages
- Abstract
Most modern Web applications depend on the integration of code from third-party providers, such as JavaScript libraries and advertisements. Because the included code runs within the page's security context, it represents an attractive attack target, allowing the compromise of numerous Web applications through a single attack vector (such as a malicious advertisement). Such opportunistic attackers aim to execute low-profile, nontargeted, widely applicable data-gathering attacks, such as the silent extraction of user-specific data and authentication credentials. In this article, the authors show that third-party code inclusion is rampant, even in privacy-sensitive applications such as online password managers, thereby potentially exposing the user's most sensitive data to attackers. They propose protected Web components, which leverage the newly proposed Web components, repurposing them to protect private data against opportunistic attacks, by hiding static data in the Document Object Model (DOM) and isolating sensitive interactive elements within a component. This article is part of a special issue on IT security. [ABSTRACT FROM AUTHOR]
- Published
- 2015
18. It's All in the Cloud: Reviewing Cloud Security.
- Author
-
Pitropakis, Nikolaos, Darra, Eleni, Vrakas, Nikos, and Lambrinoudakis, Costas
- Abstract
Cloud computing is gradually replacing traditional IT infrastructures. However, an important issue that has emerged through that revolution is the preservation of an adequate level of security for the infrastructure. Currently there are many researchers working in the area of cloud security and privacy protection, proposing several solutions that address the threats against cloud infrastructures. This paper provides a thorough review of the research work in the area presenting the solutions that have been proposed so far. [ABSTRACT FROM PUBLISHER]
- Published
- 2013
19. On Detection and Prevention of Clickjacking Attack for OSNs.
- Author
-
Rehman, Ubaid Ur, Khan, Waqas Ahmad, Saqib, Nazar Abbas, and Kaleem, Muhammad
- Abstract
Click jacking attacks are the emerging threats to websites, especially to online social networks (OSNs). In this paper, we describe some new attacks to online websites. The new Click jacking attacks cause serious damage to users by stealing their personal credentials or by sharing their personal information on social networks bringing moral degradation to them. The attacker applications are hidden behind the sensitive user interface to steal the clicks of the user and use them for illegal purposes. To detect and prevent Click jacking attacks, we propose a browser-based solution referred to as Cursor Spoofing and Click jacking Prevention (CSCP). CSCP ensures protection against Cursor spoofing attack with high effectiveness and also the Like jacking attacks, another variation of Click jacking attacks which associate malicious code to Facebook Like buttons. We have conducted our studies on 442 participants to evaluate the effectiveness of our attacks and also defenses. Results show that our attack success rate falls between 76% and 78%. [ABSTRACT FROM PUBLISHER]
- Published
- 2013
20. Automated detection of session management vulnerabilities in web applications.
- Author
-
Takamatsu, Yusuke, Kosuga, Yuji, and Kono, Kenji
- Abstract
Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor, which is initiated when he/she arrives at a web application and it ends when his/her browser is closed or after a certain time of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities by means of session fixation and cross-site request forgery attacks. Even though such session management vulnerabilities can be eliminated in the development phase of web applications, the test operator is required to have detailed knowledge on the attacks and to set up a test environment each time he/she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to only enter a few pieces of basic information about the web application, without requiring a test environment to be set up or detailed knowledge on the web application. Our experiments demonstrated that our technique could detect vulnerabilities in five web applications deployed in the real world. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
21. Improve security of web Browser with stand-alone e-Learning awareness application.
- Author
-
Serrhini, Mohammed, Dargham, Abdelmajid, and Ait-Moussa, Abdel Aziz
- Abstract
We are living in the electronic age where electronic transactions such as e-mail, e-banking, e-commerce, and e-learning etc. are becoming more and more prominent. To access online for these services, web browser is today's almost unique software used. These days' hackers know that browsers are installed into all computers, and can be used to compromise a machine by distributing malware via malicious or hacked websites. Also these sites use JavaScript to manipulate web browsers and can drive user system to failures. Each web browser has features that define its behaviors; unfortunately most of users are unwilling to enable or disable these features, because many of them still do not understand even basic security concepts. This paper will briefly describe some specific web browser features misconfiguration and associated risks, also we present an application that will check configuration of selected web browser in order to find all misconfigured features, and propose to student through tailored e-learning awareness program to reconfigure them securely. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
22. Study and Application of a Migrating Instance.
- Author
-
Jing, Wang
- Abstract
A Workflow Management System usually works in a specific trusted environment in practice. So it increases migrating efficiency of migrating instance by configuring some functions of the migrating instance as the services of trusted work position. In the research, we improved the light migrating instance[5] according to Emergency Information Management characteristics. We designed Emergency Information Management System based on the migrating instance. In the System, Browser/Server and Client/Server were adopted. In the paper, the improvement of migrating instance was discussed firstly. Next structure and functions of Emergency Information Management System were introduced. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
23. Don't work. Can't work? Why it's time to rethink security warnings.
- Author
-
Krol, Kat, Moroz, Matthew, and Sasse, M. Angela
- Abstract
As the number of Internet users has grown, so have the security threats that they face online. Security warnings are one key strategy for trying to warn users about those threats; but recently, it has been questioned whether they are effective. We conducted a study in which 120 participants brought their own laptops to a usability test of a new academic article summary tool. They encountered a PDF download warning for one of the papers. All participants noticed the warning, but 98 (81.7%) downloaded the PDF file that triggered it. There was no significant difference between responses to a brief generic warning, and a longer specific one. The participants who heeded the warning were overwhelmingly female, and either had previous experience with viruses or lower levels of computing skills. Our analysis of the reasons for ignoring warnings shows that participants have become desensitised by frequent exposure and false alarms, and think they can recognise security risks. At the same time, their answers revealed some misunderstandings about security threats: for instance, they rely on anti-virus software to protect them from a wide range of threats, and do not believe that PDF files can infect their machine with viruses. We conclude that security warnings in their current forms are largely ineffective, and will remain so, unless the number of false positives can be reduced. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
24. Towards a Semantics of Phish.
- Author
-
Orman, Hilarie
- Abstract
Phishing constitutes more than half of all reported security incidents on the Internet. The attacks cause users to erroneously trust websites and enter sensitive data because the email notifications and the website look familiar. Our hypothesis is that familiarity can be defined formally using history data from the user's computer, and effective presentation of the data can help users distinguish phishing messages from trustworthy messages. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
25. A Novel Security Scheme for Online Banking Based on Virtual Machine.
- Author
-
Guan, Bei, Wu, Yanjun, and Wang, Yongji
- Abstract
Current online banking scheme built on ordinary software stack, which comprises of the operating system and its applications running on it, is facing attacks including Phishing, Pharming, Malicious Software Attacks (MSW), Man in the Middle Attacks (MITM) and Key logger. Today's countermeasures either prevent only part of these attacks or have high cost on performance and usability. In this paper, we introduce the Domain Online Banking (DOBank), a novel security scheme for online banking that combines the virtual machine (VM) technology with web services. Firstly, DOBank encapsulates the banking service into a lightweight domain and protects it from any attacks caused by virus from the user's host. Secondly, the domain can access certain hardware devices exclusively against Key logger and gains nearly native performance using the pass through technology. Finally, we use the virtual Trusted Platform Module (vTPM) for the online banking domain's integrity verification as well as the SSL/TLS (Security Sockets Layer/Transport Layer Security) protocol for the confidentiality of data transaction over the internet. We show that this scheme is secure enough to prevent typical viruses that threaten the online banking. The experiments on the network throughput and the time consumed of integrity measurement show it adds little overhead to the overall system. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
26. Integrated detection of anomalous behavior of computer infrastructures.
- Author
-
Maggi, Federico and Zanero, Stefano
- Abstract
Our research concentrates on anomaly detection techniques, which have both industrial applications such as network monitoring and protection, as well as research applications such as software behavioral analysis or malware classification. During our doctoral research, we worked on anomaly detection from three different perspectives, as a complex computer infrastructure has several weak spots that must be protected. We first focused on the operating system, central to any computer, to avoid malicious code to subvert its normal activity. Secondly, we concentrated on web applications, which are the main interface to modern computing: Because of their immense popularity, they have indeed become the most targeted entry point of intrusions. Last, we developed novel techniques with the aim of identifying related events (e.g., alerts reported by intrusion detection systems) to build new and more compact knowledge to detect malicious activity on large-scale systems. During our research we enhanced existing anomaly detection tools and also contributed with new ones. Such tools have been tested over different datasets, both synthetic data and real network traffic, and led to interesting results that were accepted for publication at main security venues. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
27. Sensor based home automation and security system.
- Author
-
Assaf, Mansour H., Mootoo, Ronald, Das, Sunil R., Petriu, Emil M., Groza, Voicu, and Biswas, Satyendra
- Abstract
The conventional design of home security systems typically monitors only the property and lacks physical control aspects of the house itself. Also, the term security is not well defined because there is a time delay between the alarm system going on and actual arrival of the security personnel. This paper discusses the development of a home security and monitoring system that works where the traditional security systems that are mainly concerned about curbing burglary and gathering evidence against trespassing fail. The paper presents the design and implementation details of this new home control and security system based on field programmable gate array (FPGA). The user here can interact directly with the system through a web-based interface over the Internet, while home appliances like air conditioners, lights, door locks and gates are remotely controlled through a user-friendly web page. An additional feature that enhances the security aspect of the system is its capability of monitoring entry points such as doors and windows so that in the event of any breach, an alerting email message is sent to the home owner instantly. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
28. A leaky bucket called smartphone.
- Author
-
Ugus, Osman, Westhoff, Dirk, and Rajasekaran, Hariharan
- Abstract
This work is a survey presenting attacks on smartphones and recommending the best possible locations for deploying defensive mechanisms to mitigate those attacks. The attack vectors are categorized into three classes according to their characteristics as attacks via application layer, communication layer and operating system layer. We describe various attacks belonging to each of these classes and suggest locations where defensive mechanisms could be deployed to mitigate them. This paper does not intend to present a complete list of attacks. It rather tries to evaluate the best possible place for implementing the potential countermeasures to either prevent or to detect attacks with similar characteristics. The focus of this work is therefore to present a set of representative attacks on smartphone specific services and to identify meaningful locations where particular countermeasures available from the literature could be installed. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
29. Solving Some Modeling Challenges when Testing Rich Internet Applications for Security.
- Author
-
Choudhary, Suryakant, Dincturk, Mustafa Emre, Bochmann, Gregor V., Jourdan, Guy-Vincent, Onut, Iosif Viorel, and Ionescu, Paul
- Abstract
Crawling is a necessary step for testing web applications for security. An important concept that impacts the efficiency of crawling is state equivalence. This paper proposes two techniques to improve any state equivalence mechanism. The first technique detects parts of the pages that are unimportant for crawling. The second technique helps identifying session parameters. We also present a summary of our research on crawling techniques for the new generation of web applications, so-called Rich Internet Applications (RIAs). RIAs present new security and crawling challenges that cannot be addressed by traditional techniques. Solving these issues is a must if we want to continue benefitting from automated tools for testing web applications. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
30. MANTICORE: Masking All Network Traffic via IP Concealment with OpenVPN Relaying to EC2.
- Author
-
Butler, Patrick, Rhodes, Adam, and Hasan, Ragib
- Abstract
Malware and computer forensic researchers often communicate with malicious servers, either directly or indirectly, through the web browser or other ports utilized by malicious software. Communication with this form of adversary can sometimes necessitate the use of a proxy server in order to conceal the true origin of the researcher's traffic. Open source projects such as OpenVPN currently offer a structured method for establishing software based virtual private networks (VPNs) between arbitrary clients and servers. Likewise, paradigms exist which allow a user to proxy traffic from one end of a VPN to another, effectively masking the origin of traffic being sent to and from the client system. In this paper, we present MANTICORE -- a system that combines ideas from VPN with the instancing functionality of a cloud computing system in order to dynamically mask and reassign the apparent IP address of a researcher's system. We also present experimental evaluation of our system on Amazon's Elastic Compute Cloud (EC2). [ABSTRACT FROM PUBLISHER]
- Published
- 2012
31. The design and implementation of Cloud Terminal Operating System Kernel.
- Author
-
Zhang, Fanlong, Su, Xiaohong, Sun, Zhigang, and Ma, Peijun
- Abstract
With the rapid development of Internet and Cloud Computing, Web-based applications become more powerful. In order to fully use the Web-based applications, we design a new Operating System known as the Cloud Terminal Operating System. CTOS just runs one application which is Web browser, and the Web-based applications meet all the daily needs of users. CTOS abandons the traditional desktop applications, and makes some special design to optimize Web-based applications. This paper gives the concept of CTOS, and analyzes the other similar operating systems. This paper also gives a detailed design and implementation of CTOS which is based on the Hurd operating system. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
32. Practical clickjacking with BeEF.
- Author
-
Lundeen, Brigette and Alves-Foss, Jim
- Abstract
A lot of effort has been put into researching client-side attacks, including vulnerabilities like cross-site scripting, cross-site request forgery, and more recently, clickjacking. Similar to other client-side attacks, a clickjacking vulnerability can use the browser to exploit weaknesses in cross domain isolation and the same origin policy. It does this by tricking the user to click on something that is actually not what the user perceives they are clicking on. In the most extreme cases, this vulnerability can cause an unsuspecting user to have their account compromised with a single click. Although there are protections available for clickjacking, the web applications implementing these mitigations are far and in between. Additionally, although the possibility for an attacker to frame a page is easy to detect, it is much more difficult to demonstrate or assess the impact of a clickjacking vulnerability than more traditional client-side vectors. Tools do not currently exist to reliably demonstrate clickjacking exploitation, and the rare demonstrations that are done typically use custom JavaScript and HTML for each individual vulnerability. Worse, many times this esoteric code is never made public, leaving everyone to rewrite their own from scratch. BeEF, known as the Browser Exploitation Framework, is a tool designed to help professional penetration testers easily demonstrate the impact of client-side security vulnerabilities. In this paper, we present a plugin module for BeEF which provides a way for penetration testers to easily demonstrate the impact of clickjacking vulnerabilities. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
33. Audit based privacy preservation for the OpenID authentication protocol.
- Author
-
Riesch, Philip J. and Du, Xiaojiang
- Abstract
This paper studies a privacy vulnerability within OpenID, a distributed single sign on protocol. An OpenID system consists of three components: User Agent (UA); Relying Party - A web application that a UA would like to authenticate with using their unique identifier; and Identity Provider - A web server that provides a globally unique identifier for the UA and validates the identity of UAs on behalf of Relying Parties. The privacy vulnerability has been identified in existing literatures. However, no effective solution has been proposed to date. In this paper, we present an effective scheme to mitigate this vulnerability. In order for OpenID to gain wider acceptance, this vulnerability must be addressed with a solution that is convenient to the users of single sign on. We propose a method for mitigating this vulnerability by creating vertical levels of trust between constituents of an OpenID network through expanding the role of OpenID Identity Providers to include auditing OpenID Relying Parties for privacy vulnerabilities. In addition, Identity Providers may keep records of audits that identify Relying Parties that do not protect the privacy of OpenID users. The primary issue with this privacy vulnerability is that it is completely transparent - it occurs without the user ever being aware that it is happening. We cannot force Relying Parties to guarantee the privacy of OpenID users, nor would we like to burden individual users with browser level solutions that are often overly technical and difficult to understand. We have designed an audit solution at the level of the Identity Provider, which can accurately inform users when Relying Parties may be sharing information with third parties, therefore giving OpenID users the ability to make a conscious choice to share that information. We have performed real network experiments to validate our scheme, and the experimental results show that our scheme is effective. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
34. Secure web referral service.
- Author
-
Nagarajan, Vijayakrishnan and Huang, Dijiang
- Abstract
Security has become a major concern while browsing as the number of malicious sites keeps increasing with the cost for hosting a site decreasing. Though most of the web servers use Secure Socket Layer (SSL) over HTTP (Hyper Text Transfer Protocol) to ensure trust between consumers and providers, SSL is vulnerable to Man-In-The-Middle (MITM) attack and becoming very common these days. Phishing is another major problem, which has increased rapidly over the years. In this paper we present a novel secure web referral service using Secure Search Engine (SSE), which would resolve phishing and MITM attacks for web based applications. SSE is based on web crawling technology with a set of checking services to validate IP addresses and certificate chains. Additionally, we present a novel phishing filter that can be used to check any given URLs with minimal delay. Our solution is non-intrusive and reduces human factors, which are commonly in existing web-based services, in security verification processes. Our evaluation shows that our solutions produce less false positive and false negative than existing web browser-based anti-phishing solutions. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
35. Discovering security vulnerabilities and leaks in ASP.NET websites.
- Author
-
AL-Amro, Huyam and El-Qawasmeh, Eyas
- Abstract
Websites written in ASP.NET might contain security vulnerabilities that are not seen to the owner of the website. This paper describes an algorithm that aims in the detection of security vulnerabilities. The suggested algorithm performs a scanning process for all website/ application files. Our scanner tool relies on studying the source code of the application depending on ASP.NET files and the code behind files (Visual Basic VB and C sharp C#). A program written for this purpose is to generate a report that describes most leaks and vulnerabilities types (by mentioning the file name, leak description and its location). The suggested algorithm will help organization to fix the vulnerabilities and improve the overall security. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
36. Design of web-based Smart Home with 3D virtural reality interface.
- Author
-
Hu, Wenshan, Zhou, Hong, Chaoyang Lin, Xianfeng Chen, Chen, Zhen, and Lu, Yiyan
- Abstract
In this paper, the design of a web-based Smart Home system is introduced. The proposed system provides a web interface through which users are able to check the home status and control the domestic appliance remotely as long as they have a PC system connected to the Internet. In order to give users a more vivid way to access the Smart Home system, a web based 3D interface with virtual reality technology is proposed in this paper. The rooms, appliances and furniture are reconstructed in the web-based interface. Users can “look around” in the virtual home remotely. They are able to check the security alarms, control the appliances in the 3D virtual reality similar as they do in real homes. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
37. Analysis and Detection of Modern Spam Techniques on Social Networking Sites.
- Author
-
T, Krishna Chaitanya, Ponnapalli, HariGopal, Herts, Dylan, and Pablo, Juan
- Abstract
The modern web has become a collaboration and communications platform with the advent of social networks. Apart from attracting millions of users, the popularity of social networking communities has also attracted spammers who can abuse and misuse the rich information in these sites using sophisticated attack techniques. In this paper we have described four popular modern techniques used by attackers to spam social networking sites: clickjacking [1], malicious browser extensions via drive-by-downloads [2], URL shorteners [3] and socially engineered script injection [4]. We have analyzed click-jacking and malicious browser extensions in detail, evaluating existing solutions to detect/prevent them. We observed that the existing solutions for clickjacking fail in some common use case scenarios. Therefore, we proposed enhancements that help detecting clickjacking attacks in those failed scenarios. We also proposed a declarative security policy to prevent malicious browser extension attacks. We implemented chrome extensions to validate both of our proposals in a test bed social network, which we have setup using an open source social networking engine. We believe our proposals are helpful to strengthen the security of social networks in general and the web platform as a whole. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
38. On Remote Attestation for Google Chrome OS.
- Author
-
Bente, Ingo, Hellmann, Bastian, Rossow, Thomas, Vieweg, Joerg, and von Helden, Josef
- Abstract
In this paper we present an approach to add Remote Attestation capabilities to the Google Chrome OS platform. Our approach is based on the combination of two integral aspects of Chrome OS: (1) its Verified Boot procedure and (2) its extensible, app-based architecture. Verified Boot ensures the integrity of the static operating system base including firmware, kernel and user land code. The dynamic part of Chrome OS is formed by apps, that can be installed, updated and removed during runtime by the user. We propose an approach that is able to attest both the integrity of the static Chrome OS base as well as the dynamic part composed of apps installed by the user to a remote party. The static part is attested without any measurements of binaries. We detail properties of apps that are reasonable to be measured. Thus, a remote party can reason about the trustworthiness of a remote platform by knowing (1) that it is running Chrome OS and (2) by knowing certain characteristics of installed apps. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
39. Filtering malicious routines in web browsers using dynamic binary instrumentation.
- Author
-
Jae Won Min, Sung Min Jung, and Tai Myoung Chung
- Abstract
Extension of web browser capability has introduced variety of security problems. Attackers exploit vulnerabilities found in internals of web browsers or plugins to compromise the system and execute arbitrary code. In this paper, we present a filtering method which blocks malicious routines from being executed. Filtering is done by keeping a blacklist of dangerous routines and arguments separately to compare with the routines being called by the web browser at runtime. To show the concept, we built a prototype by using dynamic binary instrumentation framework called Pin. Pin provides rich API that allows us to build a custom tool that inserts instrumentation codes in the program. Using this tool, we are able to block malicious instructions from being executed. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
40. Technical Issues of Forensic Investigations in Cloud Computing Environments.
- Author
-
Birk, Dominik and Wegener, Christoph
- Abstract
Cloud Computing is arguably one of the most discussed information technologies today. It presents many promising technological and economical opportunities. However, many customers remain reluctant to move their business IT infrastructure completely to the cloud. One of their main concerns is Cloud Security and the threat of the unknown. Cloud Service Providers (CSP) encourage this perception by not letting their customers see what is behind their virtual curtain. A seldomly discussed, but in this regard highly relevant open issue is the ability to perform digital investigations. This continues to fuel insecurity on the sides of both providers and customers. Cloud Forensics constitutes a new and disruptive challenge for investigators. Due to the decentralized nature of data processing in the cloud, traditional approaches to evidence collection and recovery are no longer practical. This paper focuses on the technical aspects of digital forensics in distributed cloud environments. We contribute by assessing whether it is possible for the customer of cloud computing services to perform a traditional digital investigation from a technical point of view. Furthermore we discuss possible solutions and possible new methodologies helping customers to perform such investigations. [ABSTRACT FROM PUBLISHER]
- Published
- 2011
41. On the Workings and Current Practices of Web-Based Device Fingerprinting.
- Author
-
Nikiforakis, Nick, Kapravelos, Alexandros, Joosen, Wouter, Kruegel, Christopher, Piessens, Frank, and Vigna, Giovanni
- Abstract
By analyzing the code of three popular browser-fingerprinting code providers, the authors reveal the techniques that allow websites to track users without client-side identifiers. They expose questionable practices, such as the circumvention of HTTP proxies to discover a user's real IP address and the installation of intrusive browser plug-ins. In addition, they measure the adoption of fingerprinting on the Web and evaluate user-agent-spoofing browser extensions, showing that current commercial approaches can bypass the extensions and take advantage of their shortcomings. [ABSTRACT FROM PUBLISHER]
- Published
- 2014
42. Machine Learning for Web Vulnerability Detection: The Case of Cross-Site Request Forgery
- Author
-
Riccardo Focardi, Gabriele Tolomei, Alvise Rabitti, Stefano Calzavara, and Mauro Conti
- Subjects
Forgery ,applications ,Computer Networks and Communications ,Computer science ,Browsers ,Vulnerability ,Cross-site request forgery ,02 engineering and technology ,Machine learning ,computer.software_genre ,Tools ,03 medical and health sciences ,0302 clinical medicine ,Software ,020204 information systems ,0202 electrical engineering, electronic engineering, information engineering ,Web application ,Leverage (statistics) ,Electrical and Electronic Engineering ,030219 obstetrics & reproductive medicine ,Settore INF/01 - Informatica ,business.industry ,Supervised learning ,Security ,Social networking (online) ,Vulnerability detection ,websites ,cross-site scripting ,The Internet ,Artificial intelligence ,business ,Law ,computer
- Abstract
We propose a methodology to leverage machine learning (ML) for the detection of web application vulnerabilities. We use it in the design of Mitch, the first ML solution for the black-box detection of cross-site request forgery vulnerabilities. Finally, we show the effectiveness of Mitch on real software.
- Published
- 2020
43. Towards Comprehensible and Effective Permission Systems
- Author
-
Felt, Adrienne Porter
- Subjects
Computer science ,browsers ,permissions ,privacy ,security ,smartphones ,web
- Abstract
How can we, as platform designers, protect computer users from the threats associated with malicious, privacy-invasive, and vulnerable applications? Modern platforms have turned away from the traditional user-based permission model and begun adopting application permission systems in an attempt to shield users from these threats. This dissertation evaluates modern permission systems with the goal of improving the security of future platforms. In platforms with application permission systems, applications are unprivileged by default and must request permissions in order to access sensitive API calls. Developers specify the permissions that their applications need, and users approve the granting of permissions. Permissions are intended to provide defense in depth by restricting the scope of vulnerabilities and user consent by allowing users to control whether third parties have access to their resources. In this dissertation we investigate whether permission systems are effective at providing defense in depth and user consent. First, we perform two studies to evaluate whether permissions provide defense in depth: we analyze applications to determine whether developers request minimal sets of permissions, and we quantify the impact of permissions on real-world vulnerabilities. Next, we evaluate whether permissions obtain the user's informed consent by surveying and interviewing users. We use the Android application and Google Chrome extension platforms for our studies; at present, they are popular platforms with extensive permission systems. Our goal is to inform the design of future platforms with our findings. We argue that permissions are a valuable addition to a platform, and our study results support continued work on permission systems. However, current permission warnings fail to inform the majority of users about the risks of applications. We propose a set of guidelines to aid in the design of more user-friendly permissions, based on our user research and relevant literature.
- Published
- 2012
44. Improved Blacklisting: Inspecting the Structural Neighborhood of Malicious URLs.
- Author
-
Akiyama, Mitsuaki, Yagi, Takeshi, and Hariu, Takeo
- Subjects
UNIFORM Resource Locators ,WEBSITES ,SEARCH engines ,SECURITY management ,NEIGHBORHOODS
- Abstract
Filtering based on blacklists is a major countermeasure against malicious websites. However, blacklists must be updated because malicious URLs tend to be short-lived, and they can be partially mutated to avoid blacklisting. Due to these characteristics, it can be assumed that unknown malicious URLs exist in the neighborhood of known malicious URLs created by the same adversary. The authors propose an effective blacklist URL generation method that discovers URLs in the neighborhood of a malicious URL by using a search engine. This article is part of a special issue on security. [ABSTRACT FROM AUTHOR]
- Published
- 2013
45. The Compleat Story of Phish.
- Author
-
Orman, Hilarie
- Subjects
INTERNET fraud ,COMPUTER security ,WEBSITES ,MALWARE ,HYPERTEXT systems ,ONLINE social networks
- Abstract
Deceptive email that leads unwary users to disclose sensitive information on fake websites is the most common form of malware seen by today's users. The technology behind these attacks uses the Internet's weak notion of "place" and the increasing use of websites for financial transactions. Users can protect themselves through precautionary measures, and experts learn to accurately identify malicious email. [ABSTRACT FROM PUBLISHER]
- Published
- 2013
46. Have Java's Security Issues Gotten out of Hand?
- Author
-
Garber, Lee
- Subjects
*COMPUTER security , *SPECIALISTS , *JAVA programming language , *OBJECT-oriented programming languages , *PROGRAMMING languages
- Abstract
In the past year, security experts have found many vulnerabilities, some critical, in Java. This represents a serious trend because Java is so widely used. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
47. Accelerating Multipattern Matching on Compressed HTTP Traffic.
- Author
-
Bremler-Barr, Anat and Koral, Yaron
- Subjects
COMPUTER memory management ,WEB browsers ,HTTP (Computer network protocol) ,COMPUTER security ,INTRUSION detection systems (Computer security) ,INTERNET traffic ,COMPUTER systems
- Abstract
Current security tools, using “signature-based” detection, do not handle compressed traffic, whose market-share is constantly increasing. This paper focuses on compressed HTTP traffic. HTTP uses GZIP compression and requires some kind of decompression phase before performing a string matching. We present a novel algorithm, Aho–Corasick-based algorithm for Compressed HTTP (ACCH), that takes advantage of information gathered by the decompression phase in order to accelerate the commonly used Aho–Corasick pattern-matching algorithm. By analyzing real HTTP traffic and real Web application firewall signatures, we show that up to 84% of the data can be skipped in its scan. Surprisingly, we show that it is faster to perform pattern matching on the compressed data, with the penalty of decompression, than on regular traffic. As far as we know, we are the first paper that analyzes the problem of “on-the-fly” multipattern matching on compressed HTTP traffic and suggest a solution. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
48. Framework Approach for WebSockets.
- Author
-
Schulze, Alexander
- Subjects
*HTML (Document markup language) , *INTERNETWORKING , *RELIABILITY (Personality trait) , *COMPUTER security , *RELIABILITY in engineering , *INTERNET servers
- Abstract
This paper describes a framework approach and its communication models for the use of HTML5 WebSockets in cross-browser and cross-platform compatible, stationary and mobile, real-time web applications. This includes interoperability, security and reliability as well as server extensions, integration into existing applications and the implementation of WebSocket business logic - from a stand-alone system up to large clusters. [ABSTRACT FROM AUTHOR]
- Published
- 2011
49. Security Evolution of the Webkit browser engine.
- Author
-
Hodovan, Renata and Kiss, Akos
- Abstract
By now, the Web has matured into a full-scale application platform and its popularity is constantly rising. However, popularity comes at a cost: the Web is becoming more and more of a target for attackers. In this paper, we argue that the security analysis of web browsers deserves attention and the data on their security evolution is of high value. We examine the security evolution of the widely used WebKit browser engine, investigate its historical security data, and point at the alarming trends. [ABSTRACT FROM PUBLISHER]
- Published
- 2012
50. Mobile Applications for Agriculture and Rural Development
- Author
-
Qiang, Christine Zhenwei, Kuek, Siou Chew, Dymond, Andrew, and Esselaar, Steve
- Subjects
COMMUNICATIONS ,INFORMATION PROVISION ,INFORMATION ,CUSTOMER LOYALTY ,GLOBAL MARKET ,GPS ,SOFTWARE ,PRIVATE INVESTMENT ,ONLINE BANKING ,COMMODITIES ,EGOVERNMENT PROJECTS ,MOBILE NETWORK ,CREDIT CARD ,NICHE MARKET ,MONITORING ,REVENUE MODEL ,PENETRATION RATE ,PROTOTYPES ,ADVERTISING ,MANAGEMENT SERVICES ,CELL PHONE ,MIDDLEMEN ,SERVICE PROVIDERS ,TRANSACTIONS ,DATA RATES ,QUERY ,FRAUD ,TECHNOLOGIES ,INFORMATION FLOWS ,BUSINESS DEVELOPMENT ,INTERFACES ,CALL CENTER ,PAYMENT METHODS ,COMPUTER ,PERSONAL DATA ,CELLPHONES ,E- GOVERNMENT ,INFORMATION SYSTEMS ,MOBILE SERVICE ,DIGITAL DIVIDE ,PROFIT ,PRICES ,TIMELY ACCESS ,ADMINISTRATIVE COSTS ,VALUE CHAIN ,DEBIT CARDS ,SERVICE PROVIDER ,NEW MARKET ,MENU ,CELLPHONE ,DATA ENTRY ,MOBILE NETWORKS ,INFORMATION SYSTEM ,PHONE NUMBER ,E-MARKETPLACE ,INFORMATION PROVIDERS ,SOFTWARE SUITE ,KNOWLEDGE WORKER ,CAPABILITIES ,FINANCIAL SERVICES ,OPERATING SYSTEMS ,CENTRAL SERVER ,MARKET PRICES ,COMMUNICATIONS TECHNOLOGY ,EMAIL ,UNIVERSAL ACCESS ,OPERATING SYSTEM ,MOBILE PHONE ,CUSTOMERS ,COMMUNICATION TECHNOLOGY ,CUSTOMER SERVICE ,GOVERNMENT FUNDING ,RESULT ,MENUS ,SECURITY ,INFORMATION DATABASE ,SUPPLY CHAIN INTEGRATION ,ACCESS TO INFORMATION ,WEB ,NETWORKS ,APPLICATION DEVELOPMENT ,FINANCIAL INSTITUTIONS ,BUSINESS PLAN ,BROADCAST ,MOBILE APPLICATIONS ,EQUIPMENT ,TELECOMMUNICATIONS ,PRICE ,BUSINESS MODELS ,VIDEO ,CERTIFICATES ,TRANSMISSION ,DATABASE ,GOVERNMENT ORGANIZATIONS ,AUTOMATION ,MOBILE PHONE ,BUYER ,MARKET INFORMATION ,TARGETS ,UNIVERSAL SERVICE ,FINANCIAL RESOURCES ,MARKET SHARE ,CUSTOMIZATION ,RURAL ACCESS ,GOVERNMENT SERVICES ,WIRELESS DEVICES ,CUSTOMER ,MARKET RESEARCH ,SOFTWARE DEVELOPMENT ,RESULTS ,NEW MARKETS ,PRODUCT DEVELOPMENT ,COMPUTER SCIENCE ,MARKET POTENTIAL ,INSPECTION ,COMMUNICATIONS TECHNOLOGIES ,BUSINESSES ,INFRASTRUCTURE DEVELOPMENT ,INSPECTIONS ,PAYOUT ,NEW TECHNOLOGIES ,MARKET SEGMENTS ,TRANSACTION ,SOFTWARE APPLICATIONS ,ENABLING ENVIRONMENTS ,SOFTWARE ARCHITECTURE ,SYSTEM DEVELOPMENT ,INFORMATION SERVICE 
,ELECTRONIC DATA ,GENERAL PUBLIC ,COMMUNICATION ,DATABASES ,CREDIT CARDS ,COMMODITY ,RADIO STATIONS ,COMPUTERS ,RFID ,PRIVATE PARTNERSHIPS ,PRODUCTIVITY ,E-MAIL MESSAGES ,BUYERS ,CAPITAL INVESTMENTS ,FINANCIAL TRANSACTIONS ,PROJECT MANAGEMENT ,ENABLING ENVIRONMENT ,BUSINESS ,PROCUREMENT ,INSTITUTIONS ,E-MAIL ,BROADCASTS ,INFORMATION SERVICES ,USERS ,TELEVISION ,BUSINESS PARTNERS ,PAYMENT SYSTEM ,DIGITAL TECHNOLOGIES ,SECURITY FEATURES ,TYPES OF USERS ,IMAGES ,PAYMENT SYSTEMS ,EXPORT MARKET ,MULTIMEDIA ,LINKS ,TECHNICAL STANDARDS ,NUMBER OF USERS ,PHONE ,MOBILE PHONES ,SEARCH ,TRACEABILITY ,FINANCIAL ADMINISTRATION ,IMPACT ASSESSMENTS ,SUPERVISION ,PERFORMANCE ,EGOVERNMENT ,MOBILE COMMUNICATIONS ,BUSINESS TO BUSINESS ,E-GOVERNMENT ,MARKET SEGMENT ,MANAGEMENT SYSTEMS ,MOBILE APPLICATION ,COMPUTING DEVICES ,CONTENT PROVIDERS ,PHONES ,BUSINESS PLANNING ,MARKETING ,APPLICATION PROGRAMMING ,TELEPHONE ,DATA ,BROADBAND NETWORKS ,INFORMATION INFRASTRUCTURE ,INNOVATION ,SUPPLY CHAIN OPERATIONS ,ELECTRICITY ,B2B ,PRIVATE SECTORS ,NETWORK ,INTEGRATION SOLUTIONS ,BUSINESS ACTIVITIES ,SATELLITE ,BUSINESS SERVICES ,BROADBAND ,USES ,USER ,INTERFACE ,CONSULTANT ,TARGET ,HUMAN CAPITAL ,BEST PRACTICES ,BUSINESS MODEL ,CELL PHONES ,SUPPLY CHAIN ,CONSULTANTS ,STORAGE FACILITIES ,PRIVATE SECTOR ,BUSINESS OPERATIONS ,JOINT VENTURE ,PAYOUTS ,EMPLOYMENT CREATION ,FINANCING PLANS ,MARKET PRICE ,MATERIALS ,ADMINISTRATION ,COMMERCE ,PROFITS ,INNOVATIONS ,JOINT VENTURES ,FINANCIAL BENEFITS ,SUPPLY CHAINS ,SEARCHES ,COMMERCIAL BANKS ,ISP ,TECHNOLOGY ,MATERIAL ,PRIVATE SECTOR DEVELOPMENT ,MOBILE SERVICES ,SERVER ,RADIO ,FRAMEWORK FOR DEVELOPMENT ,TELECOM ,PRICE INFORMATION ,BROWSERS ,INFORMATION NETWORK ,CASH FLOWS ,FINANCIAL SUPPORT ,CAPACITY BUILDING ,QUERIES ,ICT ,CONSUMER GOODS ,LINK ,FUNCTIONALITY
- Abstract
The dynamic growth of mobile communications technology is creating opportunities for economic growth, social empowerment, and grassroots innovation in developing countries. One of the areas with the greatest potential impact is in the contribution that mobile applications can make to agricultural and rural development (ARD), by providing access to information, markets, and services to millions of rural inhabitants. For both agricultural supply and demand, mobile phones can reduce waste, make delivery more efficient, and forge closer links between farmers and consumers. This report provides policymakers and development practitioners with a guide that facilitates the development and deployment of mobile applications for ARD. It also informs their understanding of the key drivers for promoting such applications and services in their countries. Using James Moore’s (1996) revised definition of ecosystems: economic communities based on interacting organizations and individuals the report identifies a wide range of players in the ecosystem for m-ARD apps, such as mobile network operators, m-app (mobile applications) providers, content providers, and various types of users. M-apps are software designed to take advantage of mobile technology and can be developed for technology besides mobile phones. But mobile phones have many key advantages: affordability, wide ownership, voice communications, and instant and convenient service delivery. As a result, there has been a global explosion in the number of m-apps, facilitated by the rapid evolution of mobile networks and by the increasing functions and falling prices of mobile handsets. M-apps are markedly different in developing countries because they typically run on second-generation (2G) phones rather than smartphones, which are far more common in developed countries. The report reviews country examples and extracts policy lessons and good practices. 
It also presents detailed studies of cases from Kenya, Philippines, and Sri Lanka, as well as summarizes 92 case studies from Africa, Asia, and Latin America. The goal is to provide a comprehensive understanding of the development impact, ecosystem, and business models for mobile applications in ARD. The report is intended to complement the recent ICT in Agriculture eSourcebook. One of the main findings is that an enabling platform (or platforms) is probably the most important factor for the development of m-ARD apps. Platforms can facilitate interactions among ecosystem players, increase access to users, provide technical standards, and incorporate payment mechanisms.
- Published
- 2012