In today's business landscape, software has become an integral part of operations for all companies, with a growing reliance on third-party components. This increasing complexity in software supply chains has led to a significant reduction in transparency and visibility, posing challenges for effective management and security. Software Bill of Materials (SBOMs) emerges as a promising concept to address this issue by providing detailed information about software components and their supply chain relationships, ultimately enhancing transparency within these supply chains. However, despite its potential benefits, SBOM adoption remains limited in practice. This research examines the perspectives of four key business stakeholders involved in the software supply chain to understand their incentives and disincentives surrounding SBOM adoption. Through a series of in-depth interviews with representatives from each stakeholder group, we aimed to identify stakeholder-specific risks, benefits, concerns, and incentives related to SBOM adoption. The analysis reveals that SBOM adoption potential is notably higher among system integrators and software vendors. These stakeholders perceive the benefits of enhanced transparency and supply chain risk mitigation, which align with their strategic objectives. On the contrary, B2B customers and Individual Developers exhibit the least motivation for SBOM adoption. Their limited interest stems from a perception that SBOMs may impose additional complexities without commensurate benefits. Given that B2B customers and individual developers are the primary consumers and suppliers of SBOMs, respectively, the findings suggest that the overall adoption potential of this technology remains restricted.

In 2019 a quantum computer performed a highly complex operation in 4 minutes, which would have taken the most powerful supercomputers of today around 10,000 years. Performing calculations unimaginably faster than is currently possible may bring great opportunities, but may implicate a threat to digital communications. Digital communication is kept secure through cryptography, which uses mathematical problems to protect sensitive information and communication from malicious acts of cybercrime. Cryptography is widely adopted across the cyberspace. The world’s fastest classical computers of today are unable to break cryptography’s underlying mathematical schemes, ensuring confidentiality and integrity of everyone’s data. However, it is predicted that future quantum computers could theoretically break current cryptography in just a few hours. The moment that a powerful enough quantum computer exists (called Y2Q) thus implicates that cryptography systems will become unusable as digital services are no longer secure. This could have catastrophic consequences for society’s critical digital infrastructures, such as those provided by Dutch banks. This problem is very relevant for banks, because of the sector’s abundance of sensitive data and information streams that rely on cryptography, as well as their critical role in society’s functionality (facilitating payments). Because of the serious disruptions in critical financial infrastructures that the quantum threat could ignite, decision-makers within banks will be needing governing tools to mitigate risks. Adopting new quantum-resistant cryptographic algorithms, known as post-quantum-cryptography (PQC) is absolutely critical in facilitating safety and security from the quantum threat. However, there is currently little or no governance, or guidance, for the management of this transition towards PQC and guidance is urgently needed. The formulation of these guidance-measures is one of the main challenges regarding the transition towards security in the quantum-era. Therefore, this research focusses on ensuring the Dutch banking sector’s safety and security of its digital infrastructures, from the cryptography-related cyber threats posed by quantum computing technology – from not merely a technological perspective, but with a holistic approach, considering the involved socio-technical challenges. In order to provide guidance to decision-makers from Dutch banks, this thesis aims to answer the following research question: How can the Dutch banking sector ensure the safety and security of its digital infrastructures, from the cryptography-related cyber threats posed by quantum computing technology? In order to answer the main research question, the Technology Roadmap (TRM) framework will be used. This framework provides the vital link between a first idea phase (i.e., banks’ digital infrastructures face a threat from quantum computing technologies) and the concrete implementation phase (i.e., how do we ensure protection from this threat?). The TRM is a diagram which consists of features, services, systems, resources, and drivers in relation with one another, that together facilitate an overview of what is required for the banks to become quantum-safe. Constructing this roadmap required three main methods: (1) Exploratory research to identify in which parts of the banks’ processes and operations the vulnerabilities to the quantum threat are the highest. This included describing key concepts within cryptography, PQC-developments, and banking services, as well as stakeholder- and dependency-mapping of the Dutch banking environment. (2) Semi-structured interviews with security architects, payment security specialists, and cryptography specialists from Dutch banks. Herein the perceptions of the Dutch banks on the impact, challenges, resources, capabilities, preparedness, and governance were obtained. (3) TRM development based on thematic analysis of qualitative data derived from semi-structured interviews in which the perceptions were translated into elements fit for the TRM. Lastly, the TRM was validated and revised by presenting it to experts and asking for critique, which enabled the final TRM to be developed. after which conclusions and recommendations could be drawn up. The core banking services were analyzed in terms of the role that cryptography plays to ensure the security of these services, which helped to identify in which parts of the banks’ processes and operations the vulnerabilities to the quantum threat are the highest. The exploratory analysis identified the critical processes that entail the certain infrastructures that need to transition towards PQC. These being within the online payment process, the physical card transaction process, and the ATM transaction process. Within these processes the main vulnerabilities lie in: data channels through external public networks and service providers relating to payment gateways, payment processors, local store webservers, online merchant webservers, card association networks and Point-of-Sale (PoS)-terminals. Less vulnerable infrastructures, due to their primary use of symmetric cryptography, are: ATM networks, internal storage and communication infrastructures, inter-bank data exchange, and ATM controllers. Through combining these insights with findings from the thematic analysis of perceptions derived from the semi-structured interviews, the TRM was developed which presented a 3-phase transition plan that aims to ensure the Dutch banking sector safety and security of its digital infrastructures from cryptography-related cyber threats posed by quantum computing technology. Phase 1 of this transition plan entails the development of a response plan for a potential privacy breach and the development of central cryptographic inventory, through management priority, internal alignment, and experimentation with to-be-standardized PQC algorithms. After PQC algorithms have been standardized, Phase 2 involves the adoption of PQC algorithms in online payment networks, requiring banks to draw up a PQC requirement list for vendors and external service providers. With a hardware replacement strategy in place, Phase 3 entails the replacement of all relevant hardware related to payment processes (payment cards, PoS-terminals, and ATM controllers), updating less prioritized software and network infrastructures, and overcoming technical challenges related to PQC algorithms' larger key-sizes. It is important to note that the implementation of PQC is not a one-time event, but rather an ongoing, ever-evolving, and uncertain process. The continuous development of quantum computing technology means that banks must remain vigilant and adaptable to stay ahead of potential threats, and may need to accelerate certain phases within the transition on a relatively short notice. Additionally, the success of this transition relies heavily on organizational awareness, as well as close collaboration between various stakeholders, vendors, service providers, regulators, and other financial service organizations. Based on this conclusion, this research has made several recommendations to the Dutch banking sector: Accomplish management priority. Management priority is crucial for allocating resources to execute the first steps that have to be taken to ensure quantum-safety. Therefore, the banking sector should shift the focus of management toward addressing the quantum threat and transitioning towards post-quantum cryptography (PQC) as a top priority, integrating quantum-readiness into the key strategic goals of the bank by means of organizational awareness. Organizational awareness can be created through workshops, seminars, and events that are aimed at educating management on the business implications of the quantum threat, as well as presenting them with solutions on addressing this threat. Execute initial risk-free actions. Banks can already take certain risk-free actions in preparation for the PQC-transition, which will strengthen the preparedness of the banks. These actions include: - Developing a privacy breach response plan - Developing a centralized cryptographic inventory - Doubling key-lengths for symmetric-key cryptography algorithms - Developing a hardware replacement strategy Extend continuous collaborative research to PQC. Dutch banks should proactively utilize their existing collaborative structures with other vendors, service providers, regulators, and other financial service organizations., to share their experiences and jointly develop strategies for addressing the quantum threat. This will benefit the Dutch financial market as a whole, as sharing experiences with executing the risk-free actions or experimenting with PQC-algorithms is highly relevant for creating a comprehensive understanding of the practical implications and technical challenges associated with becoming quantum-safe.

In order to combat increasing spam calls, many applications are developed and downloaded to block those calls. Some studies about performance of the applications were previously conducted, however, the actual processes the applications go through to intercept and block the spam calls are not well studied. This research presents a method to systematically explore Android APIs that are responsible for intercepting and blocking the spam calls.

The aim of this research is to provide a structured approach for dynamically analysing Android applications, focusing on applications that block or flag suspected spam caller IDs. This paper discusses ways to determine how an application stores the data regarding the phone numbers, and what APIs it utilizes. In order to develop a methodology of what to search for while performing dynamic analysis, the research in this paper focuses on analysing one such Android application, using it as a template. Additionally, it provides insights and limitations on this analysed application, and potential improvements both on the techniques and tools used.

With the ever-increasing digitalisation of society and the explosion of internet-enabled devices with the Internet of Things (IoT), keeping services and devices secure is becoming more important. Logs play a critical role in sustaining system reliability. Manual analysis of logs has become increasingly difficult, accelerating the development of automated methods for log-anomaly detection. Despite significant progress in automating log analysis, current state-of-the-art methods face challenges dealing with unstable log data, which means that the content of log messages evolves over time. We show that LogBERT, a state-of-the-art technique based on Bidirectional Encoder Representations from Transformers (BERT), cannot deal with unstable log data. On the three most prevalent publicly available log datasets, Mathew's Correlation Coefficient (MCC) score (which measures the correlation between a model's output and the correct labels) of LogBERT dropped by 90% after increasing log data instability from 1% to over 80% normal sequences containing logkeys in the test set. Log data instability was increased by only reassigning samples between the train and test set. Furthermore, we show that the high performance of LogBERT reported in the original paper was achieved because the model relied on a simple heuristic that only worked under specific conditions. To address this issue, we propose a novel sequence anomaly detection technique based on BERT: Vocabulary-Free BERT (VoBERT). VoBERT uses a novel pre-training task we designed specifically for anomaly detection: Vocabulary-Free Masked Language Modeling (VF-MLM). We adapted traditional MLM and removed the fixed vocabulary constraint, which allows VF-MLM to classify out-of-vocabulary logkeys correctly. We highlight that VoBERT is more stable than LogBERT and outperforms the latter in certain situations where log data is very unstable. For the public datasets, the MCC score of the specific train-test split used in the LogBERT paper dropped by 90% after reassigning the train-test split, increasing log data instability. In addition to sequence-level anomaly predictions, we evaluated all approaches on element level, providing a more granular performance assessment. To assess the generalisation of the experimental results to real-world scenarios, we conducted a case study evaluating the anomaly detection models on real-world security event data collected at a large bank (50,000+ employees). We found that the simple heuristic did not work for this real-world data, having a negative correlation with the correct results. VoBERT showed performance on par with LogBERT on this real-world security event dataset. We urge future researchers to evaluate their methods on real-world data, as we showed that the commonly used public datasets do not represent real-world scenarios. Furthermore, it is important to assess how difficult it is to detect anomalies in datasets used for evaluation. When a simple heuristic can perform well, such datasets might not be well suited to evaluate a complex anomaly detection model. This thesis is a proof of concept for the novel pre-training task VF-MLM and paves the way for future work to refine this technique further, as well as to develop additional robust and adaptable solutions for log and security event anomaly detection.

Intrusion detection systems (IDSs) are essential for protecting computer systems and networks from malicious attacks. However, IDSs face challenges in dealing with dynamic and imbalanced data, as well as limited label availability. In this thesis, we propose a novel elastic gradient boosting decision tree algorithm, namely Elastic CatBoost Uncertainty (eCBU), that adapts to concept drifts and copes with label scarcity by using a novel sequential uncertainty estimation method. We compare our method with state-of-the-art techniques on synthetic and real-world datasets and show that it achieves comparable accuracy and higher robustness to limited label availability in intrusion detection tasks.

Phishing attacks are a growing cause of cybersecurity incidents such as data breaches. With these attacks, malicious actors try to gain access to systems by exploiting the vulnerability of employees. Particularly, intruders use different tricks to create convincing phishing emails to force people to behave less securely. Unfortunately, technological applications are insufficient in detecting all possible phishing attempts. As the consequences of a successful breach can be disastrous for a company, especially in the banking sector, pressure is put on employees to recognise and report potential phishing emails. To aid them in this task, phishing training is provided by employers. Employees are taught what phishing emails look like and which actions they should take if an email appears malicious. However, the effectiveness of these training sessions is difficult to evaluate. To understand the interaction of employees with phishing emails without influencing their behaviour, we study the emails employees report as suspicious to characterise the security culture at a bank. A better understanding of the behaviour provides grounds for recommendations to improve anti-phishing training and create a safer environment. The newfound metrics can provide an alternative to current methods. This research uses Exploratory Data Analysis (EDA) to evaluate the email reporting behaviour of employees at a bank to answer the Research Question How can email reporting patterns in a large organisation measure the relationship between phishing training, reported emails and employee behaviour? With this case study, we apply EDA to a large dataset containing bank employees' reported emails over 16 months. We analysed the reported emails and related them to the provided phishing training events. Moreover, we did a text analysis of the emails' content using the Term Frequency - Inverse Document Frequency (TF-IDF) method. Additionally, we extract the dominant topics of the emails using topic modelling. Lastly, with the help of interviews, the results are tied to employees' experiences to understand their behaviour. The major findings of the research are, firstly, the new metrics we identified to measure the security culture of a company. These metrics were found from both the analysis of employee behaviour over time, as well as the analysis of the email content. From the analysis of the reporting behaviour over time, new metrics include the unique reporters in relation to the total reported emails over time. Besides the unique reporters, unique reported emails can uncover the presence of campaigns. For example, a single email can explain the increase from 50 to 350 daily benign reports. The difference between the total reports and unique reports uncovered this. Secondly, topic analysis and content comparison show similarities between benign and malicious reported emails, indicating an increased vigilance of employees on these attributes. A second finding originates from the analysis of the email components. One of the components was used in all simulation emails, while it was not present in all the benign and malicious reported emails. This shows that the simulation emails can be extended to include different scenarios. Therefore, we recommend the company to extend the phishing simulation emails to contain varied phishing tactics to expose employees to other types of attacks and incorporate all aspects taught during the E-learning. Lastly, the analysis shows no concrete relation between the number of reported emails and the timing of the simulation wave. Although the reported p-value of benign emails after the simulation is 0.03, this significance can also be explained by external factors. With these results, we can measure employees' security culture and awareness in real-world circumstances without influencing the employees' behaviour, providing a new approach to investigating phishing behaviour. Adding to the research of Steves et al. (2020),, the click rates can be explained by more than solely the employees' awareness levels, and new explanations come forward to handle phishing threats. Moreover, the absence of a required test environment for the analysis created a solution for existing gaps. For example, as seen in (Hillman et al., 2023). A limitation of exploratory data analysis is that results are often ambiguous and mainly provide possible directions for future research. Furthermore, external factors influencing the behaviour could provide alternative reasons for the discussed interactions. To conclude, by using the reported emails to measure security behaviour related to phishing, we found new metrics which do not influence the employees in their daily behaviour while still providing insights to improve the tactics of a company in combating phishing attacks. Reporting behaviour can be used to analyse the current anti-phishing tactics of a company and provide suggestions for improvements. Future research should explore the differences in applying the method in other companies and across sectors. Overlap and differences can create an understanding of the diversity in security culture and the effect of external factors. Combining these results with a comprehensive understanding of a company's operations can expose directions for improvement in the security approach. Additionally, the effect of the recommendations can be analysed using the metrics we proposed. This can be done with a follow-up analysis of the behaviour to see whether the desired effect can be observed.

In the past several years, financial applications of the blockchain technology experienced significant growth, development and adoption among the public and institutional investors. With the rise of stablecoins and major events such as the announcement of Facebook’s own cryptocurency Libra in 2019, the EU regulators felt the urgent need to address the digital currencies that may pose financial and security risks if left unsupervised. In 2020, the European Commission introduced the Markets in Crypto-Assets (MiCA) framework to regulate the crypto-asset issuers and service providers located in the EU or serving EU clients from abroad. One of the regulation’s objectives is to address the risks of the crypto-markets while leveraging its benefits, yet there has been no evaluation of the proposed regulation besides the Commission’s own impact assessment. Thus, this research offers an evaluation of the MiCA framework by adopting World Economic Forum’s DeFi white paper risk framework and interviews with the industry experts to generate both qualitative and quantitative data that is used to construct policy considerations for future amendments. By conducting interviews with 8 legal experts, the study provides insights into the strengths and weaknesses of the MiCA framework, while the interviews with 2 respondents from crypto-asset issuer entities, 6 from crypto-asset service providers entities and 3 from institutional investors entities provided further insights into the perceptions of the industry participants on the EU crypto regulation. Moreover, the study presents the risk perceptions of each respondent groups as during the interview rounds the participants were presented 18 risks of DeFi and were asked to select the most 5 critical risks perceived by them. This information is used to reveal what risks are perceived by each group. Lastly, the study presents a content analysis to assess the extent to which the 18 risks ranked by the interviewees are addressed in the MiCA framework. In summary, the results of the study suggest many points of improvement to the MiCA framework with respect to definitions, scoping, classifications and the regulatory approach. Moreover, the results suggest that the policy makers should focus on the unaddressed risks in the future amendments and policies, most importantly on technical and operational risks that have been left out from the framework.

Generative AI is expected to have a significant impact on how business is done, especially for knowledge-intensive domains. Professional usage amongst knowledge workers is already widespread and many of them believe that LLM use for work will make them more efficient, help them generate ideas, and improve the quality of their work. Yet, the technology comes with numerous potential risks, including job displacement, threats to data privacy, unreliability, cybersecurity risks, and non-compliance with new AI regulation. The decision to adopt LLMs for knowledge work is thus a significant one as organisations must carefully weigh up the benefits and drawbacks that these models present. Using a qualitative research approach, this study was aimed at exploring employee and organisational perceptions on the benefits and risks of LLM adoption within the Dutch financial sector. This study was conducted in partnership with a global Professional Services Firm and used their existing network of people and clients to conduct interviews with experts who act as advisors to top management in the decision-making process of new technology adoption such as LLMs. 18 semi-structured interviews were done to collect qualitative data. The research question to be answered is: - How do employees’ and organisations’ perceived benefits and risks of Large Language Models (LLMs) influence financial organisations’ LLM adoption plans? Exactly half of participants (9/18) said that they use LLMs in their own work while the other half stated that they do not due to a lack of perceived benefits. Microsoft was found to be a significant player in the current adoption of LLMs at Dutch financial institutions with 57% of all LLMs used by participants being owned by the software vendor. The most common LLM use cases were literary and creative in nature and included preparing presentation slides (16%), text generation (12%), email composition (12%), and structuring documents (12%). The targeted capabilities that organisations would like to achieve with their future adoption plans include helping programmers write better code, analysing help desk conversations, assisting employees via LLM chatbots, and analysing emails to predict customer questions. Employees were most excited about the potential efficiency and productivity gains that LLMs offer for their work (19%), how LLM usage could free up more time for focused, interesting, and fun work (11%), repetitive tasks becoming automated by LLM (8%), the new opportunities that LLMs present (8%) such as new business models, and improvements to customer service (5%). General overlap can be seen between the targeted capabilities of future LLMs to be adopted and employee expectations. Instead of restricting LLM usage, it is recommended that organisations find ways to incorporate them into their employee workflows by providing clear policies and guidelines. It was found that this approach will be most beneficial to creative and literary workflows like improving writing/grammar/translation, information search, structuring documents, and text generation. To achieve this integration, organisations should write and implement clear usage policies. This will ensure that the benefits of allowing LLM usage at work are enjoyed while mitigating the most important risks.

The power grid is becoming more intertwined with communication technologies, forming what is known as the smart grid. This integration allows for more efficient management of the power grid, which can help reduce emissions. However, the increasing connectivity with communication technology also expands the attack surface for cybercriminals or cybercriminal organisations. In 2015, a Ukrainian power station was attacked via a cyberattack, leading to an outage that affected almost 1.4 million people. The growing interconnection between the power grid and communication technologies can thus have severe impacts. Therefore, this research introduces an interdependent communication network and power grid to investigate how failures in the communication network affect the power grid's robustness. For generating communication networks, we use Python’s NetworkX package, and for the power grid, we use pandapower’s IEEE 118-bus test system. We analyse the robustness of the smart grid by examining two different communication networks: a mesh network and a double-star network. We simulate attacks on the communication network by initiating failures based on random selection, degree, betweenness, and closeness centrality, with an increasing number of node failures. We also distinguish between two failure behaviours: one that includes communication network failure propagation (e.g., the spread of malware or the failure of dependency nodes within the communication network) and one without this failure propagation behaviour. In general, the smart grid shows higher robustness with a mesh communication network. However, under different failure behaviours, attack strategies, and numbers of nodes attacked, this can vary. Prioritisation should focus on reducing communication network failure propagation, as this significantly impacts the robustness of the smart grid. Even though degree centrality and betweenness centrality have the most impact on double-star networks, for mesh networks, closeness centrality should also be considered, especially in scenarios without network failure propagation.

The power grid is becoming more intertwined with communication technologies, forming what is known as the smart grid. This integration allows for more efficient management of the power grid, which can help reduce emissions. However, the increasing connectivity with communication technology also expands the attack surface for cybercriminals or cybercriminal organisations. In 2015, a Ukrainian power station was attacked via a cyberattack, leading to an outage that affected almost 1.4 million people. The growing interconnection between the power grid and communication technologies can thus have severe impacts. Therefore, this research introduces an interdependent communication network and power grid to investigate how failures in the communication network affect the power grid's robustness. For generating communication networks, we use Python’s NetworkX package, and for the power grid, we use pandapower’s IEEE 118-bus test system. We analyse the robustness of the smart grid by examining two different communication networks: a mesh network and a double-star network. We simulate attacks on the communication network by initiating failures based on random selection, degree, betweenness, and closeness centrality, with an increasing number of node failures. We also distinguish between two failure behaviours: one that includes communication network failure propagation (e.g., the spread of malware or the failure of dependency nodes within the communication network) and one without this failure propagation behaviour. In general, the smart grid shows higher robustness with a mesh communication network. However, under different failure behaviours, attack strategies, and numbers of nodes attacked, this can vary. Prioritisation should focus on reducing communication network failure propagation, as this significantly impacts the robustness of the smart grid. Even though degree centrality and betweenness centrality have the most impact on double-star networks, for mesh networks, closeness centrality should also be considered, especially in scenarios without network failure propagation.

Increasing digitalization of systems bring about the grand challenge of keeping these systems secure from malicious prying eyes, and thus highlighting the need for increased Cybersecurity practices. Ransomware is among the most prevalent cybersecurity threats in our current digital era. The attacks are mainly done by advanced persistent threats (ATPs) to increase the impact done to organizations worldwide. Ransomware encrypt data using advanced cryptographic measures and lock users out of their systems to ask for a ransom that is typically paid through bitcoins. ATPs also exfiltrate sensitive data and utilize double and triple extortion methods where they either blackmail the organization with the public release or selling of their data, or they go to the customers to blackmail them, so they pressure the organization into paying the ransom. Defense against Ransomware is possible but in many cases, by the time, ransomware is detected the malicious actors already have strong access into the systems and data. All is not lost however as organizations can bring back their systems and data if there are backup & recovery policies that have been established prior. This thesis systematically explores the ransomware topic scoped on backups & recovery to identify how ransomware attack backups, what are the best practices for backups & recovery, and the corresponding challenges for organizations to produce policy recommendations. To this end, three methods are used. The methods are: semi-systematic literature review, qualitative content analysis, and semi-structured interviews. A triangulation of these methods over cybersecurity frameworks, expert knowledge and backup software provider reports establish essential insights. The main recommendations made are that organizations must ensure that they regularly must create redundant, airgapped, offline, and offsite backups that are stored in multiple storage media. Furthermore organizations must establish proper cyber hygiene practices in order to protect their backups. Lastly, organizations must ensure that they can test and maintain resilient backup & recovery policies through establishing responsibility and accountability of different stakeholders, streamlining their IT environments, and having a cybersecurity-enabling approach to organizational IT governance. The research is a rigorous and comprehensive overview of the backup & recovery topic against ransomware and is academically relevant as it fills research gaps on: how ransomware attacks target backups & recovery specifically, what the best practices offered by the most credible cybersecurity frameworks are, and why organizations still fail in setting up proper backup & recovery practices. The EPA relevance is characterized through navigating a branch of the grand challenge of cybersecurity, namely ransomware. This is a grand challenge as there are a plethora of stakeholders on an organizational level who have different opinions and views on the topic at hand where organizations are comprised of teams in different countries, subject to different regulations, etc. Therefore it is essential in this complex environment to see what could be made as policy recommendations for organizations of all levels against the treat of ransomware with respect to backup & recovery practices.

Spam calls are a widespread problem as people receive about 14 spam calls per month on average. In response, tens of applications are available in Google’s Play Store that aim to block these calls. While these apps have hundreds of millions of installations, there’s a lack of research into these applications. Research has been done on the user experience of these apps, but the inner workings of the apps have not been explored. Analyzing the inner workings can provide useful insights to combat spam calls more effectively. In this paper, we analyze the elements of the AndroidManifest.xml file of a set of 10 spam call blocking applications to identify aspects that are related to the blocking of spam calls and to find commonalities among the apps. Occurrences of specific elements and their attributes are summarized in this paper. Permissions related to managing phone calls and accessing the internet were found to be common, and services were identified that screen and manage phone calls. 2 apps were found to allow other apps to use their phone number information database, but this analysis did not identify usages by other apps. A complete analysis of all available spam call blocking apps could show the general usage of these and other components.

Applications on Android phones which block spam calls could be argued a necessity for people unfortunate enough to have their number on spam lists. Third-party applications provide exten- sive, up-to-date blocklists to screen incoming calls. This paper analyses and describes how these types of applications store and access their data. First we analyse which applications keep their data offline on disk, then we take a look at applications which use the internet to query an in- coming phone call. We found four applications use a combination of both, two applications using exclusively online resources and four applications using offline resources only.

Spam calls are becoming an increasing problem, with people receiving multiple spam calls per month on average. Multiple Android applications exist that are able to detect spam calls and display a warning or block such calls. Little is known however on how these applications work and what numbers they block. In this research, the following question is investigated: Can we do a brute force dynamic analysis on Android spam call blocking apps, to extract caller ID information from apps that cannot be or is not extracted through static analysis? A tool is created that is capable of doing such a dynamic analysis, by installing such an app on an emulator, sending emulated phone calls to the emulator, and using screenshot comparison techniques to determine whether the call is classified as allowed or blocked by the respective app. The tool developed in this research can, fully automated, test caller IDs on 8 different Android apps. Apart from a number of initial setup steps to install and configure the apps in the emulator, the tool takes about 1.5 seconds on average to analyze 1 caller IDs on one app.