Güliz Seray Tuncay

Güliz Seray Tuncay

Dr. Güliz Seray Tuncay is a Senior Research Scientist in the Android Security and Privacy team at Google. She received her Ph.D. from the University of Illinois at Urbana-Champaign in 2019. Her Ph.D. thesis titled "Practical least privilege for cross-origin interactions on mobile operating systems" was the runner up of the ACM SIGSAC Doctoral Dissertation Award. Güliz was selected as a Rising Star in EECS in 2019.

Güliz's research interests include mobile and IoT security, usable security, web security, and mobile computing. She has published her academic work in top-tier venues, including ACM Computer and Communications Security (CCS), IEEE Security & Privacy, USENIX Security, and ISOC Network and Distributed System Security (NDSS) Symposium. In 2018, her work on Android permissions received the Distinguished Paper Award at the NDSS Symposium.

Güliz is an active member of the research community. She has served as a technical program committee member for several prestigious venues, including ACM CCS, NDSS, USENIX Security, as well as several prestigious IEEE workshops and competitions such as the CSAW Applied research competition.

Güliz is passionate about using her research to make mobile devices more secure and private. She believes that everyone should be able to use mobile devices without fear of being hacked or having their privacy violated.

For more information, please visit www.gulizseray.com
Authored Publications
Sort By
  • Title
  • Title, descending
  • Year
  • Year, descending
    50 Shades of Support: A Device-Centric Analysis of Android Security Updates
    Abbas Acar
    Esteban Luques
    Harun Oz
    Ahmet Aris
    Selcuk Uluagac
    Network and Distributed System Security (NDSS) Symposium (2024)
    Preview abstract Android is by far the most popular OS with over three billion active mobile devices. As in any software, uncovering vulnerabilities on Android devices and applying timely patches are both critical. Android Open Source Project (AOSP) has initiated efforts to improve the traceability of security updates through Security Patch Levels (SPLs) assigned to devices. While this initiative provided better traceability for the vulnerabilities, it has not entirely resolved the issues related to the timeliness and availability of security updates for end users. Recent studies on Android security updates have focused on the issue of delay during the security update roll-out, largely attributing this to factors related to fragmentation. However, these studies fail to capture the entire Android ecosystem as they primarily examine flagship devices or do not paint a comprehensive picture of the Android devices’ lifecycle due to the datasets spanning over a short timeframe. To address this gap in the literature, we utilize a device-centric approach to analyze the security update behavior of Android devices. Our approach aims to understand the security update distribution behavior of OEMs (e.g., Samsung) by using a representative set of devices from each OEM and characterize the complete lifecycle of an average Android device. We obtained 367K official security update records from public sources, span- ning from 2014 to 2023. Our dataset contains 599 unique devices from four major OEMs that are used in 97 countries and are associated with 109 carriers. We identify significant differences in the roll-out of security updates across different OEMs, device models/types, and geographical regions across the world. Our findings show that the reasons for the delay in the roll-out of security updates are not limited to fragmentation but also involve OEM-specific factors. Our analysis also uncovers certain key issues that can be readily addressed as well as exemplary practices that can be immediately adopted by OEMs in practice. View details
    On the Robustness of Image-based Malware Detection against Adversarial Attacks
    Yassine Mekdad
    Harun Oz
    Ahmet Aris
    Leonardo Babun
    Faraz Naseem
    Selcuk Uluagac
    Nasir Ghani
    Abbas Acar
    Network Security Empowered by Artificial Intelligence, Springer (2024)
    Preview abstract Machine and deep learning models are now one of the most valuable tools in the arsenal of computer security practitioners. Their success has been demonstrated in various network-security-oriented applications such as intrusion detection, cyber threat intelligence, vulnerability discovery, and malware detection. Nevertheless, recent research studies have shown that crafted adversarial samples can be used to evade malware detection models. Even though several defense mechanisms such as adversarial training have been proposed in the malware detection domain to address this issue, they unfortunately suffer from model poisoning and low detection accuracy. In this chapter, we assess the robustness of image-based malware classifier against four different adversarial attacks: (a) random and benign brute-force byte append attacks for black-box settings and (b) random and benign Fast Gradient Sign Method (FGSM) attacks for white-box settings. To this end, we implement a Convolutional Neural Network (CNN) to classify the image representations of Windows Portable Executable (PE) malware with a detection accuracy of 95.05%. Then, we evaluate its robustness along with MalConv, a state-of-the-art malware classifier, by applying a set of functionality-preserving adversarial attacks. Our experimental results demonstrate that image-based classifier exhibits a lower evasion rate of 5% compared to MalConv that achieves an evasion rate ranging between 44 and 54% in black-box settings. However, in white-box settings, both models fail against random byte and benign byte FGSM attacks, with an evasion rate of more than 46%. View details
    With Great Power Comes Great Responsibility: Security and Privacy Issues of Modern Browser APIs
    Harun Oz
    Daniele Cono D’Elia
    Abbas Acar
    Riccardo Lazzeretti
    Selcuk Uluagac
    IEEE Security and Privacy (2024)
    Preview abstract This paper discusses security and privacy issues in modern Browser APIs by categorizing them based on their functionality. With this study, we aim to alert the community about these issues and motivate further research into analyzing the security and privacy concerns within modern Browser APIs. View details
    Wear's my Data? Understanding the Cross-Device Runtime Permission Model in Wearables
    Doguhan Yeke
    Muhammad Ibrahim
    Habiba Farukh
    Abdullah Imran
    Antonio Bianchi
    Z. Berkay Celik
    IEEE Security and Privacy (2024) (to appear)
    Preview abstract Wearable devices are becoming increasingly important, helping us stay healthy and connected. There are a variety of app-based wearable platforms that can be used to manage these devices. The apps on wearable devices often work with a companion app on users’ smartphones. The wearable device and the smartphone typically use two separate permission models that work synchronously to protect sensitive data. However, this design creates an opaque view of the management of permission- protected data, resulting in over-privileged data access without the user’s explicit consent. In this paper, we performed the first systematic analysis of the interaction between the Android and Wear OS permission models. Our analysis is two-fold. First, through taint analysis, we showed that cross-device flows of permission-protected data happen in the wild, demonstrating that 28 apps (out of the 150 we studied) on Google Play have sensitive data flows between the wearable app and its companion app. We found that these data flows occur without the users’ explicit consent, introducing the risk of violating user expectations. Second, we conducted an in-lab user study to assess users’ understanding of permissions when subject to cross-device communication (n = 63). We found that 66.7% of the users are unaware of the possibility of cross-device sensitive data flows, which impairs their understanding of permissions in the context of wearable devices and puts their sensitive data at risk. We also showed that users are vulnerable to a new class of attacks that we call cross-device permission phishing attacks on wearable devices. Lastly, we performed a preliminary study on other watch platforms (i.e., Apple’s watchOS, Fitbit, Garmin OS) and found that all these platforms suffer from similar privacy issues. As countermeasures for the potential privacy violations in cross-device apps, we suggest improvements in the system prompts and the permission model to enable users to make better-informed decisions, as well as on app markets to identify malicious cross-device data flows. View details
    (In)Security of File Uploads in Node.js
    Harun Oz
    Abbas Acar
    Ahmet Aris
    Amin Kharraz
    Selcuk Uluagac
    The Web conference (WWW) (2024)
    Preview abstract File upload is a critical feature incorporated by a myriad of web applications to enable users to share and manage their files conveniently. It has been used in many useful services such as file-sharing and social media. While file upload is an essential component of web applications, the lack of rigorous checks on the file name, type, and content of the uploaded files can result in security issues, often referred to as Unrestricted File Upload (UFU). In this study, we analyze the (in)security of popular file upload libraries and real-world applications in the Node.js ecosystem. To automate our analysis, we propose NodeSec– a tool designed to analyze file upload insecurities in Node.js applications and libraries. NodeSec generates unique payloads and thoroughly evaluates the application’s file upload security against 13 distinct UFU-type attacks. Utilizing NodeSec, we analyze the most popular file upload libraries and real-world ap- plications in the Node.js ecosystem. Our results reveal that some real-world web applications are vulnerable to UFU attacks and dis- close serious security bugs in file upload libraries. As of this writing, we received 19 CVEs and two US-CERT cases for the security issues that we reported. Our findings provide strong evidence that the dynamic features of Node.js applications introduce security shortcomings and that web developers should be cautious when implementing file upload features in their applications. View details
    The Android Platform Security Model (2023)
    Jeff Vander Stoep
    Chad Brubaker
    Dianne Hackborn
    Michael Specter
    Arxiv, Cornell University (2023)
    Preview abstract Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. To support this flexibility, Android’s security model must strike a difficult balance between security, privacy, and usability for end users; provide assurances for app developers; and maintain system performance under tight hardware constraints. This paper aims to both document the assumed threat model and discuss its implications, with a focus on the ecosystem context in which Android exists. We analyze how different security measures in past and current Android implementations work together to mitigate these threats, and, where there are special cases in applying the security model in practice; we discuss these deliberate deviations and examine their impact. View details
    Evaluating User Behavior in Smartphone Security: A Psychometric Perspective
    Hsiao-Ying Huang
    Soteris Demetriou
    Muhammad Hassan
    Carl A. Gunter
    Masooda Bashir
    USENIX SOUPS (2023)
    Preview abstract Smartphones have become an essential part of our modern society. Their popularity and ever-increasing relevance in our daily lives make these devices an integral part of our comput- ing ecosystem. Yet, we know little about smartphone users and their security behaviors. In this paper, we report our de- velopment and testing of a new 14-item Smartphone Security Behavioral Scale (SSBS) which provides a measurement of users’ smartphone security behavior considering both tech- nical and social strategies. For example, a technical strategy would be resetting the advertising ID while a social strategy would be downloading mobile applications only from an offi- cial source.The initial analysis of two-component behavioral model, based on technical versus social protection strategies, demonstrates high reliability and good fit for the social com- ponent of the behavioral scale. The technical component of the scale, which has theoretical significance, shows a marginal fit and could benefit from further improvement. This newly de- veloped measure of smartphone security behavior is inspired by the theory of planned behavior and draws inspiration from a well-known scale of cybersecurity behavioral intention, the Security Behavior Intention Scale (SeBIS). The psychomet- rics of SSBS were established by surveying 1011 participants. We believe SSBS measures can enhance the understanding of human security behavior for both security researchers and HCI designers. View details
    RøB: Ransomware over Modern Web Browsers
    Harun Oz
    Ahmet Aris
    Abbas Acar
    Leonardo Babun
    Selcuk Uluagac
    USENIX Security (2023)
    Preview abstract File System Access (FSA) API enables web applications to interact with files on the users’ local devices. Even though it can be used to develop rich web applications, it greatly extends the attack surface, which can be abused by adversaries to cause significant harm. In this paper, for the first time in the literature, we extensively study this new attack vector that can be used to develop a powerful new ransomware strain over a browser. Using the FSA API and WebAssembly technology, we demonstrate this novel browser-based ransomware called RØB as a malicious web application that encrypts the user’s files from the browser. We use RØB to perform impact analysis with different OSs, local directories, and antivirus solutions as well as to develop mitigation techniques against it. Our evaluations show that RØB can encrypt the victim’s local files including cloud-integrated directories, external storage devices, and network-shared folders regardless of the access limitations imposed by the API. Moreover, we evaluate and show how the existing defense solutions fall short against RØB in terms of their feasibility. We propose three potential defense solutions to mitigate this new attack vector. These solutions operate at different levels (i.e., browser-level, filesystem-level, and user-level) and are orthogonal to each other. Our work strives to raise awareness of the dangers of RØBlike browser-based ransomware strains and shows that the emerging API documentation (in this case the popular FSA) can be equivocal in terms of reflecting the extent of the threat. View details
    Smartphone Security Behavioral Scale: A New Psychometric Measurement for Smartphone Security
    Hsiao-Ying Huang
    Soteris Demetriou
    Rini Banerjee
    Carl A Gunter
    Masooda Bashir
    Cornell University (2020)
    Preview abstract Despite widespread use of smartphones, there is no measurement standard targeted at smartphone security behaviors. In this paper we translate a well-known cybersecurity behavioral scale into the smartphone domain and show that we can improve on this translation by following an established psychometrics approach surveying 1011 participants. We design a new 14-item Smartphone Security Behavioral Scale (SSBS) exhibiting high reliability and good fit to a two-component behavioural model based on technical versus social protection strategies. We then demonstrate how SSBS can be applied to measure the influence of mental health issues on smartphone security behavior intentions. We found significant correlations that predict SSBS profiles from three types of MHIs. Conversely, we are able to predict presence of MHIs using SSBS profiles. We obtain prediction AUCs of 72.1% for Internet addiction, 75.8% for depression and 66.2% for insomnia. View details
    See No Evil: Phishing for Permissions with False Transparency
    Jingyu Qian
    Carl A. Gunter
    USENIX Security, USENIX (2020)
    Preview abstract Android introduced runtime permissions in order to provide users with more contextual information to make informed decisions as well as with finer granularity when dealing with permissions. In this work, we identified that the correct operation of the runtime permission model relies on certain implicit assumptions which can conveniently be broken by adversaries to illegitimately obtain permissions from the background while impersonating foreground apps. We call this detrimental scenario false transparency attacks. These attacks constitute a serious security threat to the Android platform as they invalidate the security guarantees of 1) runtime permissions by enabling background apps to spoof the context and identity of foreground apps when requesting permissions and of 2) Android permissions altogether by allowing adversaries to exploit users’ trust in other apps to obtain permissions. We demonstrated via a user study we conducted on Amazon Mechanical Turk that mobile users’ comprehension of runtime permissions renders them susceptible to this attack vector. We carefully designed our attacks to launch strategically in order to appear persuasive and verified the validity of our design strategies through our user study. To demonstrate the feasibility of our attacks, we conducted an in-lab user study in a realistic setting and showed that none of the subjects noticed our attacks. Finally, we discuss why the existing defenses against mobile phishing fail in the context of false transparency attacks. In particular, we disclose the security vulnerabilities we identified in a key security mechanism added in Android 10. We then propose a list of countermeasures to be implemented on the Android platform and on app stores to practically tackle false transparency attacks. View details