 
Güliz Seray Tuncay
Dr. Güliz Seray Tuncay is a Senior Research Scientist in the Platforms Security and Privacy team at Google. She received her Ph.D. from the University of Illinois at Urbana-Champaign in 2019. Her Ph.D. thesis, titled "Practical least privilege for cross-origin interactions on mobile operating systems", was the runner-up for the ACM SIGSAC Doctoral Dissertation Award. Güliz was selected as a Rising Star in EECS in 2019.
Güliz's research interests include mobile and IoT security, usable security, web security, and mobile computing. She has published her academic work in top-tier venues, including ACM Computer and Communications Security (CCS), IEEE Security & Privacy, USENIX Security, and ISOC Network and Distributed System Security (NDSS) Symposium. In 2018, her work on Android permissions received the Distinguished Paper Award at the NDSS Symposium.
Güliz is an active member of the research community. She has served as a technical program committee member for several prestigious venues, including ACM CCS, NDSS, USENIX Security, as well as several prestigious IEEE workshops and competitions such as the CSAW Applied research competition.
Güliz is passionate about using her research to make mobile devices more secure and private. She believes that everyone should be able to use mobile devices without fear of being hacked or having their privacy violated.
For more information, please visit www.gulizseray.com
        
Authored Publications

Storage on Android has evolved significantly over the years, with each new Android version introducing changes aimed at enhancing usability, security, and privacy. While these updates typically help with restricting app access to storage through various mechanisms, they may occasionally introduce new complexities and vulnerabilities. A prime example is the introduction of scoped storage in Android 10, which fundamentally changed how apps interact with files. While intended to enhance user privacy by limiting broad access to shared storage, scoped storage has also presented developers with new challenges and potential vulnerabilities to address. However, despite its significance for user privacy and app functionality, no systematic studies have examined Android’s scoped storage in depth from a security perspective. In this paper, we present the first systematic security analysis of the scoped storage mechanism. To this end, we design and implement a testing tool, named ScopeVerif, that relies on differential analysis to uncover security issues and implementation inconsistencies in Android’s storage. Specifically, ScopeVerif takes a list of security properties and checks whether any file operations violate the security properties defined in the official Android documentation. Additionally, we conduct a comprehensive analysis across different Android versions as well as a cross-OEM analysis to identify discrepancies between implementations and their security implications. Our study identifies both known and unknown issues of scoped storage. Our cross-version analysis highlights undocumented changes as well as partially fixed security loopholes across versions. Additionally, we discovered several vulnerabilities in scoped storage implementations by different OEMs. These vulnerabilities stem from deviations from the documented and correct behavior, which potentially poses security risks. The affected OEMs and Google have acknowledged our findings and offered us bug bounties in response.

Ransomware over Modern Web Browsers: A Novel Strain and A New Defense Mechanism
Harun Oz, Ahmet Aris, Leonardo Babun, Selcuk Uluagac, Abbas Acar
ACM Transactions on the Web (2025)

Ransomware is an increasingly prevalent form of malware targeting end-users, governments, and businesses. As it has evolved, adversaries have added new capabilities to their arsenal. Continuing this evolution, this paper presents a next-generation browser-based ransomware, RøB, that performs its malicious actions via emerging web technologies, the File System Access API (FSA) and WebAssembly (Wasm). RøB uses this API through the victims’ browsers; hence, it does not require the victims to download and install malicious binaries. We performed extensive evaluations with 3 different OSs, 23 file formats, 29 distinct directories, 5 cloud providers, and 4 antivirus solutions. Our evaluations show that RøB can encrypt various types of files in the local and cloud-integrated directories, external storage devices, and network-shared folders of victims. Our experiments also reveal that popular cloud solutions, Box Individual and Apple iCloud, can be severely affected by RøB. Moreover, we conducted tests with commercial antivirus software such as AVG, Avast, Kaspersky, and Malwarebytes that perform sensitive directory and suspicious behavior monitoring against ransomware. We verified that RøB can evade these antivirus products and encrypt victim files. Moreover, existing ransomware detection solutions in the literature also cannot be a remedy against RøB due to its distinct features. Therefore, in this paper, we also propose broguard, a new detection system for RøB-like attacks. broguard monitors the web applications that use the FSA API via function hooking and uses a machine learning classifier to detect RøB-like attacks in real time without any file loss. Performance evaluations of broguard on a comprehensive dataset show that broguard can detect RøB-like browser-based ransomware attacks with over 99% accuracy and minimal overhead.

Android Permissions: Evolution, Attacks, and Best Practices
IEEE Security & Privacy (2024)

In this article, we study the evolution of Android permissions. We describe the rationale behind key changes in Android’s permission model and disclose two permission-related security vulnerabilities we discovered. Finally, we provide developers with actionable insights to proactively address permission-related security and privacy risks during development.

Wear's my Data? Understanding the Cross-Device Runtime Permission Model in Wearables
Doguhan Yeke, Muhammad Ibrahim, Habiba Farukh, Abdullah Imran, Antonio Bianchi, Z. Berkay Celik
IEEE Symposium on Security and Privacy (2024)

Wearable devices are becoming increasingly important, helping us stay healthy and connected. There are a variety of app-based wearable platforms that can be used to manage these devices. The apps on wearable devices often work with a companion app on users’ smartphones. The wearable device and the smartphone typically use two separate permission models that work synchronously to protect sensitive data. However, this design creates an opaque view of the management of permission-protected data, resulting in over-privileged data access without the user’s explicit consent. In this paper, we performed the first systematic analysis of the interaction between the Android and Wear OS permission models. Our analysis is two-fold. First, through taint analysis, we showed that cross-device flows of permission-protected data happen in the wild, demonstrating that 28 apps (out of the 150 we studied) on Google Play have sensitive data flows between the wearable app and its companion app. We found that these data flows occur without the users’ explicit consent, introducing the risk of violating user expectations. Second, we conducted an in-lab user study to assess users’ understanding of permissions when subject to cross-device communication (n = 63). We found that 66.7% of the users are unaware of the possibility of cross-device sensitive data flows, which impairs their understanding of permissions in the context of wearable devices and puts their sensitive data at risk. We also showed that users are vulnerable to a new class of attacks that we call cross-device permission phishing attacks on wearable devices. Lastly, we performed a preliminary study on other watch platforms (i.e., Apple’s watchOS, Fitbit, Garmin OS) and found that all these platforms suffer from similar privacy issues. As countermeasures for the potential privacy violations in cross-device apps, we suggest improvements in the system prompts and the permission model to enable users to make better-informed decisions, as well as on app markets to identify malicious cross-device data flows.

(In)Security of File Uploads in Node.js
Harun Oz, Abbas Acar, Ahmet Aris, Amin Kharraz, Selcuk Uluagac
The Web Conference (WWW) (2024)

File upload is a critical feature incorporated by a myriad of web applications to enable users to share and manage their files conveniently. It has been used in many useful services such as file sharing and social media. While file upload is an essential component of web applications, the lack of rigorous checks on the file name, type, and content of the uploaded files can result in security issues, often referred to as Unrestricted File Upload (UFU). In this study, we analyze the (in)security of popular file upload libraries and real-world applications in the Node.js ecosystem. To automate our analysis, we propose NodeSec, a tool designed to analyze file upload insecurities in Node.js applications and libraries. NodeSec generates unique payloads and thoroughly evaluates the application’s file upload security against 13 distinct UFU-type attacks. Utilizing NodeSec, we analyze the most popular file upload libraries and real-world applications in the Node.js ecosystem. Our results reveal that some real-world web applications are vulnerable to UFU attacks and disclose serious security bugs in file upload libraries. As of this writing, we have received 19 CVEs and two US-CERT cases for the security issues that we reported. Our findings provide strong evidence that the dynamic features of Node.js applications introduce security shortcomings and that web developers should be cautious when implementing file upload features in their applications.

With Great Power Comes Great Responsibility: Security and Privacy Issues of Modern Browser APIs
Harun Oz, Daniele Cono D’Elia, Abbas Acar, Riccardo Lazzeretti, Selcuk Uluagac
IEEE Security and Privacy (2024)

This paper discusses security and privacy issues in modern Browser APIs by categorizing them based on their functionality. With this study, we aim to alert the community about these issues and motivate further research into analyzing the security and privacy concerns within modern Browser APIs.

On the Robustness of Image-based Malware Detection against Adversarial Attacks
Yassine Mekdad, Harun Oz, Ahmet Aris, Leonardo Babun, Faraz Naseem, Selcuk Uluagac, Nasir Ghani, Abbas Acar
Network Security Empowered by Artificial Intelligence, Springer (2024)

Machine and deep learning models are now among the most valuable tools in the arsenal of computer security practitioners. Their success has been demonstrated in various network-security-oriented applications such as intrusion detection, cyber threat intelligence, vulnerability discovery, and malware detection. Nevertheless, recent research has shown that crafted adversarial samples can be used to evade malware detection models. Even though several defense mechanisms, such as adversarial training, have been proposed in the malware detection domain to address this issue, they unfortunately suffer from model poisoning and low detection accuracy. In this chapter, we assess the robustness of an image-based malware classifier against four different adversarial attacks: (a) random and benign brute-force byte append attacks for black-box settings and (b) random and benign Fast Gradient Sign Method (FGSM) attacks for white-box settings. To this end, we implement a Convolutional Neural Network (CNN) to classify the image representations of Windows Portable Executable (PE) malware with a detection accuracy of 95.05%. Then, we evaluate its robustness, along with that of MalConv, a state-of-the-art malware classifier, by applying a set of functionality-preserving adversarial attacks. Our experimental results demonstrate that the image-based classifier exhibits a lower evasion rate of 5%, compared to MalConv, which achieves an evasion rate ranging between 44% and 54% in black-box settings. However, in white-box settings, both models fail against random-byte and benign-byte FGSM attacks, with an evasion rate of more than 46%.

50 Shades of Support: A Device-Centric Analysis of Android Security Updates
Abbas Acar, Esteban Luques, Harun Oz, Ahmet Aris, Selcuk Uluagac
Network and Distributed System Security (NDSS) Symposium (2024)

Android is by far the most popular OS, with over three billion active mobile devices. As in any software, uncovering vulnerabilities on Android devices and applying timely patches are both critical. The Android Open Source Project (AOSP) has initiated efforts to improve the traceability of security updates through Security Patch Levels (SPLs) assigned to devices. While this initiative provided better traceability for the vulnerabilities, it has not entirely resolved the issues related to the timeliness and availability of security updates for end users. Recent studies on Android security updates have focused on the issue of delay during the security update roll-out, largely attributing this to factors related to fragmentation. However, these studies fail to capture the entire Android ecosystem, as they primarily examine flagship devices or do not paint a comprehensive picture of the Android devices’ lifecycle due to the datasets spanning over a short timeframe. To address this gap in the literature, we utilize a device-centric approach to analyze the security update behavior of Android devices. Our approach aims to understand the security update distribution behavior of OEMs (e.g., Samsung) by using a representative set of devices from each OEM and to characterize the complete lifecycle of an average Android device. We obtained 367K official security update records from public sources, spanning from 2014 to 2023. Our dataset contains 599 unique devices from four major OEMs that are used in 97 countries and are associated with 109 carriers. We identify significant differences in the roll-out of security updates across different OEMs, device models/types, and geographical regions across the world. Our findings show that the reasons for the delay in the roll-out of security updates are not limited to fragmentation but also involve OEM-specific factors. Our analysis also uncovers certain key issues that can be readily addressed as well as exemplary practices that can be immediately adopted by OEMs in practice.

Evaluating User Behavior in Smartphone Security: A Psychometric Perspective
Hsiao-Ying Huang, Soteris Demetriou, Muhammad Hassan, Carl A. Gunter, Masooda Bashir
USENIX SOUPS (2023)

Smartphones have become an essential part of our modern society. Their popularity and ever-increasing relevance in our daily lives make these devices an integral part of our computing ecosystem. Yet, we know little about smartphone users and their security behaviors. In this paper, we report our development and testing of a new 14-item Smartphone Security Behavioral Scale (SSBS), which provides a measurement of users’ smartphone security behavior considering both technical and social strategies. For example, a technical strategy would be resetting the advertising ID, while a social strategy would be downloading mobile applications only from an official source. The initial analysis of the two-component behavioral model, based on technical versus social protection strategies, demonstrates high reliability and good fit for the social component of the behavioral scale. The technical component of the scale, which has theoretical significance, shows a marginal fit and could benefit from further improvement. This newly developed measure of smartphone security behavior is inspired by the theory of planned behavior and draws on a well-known scale of cybersecurity behavioral intention, the Security Behavior Intention Scale (SeBIS). The psychometrics of SSBS were established by surveying 1011 participants. We believe SSBS measures can enhance the understanding of human security behavior for both security researchers and HCI designers.

The Android Platform Security Model (2023)
Jeff Vander Stoep, Chad Brubaker, Dianne Hackborn, Roger Piqueras Jover
arXiv, Cornell University (2023)

Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. To support this flexibility, Android’s security model must strike a difficult balance between security, privacy, and usability for end users; provide assurances for app developers; and maintain system performance under tight hardware constraints. This paper aims to both document the assumed threat model and discuss its implications, with a focus on the ecosystem context in which Android exists. We analyze how different security measures in past and current Android implementations work together to mitigate these threats and, where there are special cases in applying the security model in practice, we discuss these deliberate deviations and examine their impact.