The overall goal of this project is to develop a usable SSL/TLS API by studying how developers with limited security background approach adding encryption to their projects, followed by identifying common sources of error, and then iteratively designing an API that supports adding security as part of the developer's typical work model.
SSL/TLS is used to encrypt communication between devices on the internet, but many developers make errors when attempting to incorporate these libraries into their projects, leading to serious security problems such as data leakage and potential compromise of devices. It is estimated that as many as 88% of Android apps contain at least one cryptographic API usage mistake, e.g., using constants for keys, salt, seeds, or choosing the wrong encryption mode [1].
Just like any other human-computer interface, APIs need to be designed to be usable, to minimize accidental error, and generally to support the workflow of their users. When these principles are not taken into account, it becomes easy for even highly skilled developers to make mistakes. While several HCI methods exist for exploring API usability and creating new API designs, in general there have been few attempts to apply them to security libraries.
[1] Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. An empirical study of cryptographic misuse in Android applications. In Proc. ACM CCS’13, pages 73–84. ACM, 2013.
Publications
- "I Don't Know Too Much About It": On the Security Mindsets of Computer Science Students
M. Tahaei, A. Jenkins, K. Vaniea, M.K. Wolters; In Workshop on Socio-Technical Aspects in SecuriTy (STAST). 2019.
@inproceedings{tahaei2019stast,
author = {Tahaei, Mohammad and Jenkins, Adam and Vaniea, Kami and Wolters, Maria K.},
booktitle = {Workshop on Socio-Technical Aspects in SecuriTy (STAST)},
month = sep,
title = {"I Don't Know Too Much About It": On the Security Mindsets of Computer Science Students},
url = {https://tulipslab.org/papers/On_the_Security_Mindsets_of_Computer_Science_Students.pdf},
year = {2019},
month_numeric = {9}
}
- A Survey on Developer-Centred Security
M. Tahaei, K. Vaniea; In European Workshop on Usable Security (EuroUSEC). 2019.
@inproceedings{tahaei2019survey,
author = {Tahaei, Mohammad and Vaniea, Kami},
booktitle = {European Workshop on Usable Security (EuroUSEC)},
month = jun,
organization = {IEEE},
pages = {129--138},
resources = {https://www.wiki.ed.ac.uk/display/TRG/Usable+Security+and+Privacy+for+Software+Developers},
title = {A Survey on Developer-Centred Security},
url = {https://tulipslab.org/papers/A_Survey_on_Developer_Centred_Security.pdf},
year = {2019},
month_numeric = {6}
}
- Understanding Privacy-Related Questions on Stack Overflow
M. Tahaei, K. Vaniea, N. Saphra; In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. 2020.
@inproceedings{tahaei2020chi,
author = {Tahaei, Mohammad and Vaniea, Kami and Saphra, Naomi},
booktitle = {Proceedings of the SIGCHI Conference on Human Factors in Computing Systems},
month = apr,
organization = {ACM},
title = {Understanding Privacy-Related Questions on Stack Overflow},
url = {https://tulipslab.org/papers/tahaei2020SO.pdf},
year = {2020},
month_numeric = {4}
}
- Security Notifications in Static Analysis Tools: Developers' Attitudes, Comprehension, and Ability to Act on Them
M. Tahaei, K. Vaniea, K. Beznosov, M.K. Wolters; In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems. 2021.
@inproceedings{tahaei2021SAT,
author = {Tahaei, Mohammad and Vaniea, Kami and Beznosov, Konstantin and Wolters, Maria K.},
month = may,
organization = {ACM},
title = {Security Notifications in Static Analysis Tools: Developers' Attitudes, Comprehension, and Ability to Act on Them},
url = {https://tulipslab.org/papers/tahaei2021SAT.pdf},
year = {2021},
pages = {1--17},
doi = {10.1145/3411764.3445616},
booktitle = {Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems},
articleno = {691},
numpages = {17},
keywords = {static analysis tools, software developers, security notifications, usable security},
location = {Yokohama, Japan},
series = {CHI '21},
month_numeric = {5}
}
- Privacy Champions in Software Teams: Understanding Their Motivations, Strategies, and Challenges
M. Tahaei, A. Frik, K. Vaniea; In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems. 2021.
@inproceedings{tahaei2021privchamp,
author = {Tahaei, Mohammad and Frik, Alisa and Vaniea, Kami},
month = may,
organization = {ACM},
title = {Privacy Champions in Software Teams: Understanding Their Motivations, Strategies, and Challenges},
url = {https://tulipslab.org/papers/tahaei2021privchamp.pdf},
year = {2021},
isbn = {9781450380966},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
doi = {10.1145/3411764.3445768},
booktitle = {Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems},
articleno = {693},
numpages = {15},
pages = {1-15},
keywords = {user privacy, software development, privacy champions},
location = {Yokohama, Japan},
series = {CHI '21},
month_numeric = {5}
}
- "Developers are Responsible": What Ad Networks Tell Developers About Privacy
M. Tahaei, K. Vaniea; In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems Late Breaking Work. 2021.
@inproceedings{tahaei2021AdNetworkLBW,
author = {Tahaei, Mohammad and Vaniea, Kami},
booktitle = {Proceedings of the SIGCHI Conference on Human Factors in Computing Systems Late Breaking Work},
month = apr,
title = {``Developers are Responsible'': What Ad Networks Tell Developers About Privacy},
url = {https://tulipslab.org/papers/tahaei2021AdNetworkLBW.pdf},
year = {2021},
pages = {1-11},
articleno = {253},
doi = {10.1145/3411763.3451805},
month_numeric = {4}
}
- Code-Level Dark Patterns: Exploring Ad Networks' Misleading Code Samples with Negative Consequences for Users
M. Tahaei, K. Vaniea; In "What Can CHI Do About Dark Patterns?" Workshop at CHI Conference on Human Factors in Computing Systems (CHI '21). 2021.
@inproceedings{tahaei2021codeLevel,
author = {Tahaei, Mohammad and Vaniea, Kami},
booktitle = {``What Can CHI Do About Dark Patterns?'' Workshop at CHI Conference on Human Factors in Computing Systems (CHI '21)},
month = may,
publisher = {University of Edinburgh},
title = {Code-Level Dark Patterns: Exploring Ad~Networks' Misleading Code Samples with Negative Consequences for Users},
url = {https://tulipslab.org/papers/tahaei2021-darkpatterns.pdf},
year = {2021},
pages = {1--5},
month_numeric = {5}
}
- Deciding on Personalized Ads: Nudging Developers About User Privacy
M. Tahaei, A. Frik, K. Vaniea; In Symposium On Usable Privacy and Security (SOUPS). 2021.
@inproceedings{tahaei2021soups,
author = {Tahaei, Mohammad and Frik, Alisa and Vaniea, Kami},
booktitle = {Symposium On Usable Privacy and Security (SOUPS)},
month = aug,
title = {Deciding on Personalized Ads: Nudging Developers About User Privacy},
url = {https://tulipslab.org/papers/tahaei2021soups.pdf},
year = {2021},
month_numeric = {8}
}
- Understanding Privacy-Related Advice on Stack Overflow
M. Tahaei, T. Li, K. Vaniea; In Proceedings on Privacy Enhancing Technologies. 2022.
@article{tahaei2022pets,
author = {Tahaei, Mohammad and Li, Tianshi and Vaniea, Kami},
doi = {10.2478/popets-2022-0038},
journal = {Proceedings on Privacy Enhancing Technologies},
number = {2},
pages = {114--131},
title = {Understanding Privacy-Related Advice on Stack Overflow},
url = {https://doi.org/10.2478/popets-2022-0038; https://tulipslab.org/papers/tahaei2022pets.pdf},
volume = {2022},
year = {2022}
}
- Recruiting Participants with Programming Skills: A Comparison of Four Crowdsourcing Platforms and a CS Student Mailing List
M. Tahaei, K. Vaniea; In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. 2022.
@inproceedings{tahaei2022chi,
author = {Tahaei, Mohammad and Vaniea, Kami},
booktitle = {Proceedings of the SIGCHI Conference on Human Factors in Computing Systems},
month = may,
organization = {ACM},
title = {Recruiting Participants with Programming Skills: A Comparison of Four Crowdsourcing Platforms and a CS Student Mailing List},
pages = {1-15},
url = {https://tulipslab.org/papers/tahaei2022chi.pdf},
year = {2022},
doi = {10.1145/3491102.3501957},
month_numeric = {5}
}
- Lessons Learned From Recruiting Participants With Programming Skills for Empirical Privacy and Security Studies
M. Tahaei, K. Vaniea; In 1st International Workshop on Recruiting Participants for Empirical Software Engineering (RoPES'22). 2022.
@inproceedings{tahaei2022ropes,
author = {Tahaei, Mohammad and Vaniea, Kami},
booktitle = {1st International Workshop on Recruiting Participants for Empirical Software Engineering (RoPES'22)},
month = may,
title = {Lessons Learned From Recruiting Participants With Programming Skills for Empirical Privacy and Security Studies},
url = {https://tulipslab.org/papers/tahaei2022ropes.pdf},
year = {2022},
pages = {1-3},
month_numeric = {5}
}
- Embedding Privacy Into Design Through Software Developers: Challenges and Solutions
M. Tahaei, K. Vaniea, A. Rashid; In IEEE Security & Privacy. 2023.
@article{tahaei2023sp,
author = {Tahaei, Mohammad and Vaniea, Kami and Rashid, Awais},
journal = {IEEE Security & Privacy},
title = {Embedding Privacy Into Design Through Software Developers: Challenges and Solutions},
year = {2023},
volume = {21},
number = {1},
pages = {49-57},
doi = {10.1109/MSEC.2022.3204364},
url = {https://ieeexplore.ieee.org/document/9904426}
}
People
Funding
Research and projects here are partially funded by the following groups:
- Microsoft Research Studentship Award
Additional Resources
All additional resources for the publications, such as interview scripts, datasets, and presentations, are available on our wiki page.
Related Student Projects
The following projects, completed by interns and by undergraduate and master's students, are related to the project.
Usability Analysis and Improvement of Two Cryptographic Prototyping Frameworks
Ma Qing Gao (2017-2018, Masters Thesis)
Supervisor: Markulf Kohlweiss
Cryptography schemes can be the core solution for ensuring computer security. This project focuses on conducting two usability lab studies to evaluate the usability of two existing cryptographic prototyping frameworks, which are the three existing Python cryptography programming libraries: Charm, Petlib and Bplib. The final outcomes of this thesis were: (1) identifying the weaknesses of, and suggesting improvements to, the documentation and error responses of these libraries; (2) identifying which library's syntax is more acceptable and understandable to cryptographers.
Putting the 'S' in HTTPS: Automatically Fixing Insecure HTTP and Flawed HTTPS Connections in Android
Vesko Stefanov (2017-2018, Undergraduate Thesis)
Supervisor: Kami Vaniea
Cryptographic solutions like HTTPS protect information in transit, but only if they are used correctly by developers. In this project, I develop an early prototype of an Android application which checks all outgoing connections from the device and where possible auto-upgrades them to HTTPS connections. I also test how feasible it is to auto-upgrade HTTP connections in terms of the ability of remote servers to accept the upgraded connections.
Encrypt me if you can: Helping developers add Transport Layer Security to Android applications
Dimple Gulrajani (2016-2017, Undergraduate Thesis)
Supervisor: Kami Vaniea
An alarming number of mobile applications on the Google Play store do not encrypt their communications, leaving them open to man-in-the-middle attacks. This thesis analyzes why this is the case and presents a new tutorial to help developers correctly use TLS.