Güliz Seray Tuncay
Dr. Güliz Seray Tuncay is a Senior Research Scientist in the Android Security and Privacy team at Google. She received her Ph.D. from the University of Illinois at Urbana-Champaign in 2019. Her Ph.D. thesis titled "Practical least privilege for cross-origin interactions on mobile operating systems" was the runner up of the ACM SIGSAC Doctoral Dissertation Award. Güliz was selected as a Rising Star in EECS in 2019.
Güliz's research interests include mobile and IoT security, usable security, web security, and mobile computing. She has published her academic work in top-tier venues, including ACM Computer and Communications Security (CCS), IEEE Security & Privacy, USENIX Security, and ISOC Network and Distributed System Security (NDSS) Symposium. In 2018, her work on Android permissions received the Distinguished Paper Award at the NDSS Symposium.
Güliz is an active member of the research community. She has served as a technical program committee member for several prestigious venues, including ACM CCS, NDSS, USENIX Security, as well as several prestigious IEEE workshops and competitions such as the CSAW Applied research competition.
Güliz is passionate about using her research to make mobile devices more secure and private. She believes that everyone should be able to use mobile devices without fear of being hacked or having their privacy violated.
For more information, please visit www.gulizseray.com
Güliz's research interests include mobile and IoT security, usable security, web security, and mobile computing. She has published her academic work in top-tier venues, including ACM Computer and Communications Security (CCS), IEEE Security & Privacy, USENIX Security, and ISOC Network and Distributed System Security (NDSS) Symposium. In 2018, her work on Android permissions received the Distinguished Paper Award at the NDSS Symposium.
Güliz is an active member of the research community. She has served as a technical program committee member for several prestigious venues, including ACM CCS, NDSS, USENIX Security, as well as several prestigious IEEE workshops and competitions such as the CSAW Applied research competition.
Güliz is passionate about using her research to make mobile devices more secure and private. She believes that everyone should be able to use mobile devices without fear of being hacked or having their privacy violated.
For more information, please visit www.gulizseray.com
Research Areas
Authored Publications
Sort By
50 Shades of Support: A Device-Centric Analysis of Android Security Updates
Abbas Acar
Esteban Luques
Harun Oz
Ahmet Aris
Selcuk Uluagac
Network and Distributed System Security (NDSS) Symposium (2024)
Preview abstract
Android is by far the most popular OS with over
three billion active mobile devices. As in any software, uncovering
vulnerabilities on Android devices and applying timely patches
are both critical. Android Open Source Project (AOSP) has
initiated efforts to improve the traceability of security updates
through Security Patch Levels (SPLs) assigned to devices. While
this initiative provided better traceability for the vulnerabilities,
it has not entirely resolved the issues related to the timeliness
and availability of security updates for end users. Recent studies
on Android security updates have focused on the issue of delay
during the security update roll-out, largely attributing this to
factors related to fragmentation. However, these studies fail to
capture the entire Android ecosystem as they primarily examine
flagship devices or do not paint a comprehensive picture of the
Android devices’ lifecycle due to the datasets spanning over a
short timeframe. To address this gap in the literature, we utilize
a device-centric approach to analyze the security update behavior
of Android devices. Our approach aims to understand the security
update distribution behavior of OEMs (e.g., Samsung) by using
a representative set of devices from each OEM and characterize
the complete lifecycle of an average Android device. We obtained
367K official security update records from public sources, span-
ning from 2014 to 2023. Our dataset contains 599 unique devices
from four major OEMs that are used in 97 countries and are
associated with 109 carriers. We identify significant differences
in the roll-out of security updates across different OEMs, device
models/types, and geographical regions across the world. Our
findings show that the reasons for the delay in the roll-out of
security updates are not limited to fragmentation but also involve
OEM-specific factors. Our analysis also uncovers certain key
issues that can be readily addressed as well as exemplary practices
that can be immediately adopted by OEMs in practice.
View details
On the Robustness of Image-based Malware Detection against Adversarial Attacks
Yassine Mekdad
Harun Oz
Ahmet Aris
Leonardo Babun
Faraz Naseem
Selcuk Uluagac
Nasir Ghani
Abbas Acar
Network Security Empowered by Artificial Intelligence, Springer (2024)
Preview abstract
Machine and deep learning models are now one of the most valuable tools in the arsenal of computer security practitioners. Their success has been demonstrated in various network-security-oriented applications such as intrusion detection, cyber threat intelligence, vulnerability discovery, and malware detection. Nevertheless, recent research studies have shown that crafted adversarial samples can be used to evade malware detection models. Even though several defense mechanisms such as adversarial training have been proposed in the malware detection domain to address this issue, they unfortunately suffer from model poisoning and low detection accuracy. In this chapter, we assess the robustness of image-based malware classifier against four different adversarial attacks: (a) random and benign brute-force byte append attacks for black-box settings and (b) random and benign Fast Gradient Sign Method (FGSM) attacks for white-box settings. To this end, we implement a Convolutional Neural Network (CNN) to classify the image representations of Windows Portable Executable (PE) malware with a detection accuracy of 95.05%. Then, we evaluate its robustness along with MalConv, a state-of-the-art malware classifier, by applying a set of functionality-preserving adversarial attacks. Our experimental results demonstrate that image-based classifier exhibits a lower evasion rate of 5% compared to MalConv that achieves an evasion rate ranging between 44 and 54% in black-box settings. However, in white-box settings, both models fail against random byte and benign byte FGSM attacks, with an evasion rate of more than 46%.
View details
With Great Power Comes Great Responsibility: Security and Privacy Issues of Modern Browser APIs
Harun Oz
Daniele Cono D’Elia
Abbas Acar
Riccardo Lazzeretti
Selcuk Uluagac
IEEE Security and Privacy (2024)
Preview abstract
This paper discusses security and privacy issues in modern Browser
APIs by categorizing them based on their functionality. With this study, we aim to
alert the community about these issues and motivate further research into
analyzing the security and privacy concerns within modern Browser APIs.
View details
Wear's my Data? Understanding the Cross-Device Runtime Permission Model in Wearables
Doguhan Yeke
Muhammad Ibrahim
Habiba Farukh
Abdullah Imran
Antonio Bianchi
Z. Berkay Celik
IEEE Security and Privacy (2024) (to appear)
Preview abstract
Wearable devices are becoming increasingly important, helping us stay healthy and connected. There are a variety
of app-based wearable platforms that can be used to manage
these devices. The apps on wearable devices often work with a
companion app on users’ smartphones. The wearable device and
the smartphone typically use two separate permission models
that work synchronously to protect sensitive data. However, this
design creates an opaque view of the management of permission-
protected data, resulting in over-privileged data access without
the user’s explicit consent. In this paper, we performed the first
systematic analysis of the interaction between the Android and
Wear OS permission models. Our analysis is two-fold. First,
through taint analysis, we showed that cross-device flows of
permission-protected data happen in the wild, demonstrating
that 28 apps (out of the 150 we studied) on Google Play
have sensitive data flows between the wearable app and its
companion app. We found that these data flows occur without
the users’ explicit consent, introducing the risk of violating
user expectations. Second, we conducted an in-lab user study
to assess users’ understanding of permissions when subject to
cross-device communication (n = 63). We found that 66.7% of
the users are unaware of the possibility of cross-device sensitive
data flows, which impairs their understanding of permissions in
the context of wearable devices and puts their sensitive data at
risk. We also showed that users are vulnerable to a new class of
attacks that we call cross-device permission phishing attacks on
wearable devices. Lastly, we performed a preliminary study on
other watch platforms (i.e., Apple’s watchOS, Fitbit, Garmin
OS) and found that all these platforms suffer from similar
privacy issues. As countermeasures for the potential privacy
violations in cross-device apps, we suggest improvements in the
system prompts and the permission model to enable users to
make better-informed decisions, as well as on app markets to
identify malicious cross-device data flows.
View details
(In)Security of File Uploads in Node.js
Harun Oz
Abbas Acar
Ahmet Aris
Amin Kharraz
Selcuk Uluagac
The Web conference (WWW) (2024)
Preview abstract
File upload is a critical feature incorporated by a myriad of web
applications to enable users to share and manage their files conveniently. It has been used in many useful services such as file-sharing
and social media. While file upload is an essential component of
web applications, the lack of rigorous checks on the file name, type,
and content of the uploaded files can result in security issues, often
referred to as Unrestricted File Upload (UFU). In this study, we analyze the (in)security of popular file upload libraries and real-world
applications in the Node.js ecosystem. To automate our analysis, we
propose NodeSec– a tool designed to analyze file upload insecurities in Node.js applications and libraries. NodeSec generates unique
payloads and thoroughly evaluates the application’s file upload security against 13 distinct UFU-type attacks. Utilizing NodeSec, we
analyze the most popular file upload libraries and real-world ap-
plications in the Node.js ecosystem. Our results reveal that some
real-world web applications are vulnerable to UFU attacks and dis-
close serious security bugs in file upload libraries. As of this writing,
we received 19 CVEs and two US-CERT cases for the security issues that we reported. Our findings provide strong evidence that
the dynamic features of Node.js applications introduce security
shortcomings and that web developers should be cautious when
implementing file upload features in their applications.
View details
The Android Platform Security Model (2023)
Jeff Vander Stoep
Chad Brubaker
Dianne Hackborn
Michael Specter
Arxiv, Cornell University (2023)
Preview abstract
Android is the most widely deployed end-user focused operating system. With its growing set of use cases
encompassing communication, navigation, media consumption, entertainment, finance, health, and access to
sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical
threats in a wide variety of scenarios while being useful to non-security experts. To support this flexibility,
Android’s security model must strike a difficult balance between security, privacy, and usability for end users;
provide assurances for app developers; and maintain system performance under tight hardware constraints.
This paper aims to both document the assumed threat model and discuss its implications, with a focus on
the ecosystem context in which Android exists. We analyze how different security measures in past and
current Android implementations work together to mitigate these threats, and, where there are special cases
in applying the security model in practice; we discuss these deliberate deviations and examine their impact.
View details
Evaluating User Behavior in Smartphone Security: A Psychometric Perspective
Hsiao-Ying Huang
Soteris Demetriou
Muhammad Hassan
Carl A. Gunter
Masooda Bashir
USENIX SOUPS (2023)
Preview abstract
Smartphones have become an essential part of our modern
society. Their popularity and ever-increasing relevance in our
daily lives make these devices an integral part of our comput-
ing ecosystem. Yet, we know little about smartphone users
and their security behaviors. In this paper, we report our de-
velopment and testing of a new 14-item Smartphone Security
Behavioral Scale (SSBS) which provides a measurement of
users’ smartphone security behavior considering both tech-
nical and social strategies. For example, a technical strategy
would be resetting the advertising ID while a social strategy
would be downloading mobile applications only from an offi-
cial source.The initial analysis of two-component behavioral
model, based on technical versus social protection strategies,
demonstrates high reliability and good fit for the social com-
ponent of the behavioral scale. The technical component of
the scale, which has theoretical significance, shows a marginal
fit and could benefit from further improvement. This newly de-
veloped measure of smartphone security behavior is inspired
by the theory of planned behavior and draws inspiration from
a well-known scale of cybersecurity behavioral intention, the
Security Behavior Intention Scale (SeBIS). The psychomet-
rics of SSBS were established by surveying 1011 participants.
We believe SSBS measures can enhance the understanding
of human security behavior for both security researchers and
HCI designers.
View details
RøB: Ransomware over Modern Web Browsers
Harun Oz
Ahmet Aris
Abbas Acar
Leonardo Babun
Selcuk Uluagac
USENIX Security (2023)
Preview abstract
File System Access (FSA) API enables web applications to
interact with files on the users’ local devices. Even though it
can be used to develop rich web applications, it greatly extends the attack surface, which can be abused by adversaries
to cause significant harm. In this paper, for the first time in the
literature, we extensively study this new attack vector that can
be used to develop a powerful new ransomware strain over
a browser. Using the FSA API and WebAssembly technology, we demonstrate this novel browser-based ransomware
called RØB as a malicious web application that encrypts the
user’s files from the browser. We use RØB to perform impact
analysis with different OSs, local directories, and antivirus solutions as well as to develop mitigation techniques against it.
Our evaluations show that RØB can encrypt the victim’s local
files including cloud-integrated directories, external storage
devices, and network-shared folders regardless of the access
limitations imposed by the API. Moreover, we evaluate and
show how the existing defense solutions fall short against
RØB in terms of their feasibility. We propose three potential
defense solutions to mitigate this new attack vector. These
solutions operate at different levels (i.e., browser-level, filesystem-level, and user-level) and are orthogonal to each other.
Our work strives to raise awareness of the dangers of RØBlike browser-based ransomware strains and shows that the
emerging API documentation (in this case the popular FSA)
can be equivocal in terms of reflecting the extent of the threat.
View details
Smartphone Security Behavioral Scale: A New Psychometric Measurement for Smartphone Security
Hsiao-Ying Huang
Soteris Demetriou
Rini Banerjee
Carl A Gunter
Masooda Bashir
Cornell University (2020)
Preview abstract
Despite widespread use of smartphones, there is no measurement standard targeted at smartphone security behaviors. In this paper we translate a well-known cybersecurity behavioral scale into the smartphone domain and show that we can improve on this translation by following an established psychometrics approach surveying 1011 participants. We design a new 14-item Smartphone Security Behavioral Scale (SSBS) exhibiting high reliability and good fit to a two-component behavioural model based on technical versus social protection strategies. We then demonstrate how SSBS can be applied to measure the influence of mental health issues on smartphone security behavior intentions. We found significant correlations that predict SSBS profiles from three types of MHIs. Conversely, we are able to predict presence of MHIs using SSBS profiles. We obtain prediction AUCs of 72.1% for Internet addiction, 75.8% for depression and 66.2% for insomnia.
View details
Preview abstract
Android introduced runtime permissions in order to provide users with more contextual information to make informed decisions as well as with finer granularity when dealing with
permissions. In this work, we identified that the correct operation of the runtime permission model relies on certain implicit assumptions which can conveniently be broken by
adversaries to illegitimately obtain permissions from the background while impersonating foreground apps. We call this detrimental scenario false transparency attacks. These attacks
constitute a serious security threat to the Android platform as
they invalidate the security guarantees of 1) runtime permissions by enabling background apps to spoof the context and identity of foreground apps when requesting permissions and
of 2) Android permissions altogether by allowing adversaries
to exploit users’ trust in other apps to obtain permissions.
We demonstrated via a user study we conducted on Amazon Mechanical Turk that mobile users’ comprehension of runtime permissions renders them susceptible to this attack
vector. We carefully designed our attacks to launch strategically in order to appear persuasive and verified the validity of our design strategies through our user study. To demonstrate the feasibility of our attacks, we conducted an in-lab user study in a realistic setting and showed that none of the
subjects noticed our attacks. Finally, we discuss why the existing defenses against mobile phishing fail in the context of false transparency attacks. In particular, we disclose the security vulnerabilities we identified in a key security mechanism added in Android 10. We then propose a list of countermeasures to be implemented on the Android platform and on app stores to practically tackle false transparency attacks.
View details