You are cordially invited to attend the PhD Defense of Fernando Kaway CARVALHO OTA on Monday, 27 February 2023 at 14:00 in room JFK-E004.
Members of the defense committee:
- Prof. Dr. Raphaël FRANK, University of Luxembourg, Chairman
- Dr. Jean HILGER, University of Luxembourg, Deputy Chairman
- Prof. Dr. Radu STATE, University of Luxembourg, Supervisor
- Prof. Dr. Thibault CHOLEZ, University of Lorraine, Nancy, France, Member
- Prof. Dr. Omar CHERKAOUI, UQAM, Canada, Member
- Mr. Christophe ATTEN, Spuerkeess Luxembourg, Expert in an Advisory Capacity
- Dr. Jorge Augusto MEIRA, University of Luxembourg, Expert in an Advisory Capacity
Abstract:
The popularization of the Internet and the widespread use of mobile applications have brought about a complete shift in software engineering paradigms. With over half of the world’s population now connected to the Internet, and smartphones generating the majority of Internet traffic, the increased usage and availability of mobile applications have attracted attention from various industries. These industries have transformed their retail channels by using apps as the primary means of communication with clients, resulting in a broader attack surface for actors who can reach the back-end servers through the Representational State Transfer (REST) Application Programming Interfaces (APIs). The exposure of sensitive data raises concerns about user privacy and the enforcement of data protection regulations, such as the General Data Protection Regulation (GDPR) in Europe. Even a properly built secure communication channel, using Transport Layer Security (TLS) for example, can still be exploited if an attacker understands how to craft API requests that abuse poorly built business logic. The fast-paced development of APIs in the financial sector, driven by Open Banking regulations, further exposes these institutions to new risks. Protecting privacy across the whole data life cycle calls for security assurance at every stage: in the communication, storage, and processing of data. The research questions posed in this work include: How can the back-end server guarantee that it is receiving data from a legitimate instance of the mobile application? Can the data processing be protected from those with access to the processing platforms? Can a user share data while ensuring proper data governance? The author aims to address these questions in order to ensure secure data processing and protection of user privacy in the rapidly evolving mobile applications ecosystem.