Mobile Security

Mobile Security (2025-2026)

Language: The course and the exam will be in English.

Credits: 6 CFU.

Lectures mode:

  • Before each lecture, the teacher publishes a recorded video covering the topics of the upcoming lecture. Students have to watch the video before attending the lecture.
  • At the start of the lecture, the teacher releases a brief questionnaire to check whether the students have understood the main concepts presented in the recorded lecture. The questionnaire is administered through the Moodle platform. The teacher then answers any doubts or questions.
  • The teacher releases a new assignment, which is solved by all groups. For every assignment, one group is chosen to present its solution.
  • During the next lecture, that group presents its solution and answers questions from the teacher and from the other students. Each member of the group can earn up to 3 points, which are added to the grade obtained at the final exam.

The course is very practical and requires active participation from the students. Thus, although attendance is not mandatory, it is strongly recommended in order to benefit from the interaction with the other students and the teacher.

Schedule: I semester (course schedule is published HERE).

Course Content

“Mobile Security” is a hands-on course. The exercises are in the format of Capture The Flag (CTF) challenges: the students are asked to solve a problem and to find the “flag”, which is nothing more than a string hidden somewhere in the target (e.g., inside the app or the device under analysis).

The course covers the following topics:

  • Internal architecture of the Android Operating System.
  • Mobile app components (Activity, Service, Content Provider, Broadcast Receiver).
  • Mobile app analysis techniques.
  • Mobile app reverse engineering techniques.
  • Mobile app vulnerability assessment.
  • Static and dynamic analysis techniques for mobile apps.
  • Mobile app vulnerability exploitation.

Prerequisites:

  • Background knowledge of an object-oriented programming language (e.g., Java) is highly recommended.
  • Knowledge of cybersecurity fundamentals (e.g., cryptography, access control, authentication) is helpful but not required.

Grading Criteria

The final exam will be a set of multiple choice questions covering all the topics of the course.

The exam is worth 33 points, divided as follows:

  • 18 points from theoretical questions (18 questions, each worth 1 point)
  • 15 points from practical questions

The bonus accumulated through the presentations given during the course is added to the grade obtained at the exam. Since attendance is not mandatory, a student can obtain the maximum grade (i.e., 30L) even without attending the course.

Special Project Option for This Year

Over the past few years, I have been working with my group on app-level virtualization, using it to design both new attacks and new defences. Among the different projects, we have developed a solution, called VirtualPatch, to address the delay in distributing security patches for the Android OS.

The purpose of the project is to port the current VirtualPatch version, developed on top of VirtualApp on Android 9, to VirtualXposed on Android 13.

Since the project requires deep knowledge of Android internals that will not be covered during the course, I suggest working on it in a small group (3-4 students).

Students choosing this option will have to present their design and implementation and to take an oral exam covering the whole course content.

Readings: