Dr. Xusheng Xiao receives NSF Early Career (CAREER) Award
 
Xusheng Xiao, assistant professor from the Department of Computer and Data Sciences, received a $500,000 National Science Foundation Early Career (CAREER) Award to develop a context- and user-aware security framework for enhancing mobile application security.
Mobile applications (i.e., apps) have become an integral part of daily life. These apps' increasing access to users' sensitive data (e.g., location and contacts) raises serious security concerns. Mainstream smartphone platforms (e.g., Android and iOS) adopt permission-based access-control mechanisms, but such mechanisms fail to consider the context in which permission requests arise and do not explain how and why the app uses sensitive data, causing users to make uninformed decisions.
To address these fundamental limitations, the security framework developed by Prof. Xiao's lab will enable (G1) contextual integrity by notifying users only when sensitive data is used in ways that cannot be justified by the contexts and the apps' intentions, and (G2) user awareness by generating natural-language (NL) descriptions that explain the sensitive data uses. The lab will develop a context- and intention-aware model that represents the correlation between the contexts/intentions and the sensitive behaviors in the code, and will perform anomaly detection based on the model to detect abnormal behaviors. Further, the lab will develop a neural machine-translation model that takes as input the GUI contexts and privacy policies and synthesizes descriptions for sensitive behaviors in the code. The success of this project will enhance the security of society at large by leading to more secure mobile apps, and the proposed techniques will provide new insights into how program analysis and machine learning can work together.