
Task 2 – Suggested Topics

Each of the following topics can be done in groups of max. 3 people. If none of these topics sounds appealing to you, propose your own idea and we can see if it fits into the ensemble. All listed projects can also be worked on independently by max. 2 groups per project.

Important note: Obviously, the subsequent list provides only a very short abstract of every project. In case something sounds appealing but you do not fully understand what the topic is about, do not hesitate to come to me after the lecture and I will gladly explain it! Also, if you are uncertain how to proceed, please just ask me after the lecture and do not wait until the last week before the deadline!

Hint: For all projects where Android applications have to be reverse-engineered, please use jadx, Apktool or something equivalent. These tools greatly simplify the job.

Topics

Working Title: Large-Scale App Analysis from Google Play
Description: On Android, applications signed with vendor certificates can be granted a large number of powerful permissions that third-party applications normally cannot obtain. Although vendors are urged to sign only their own preinstalled apps with these keys, they sometimes also sign apps that can be installed from app stores, occasionally even apps from third-party developers. In this project, you write an automated APK analysis tool that you run on a sizeable portion of the apps available from Google Play. Luckily, the AndroZoo project (you will have to request a free API key) already collects apps that you can use, so you can focus on the analysis aspect. If you choose this topic, make sure you start well ahead of the deadline, since the analysis will take a few days. The result of this project is a report of your findings, i.e. how many and which apps you found signed with vendor keys, and what powerful (platform) permissions they use.
Assigned:
Assigned:
Working Title: Analysis of Samsung Auto Blocker
Description: Samsung recently introduced a feature called Auto Blocker that is intended to disable certain advanced device functionality (ADB, certain diagnosis screens, …) which makes the device easier to attack. In this project, you carry out extensive online research and an on-device investigation (including reverse-engineering of system components) to figure out the exact scope and functionality of this feature. The result of this project is a detailed report documenting your approach and findings. Approach me in time if you need a suitable rooted Samsung device.
Assigned:
Assigned: 
Working Title: Solve Android Hacklets
Description: Security researcher Yanick Fratantonio assembled Android hacklet challenges on his website here. For assignment 2, your task is to solve as many of these challenges as possible (solve at least 17 + (# of group members) of the 21 challenges for grade 1). The result of this project is a detailed report documenting your solutions for the challenges you solved (include the flags you found for each challenge!). For the presentation, you describe the exploited vulnerabilities and your solution for 2 x (# of group members) hacklets of your choice in detail.
Assigned: Ammoush, Sert, Zlatar
Assigned: Second team not allowed for this project!
Working Title: Linux: Analysing an Embedded Linux device
Description: Many IoT devices run a simple Linux-based operating system. They therefore present a very interesting possibility for studying various security-related concepts that directly translate to larger Linux-based embedded systems such as Android. As part of this project, you analyse an embedded Linux IoT device of your choice to shed light on its internal operation and identify potential security vulnerabilities. The following aspects will have to be covered:

  • How can the Linux system be accessed: Is there any debug interface such as a serial console or JTAG? Is an SSH server running?
  • What basic system-level security is used: How is DAC (Discretionary Access Control) configured? Is MAC (Mandatory Access Control) used as well?
  • What does the startup routine look like?
  • Is there any mechanism for firmware updates? Is it properly protected?
  • Which open-source software, libraries and kernel are integrated? How recent are they? Do they have known vulnerabilities?
  • Proprietary software stack: What frameworks were used? Was security considered? Are there any vulnerabilities?

Helpful tools: Ghidra, ssh, strace, gdb

Note: If you choose this topic, please contact me in advance about the IoT device you intend to analyse!

Assigned: Kaiser, Possegger, Zanotti
Assigned: Pfeifenberger, Saiger, Samonik
Working Title: Notification Forwarder (P2P)
Description: Develop an iOS/Android application that forwards notifications from a mobile device to your computer. The connection should be peer to peer. Pay special attention to how you secure the connection: How is confidentiality ensured? How are keys exchanged? Where are they stored? Can you prevent replay attacks or MITM attacks? Your submission should consist of a report discussing your design decisions and the source code for the server and app components.
Assigned: Knezevic, Stjepanovic
Assigned: Horn, Maurer, Muckenschnabl
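One way to approach the replay and tampering questions raised for this topic, as an added example that is not part of the assignment and not a reference solution: a minimal authenticated framing layer in Python using only the standard library. It assumes a shared key already established during pairing (here simply generated with os.urandom), and covers integrity and replay protection only; confidentiality would additionally require an AEAD cipher, which the standard library does not provide, so that part is deliberately left to a crypto library in the real app.

```python
"""Replay- and tamper-resistant framing for a peer-to-peer notification channel.

Added example, not part of the assignment. Each frame is
    direction (1 byte) || sequence (8 bytes, big-endian) || payload || HMAC-SHA256 tag
The receiver verifies the tag in constant time before looking at anything else,
rejects frames meant for the other direction (so a captured frame cannot be
reflected back to its sender), and enforces strictly increasing sequence numbers
(so a captured frame cannot be replayed). Encryption of the payload is out of
scope here and would be layered on with an AEAD cipher in a real app (assumption).
"""
import hashlib
import hmac
import os
import struct

HEADER = struct.Struct("!BQ")   # direction byte, 64-bit sequence number
TAG_LEN = hashlib.sha256().digest_size
DIR_PHONE_TO_PC = 0x01          # constructed direction identifiers
DIR_PC_TO_PHONE = 0x02


class Sender:
    def __init__(self, key: bytes, direction: int):
        self.key, self.direction, self.seq = key, direction, 0

    def seal(self, payload: bytes) -> bytes:
        self.seq += 1                       # never reuse a sequence number under this key
        header = HEADER.pack(self.direction, self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class Receiver:
    def __init__(self, key: bytes, direction: int):
        self.key, self.direction, self.last_seq = key, direction, 0

    def open(self, frame: bytes) -> bytes:
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("truncated frame")
        header, body, tag = frame[:HEADER.size], frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Authenticate first: never act on an unauthenticated header or payload.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad MAC")
        direction, seq = HEADER.unpack(header)
        if direction != self.direction:
            raise ValueError("reflected frame")
        if seq <= self.last_seq:
            raise ValueError("replayed or reordered frame")
        self.last_seq = seq                 # advance the replay window only after all checks pass
        return body


def try_open(rx: Receiver, frame: bytes):
    """Return the payload, or the reason the frame was rejected."""
    try:
        return rx.open(frame)
    except ValueError as err:
        return str(err)


def demo() -> dict:
    """Exercise the channel with constructed notifications and attacker-style frames."""
    key = os.urandom(32)                    # in the real app: derived from the pairing handshake
    phone_tx = Sender(key, DIR_PHONE_TO_PC)
    laptop_rx = Receiver(key, DIR_PHONE_TO_PC)
    phone_rx = Receiver(key, DIR_PC_TO_PHONE)   # the phone only accepts PC->phone frames

    f1 = phone_tx.seal(b"SMS: meeting moved to 10:00")      # constructed sample notifications
    f2 = phone_tx.seal(b"Calendar: dentist at 14:00")
    tampered = bytearray(f2)
    tampered[HEADER.size] ^= 0x01                            # flip one payload bit

    return {
        "first": try_open(laptop_rx, f1),
        "second": try_open(laptop_rx, f2),
        "replay": try_open(laptop_rx, f1),                   # old frame sent again
        "tamper": try_open(laptop_rx, bytes(tampered)),      # modified in transit
        "reflect": try_open(phone_rx, f1),                   # phone's own frame bounced back
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:8s} -> {result!r}")
```

Two design choices worth noting in the report: the tag is checked before the sequence number so that an unauthenticated frame can never move the replay window, and the direction byte stands in for the cleaner option of deriving one key per direction from the pairing secret.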
Working Title: Use FlowDroid to automatically check the Data Safety section
Description: FlowDroid is a static analysis tool that implements taint tracking. This technique allows determining whether data flows exist between a given source method and a given sink method. In this project, you will write a custom Java tool based on FlowDroid. It will use FlowDroid’s taint tracking capabilities to automatically identify information flows from source methods related to one of the data types mentioned in the Data Safety section of each analysed app (e.g. Location data) to a set of sink methods related to Internet communication. You will run this automated tool against a set of at least 100 popular apps from Google Play (use the ranking published on Google Play). You can retrieve APK files from the AndroZoo project (you will have to request a free API key). If you choose this topic, make sure you start well ahead of the deadline, since the analysis will take some time. The result of this project is your implementation and a report of your findings, i.e. what analysis you implemented, which apps you analysed, what data flows you found that are not declared in the Data Safety section, …
Assigned:
Assigned:
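To make concrete what the source/sink model behind this topic computes, here is an added toy example that is neither FlowDroid code nor part of the assignment: a forward taint analysis over a small straight-line intermediate representation, with source methods mapped to Data Safety data types and a final comparison against what the app declares. The method signatures follow the Soot-style notation FlowDroid uses for its source/sink lists; the IR, the sample program and the declared set are constructed for the example, and a real FlowDroid run would additionally handle control flow, aliasing, callbacks and the Android lifecycle.

```python
"""Toy forward taint analysis in the spirit of FlowDroid's source/sink model.

Added example, not FlowDroid code. The program is a constructed list of
statements in a tiny three-address IR:
    ("call", dst, method, args)   dst may be None; args lists receiver and parameters
    ("assign", dst, src)          plain copy
    ("const", dst, literal)       overwrite with a constant (kills taint)
Taint is tracked per variable as the set of Data Safety data types it may carry.
"""

# Source methods (Soot-style signatures) mapped to the Data Safety data type
# they expose. Constructed mapping for this example.
SRC_LOCATION = "<android.location.LocationManager: android.location.Location getLastKnownLocation(java.lang.String)>"
SRC_DEVICE_ID = "<android.telephony.TelephonyManager: java.lang.String getDeviceId()>"
SRC_ACCOUNTS = "<android.accounts.AccountManager: android.accounts.Account[] getAccounts()>"
SOURCES = {SRC_LOCATION: "Location", SRC_DEVICE_ID: "Device ID", SRC_ACCOUNTS: "Personal info"}

# Sink methods related to Internet communication. Constructed list.
SINK_WRITE = "<java.io.OutputStream: void write(byte[])>"
SINK_URL = "<java.net.URL: void <init>(java.lang.String)>"
SINKS = {SINK_WRITE, SINK_URL}

# Constructed sample program: two leaks, one value overwritten before use.
PROGRAM = [
    ("call", "loc", SRC_LOCATION, ["lm", '"gps"']),                                   # 0: source -> Location
    ("call", "lat", "<android.location.Location: double getLatitude()>", ["loc"]),    # 1: derived from tainted receiver
    ("call", "body", "<java.lang.String: java.lang.String valueOf(double)>", ["lat"]),  # 2
    ("call", "imei", SRC_DEVICE_ID, ["tm"]),                                          # 3: source -> Device ID
    ("assign", "copy", "imei"),                                                       # 4
    ("call", "acct", SRC_ACCOUNTS, ["am"]),                                           # 5: source -> Personal info
    ("const", "acct", "null"),                                                        # 6: overwritten, taint killed
    ("call", None, SINK_WRITE, ["out", "body"]),                                      # 7: sink reached by Location
    ("call", None, SINK_WRITE, ["out", "copy"]),                                      # 8: sink reached by Device ID
    ("call", None, "<android.util.Log: int d(java.lang.String,java.lang.String)>", ['"t"', "acct"]),  # 9: not a sink
]

# What the (constructed) Data Safety section of this sample app declares.
DECLARED = {"Location"}


def analyse(program, sources=SOURCES, sinks=SINKS):
    """Return [(data_type, sink_method, statement_index)] for every tainted sink argument."""
    taint = {}      # variable -> set of data types it may carry
    flows = []
    for idx, stmt in enumerate(program):
        kind = stmt[0]
        if kind == "const":
            taint.pop(stmt[1], None)                      # constant overwrite removes taint
        elif kind == "assign":
            _, dst, src = stmt
            taint[dst] = set(taint.get(src, ()))          # copy propagates taint
        elif kind == "call":
            _, dst, method, args = stmt
            incoming = set().union(*(taint.get(a, set()) for a in args))
            if method in sinks:
                for data_type in sorted(incoming):        # tainted data reaches a sink parameter
                    flows.append((data_type, method, idx))
            if dst is None:
                continue
            if method in sources:
                taint[dst] = {sources[method]}            # source introduces fresh taint
            else:
                taint[dst] = incoming                     # conservative: result of a call on tainted data is tainted
    return flows


def undeclared_flows(flows, declared):
    """Data types that reach an Internet sink but are missing from the Data Safety declaration."""
    return {data_type for data_type, _, _ in flows} - set(declared)


if __name__ == "__main__":
    found = analyse(PROGRAM)
    for data_type, sink, idx in found:
        print(f"statement {idx}: {data_type} -> {sink}")
    print("undeclared:", undeclared_flows(found, DECLARED))
```

The comparison step is the part the report asks for: every data type that reaches a network sink but does not appear in the app's declaration is a candidate finding, and the statement index (in FlowDroid, the Jimple statement and method) is what you quote as evidence.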
Working Title: Investigation of Android’s Hardware Abstraction Layer
Description: Analyse how execution flows from app-facing APIs in the Android framework down to low-level interaction with a particular piece of hardware (i.e. a chip or peripheral) of the device. As part of this work, you will reverse-engineer proprietary libraries through static analysis and dynamic instrumentation (such as through Frida). A subsystem that is particularly interesting is the Android Keystore and its Hardware Abstraction Layer. Document the involved components and their interactions. The result of this project is a detailed report documenting your approach and findings.
Assigned:
Assigned:
Working Title: Research on Partial Lock Screen Bypasses
Description: Even if complete lock screen bypasses are increasingly rare, partial lock screen bypasses keep showing up occasionally. These are vulnerabilities that allow reading or writing user data despite the device being locked. In this research-style project, you systematically identify publicly available reports of such vulnerabilities and try to categorize them. Can you come up with an idea for an automated tool capable of catching at least some of these vulnerabilities? If not, what are the involved roadblocks? The result of this project is a detailed report documenting your findings and concept.
Assigned: Marcher, Mühlbacher, Rajic
Assigned: Kainbacher, Legat, Sickl
Working Title: Analysis of Google Play’s Automatic Integrity Protection
Description: Read up on Google Play’s Automatic Integrity Protection. Identify an app that uses it and analyze how it actually works. What code gets injected into the APK? Is any obfuscation added? Does the solution use app attestation? How can integrity be ensured if no backend is involved? Or is a backend involved? … The result of this project is a detailed report documenting your approach and findings.
Assigned: Greilberger, Le
Assigned:
Working Title: PoC of a 0-click exploit chain for the Pixel 9
Description: In the last few years, AI-powered message analysis has been rolled out to mobile phones. For it to work efficiently, the decoding of media attachments without user interaction is often necessary. This change led to an increase in the 0-click attack surface. For example, incoming SMS and RCS audio attachments received by Google Messages are automatically decoded. Thus, audio decoders are now in the 0-click attack surface of Android phones, and several CVEs concerning audio decoders were reported in 2025. Other researchers raised questions regarding the usefulness of code execution within a media decoder. To answer these questions, Google Project Zero wrote a 0-click exploit chain for the Pixel 9, documented in blog posts released in early 2026. The result of this project is the implementation of a PoC of the exploit, a detailed report on your implementation and findings, as well as a brief overview of the mitigations the iOS platform has in place to prevent the very same exploit.
Assigned: Čadež, Pellizzari, Škof
Assigned: Hager, Waldhauser, Zeller
Working Title: Your Project
Description: Let me know if you have any particular idea related to mobile security that you want to work on!
Assigned: