SBA Research is a research center for Information Security funded partly by the national initiative for COMET Competence Centers for Excellent Technologies. Within a network of more than 70 companies, 15 Austrian and international universities and research institutions, and many additional international research partners we jointly work on research challenges ranging from organizational to technical security to strengthen Europe’s Cybersecurity capabilities.
ISIS @ TU Wien IAIK @ TU Graz DKE @ Uni Wien NM @ WU Wien FH St. Pölten AIT

SBA Research moved to a new location!

Our new address: Floragasse 7, 1040 Vienna, Austria Effective since: June 25, 2019 More at:


OCG Arbeitskreis IT-Sicherheit: Young Researchers Day

Heute findet der 1st Young Researcher’s Day statt, der im Rahmen des OCG-Arbeitskreises IT-Sicherheit von uns mitgestaltet wird.

Guest Talk: Dominik Malcik

Dominik Malcik presents his research activities at Brno University of Technology.

Feb. 21st 2pm. @ SBA-Research

Guest Talk: Darren Carlson – Dynamix: A Community-centric, Plug-and-Play Context Framework

Dynamix: A Community-centric, Plug-and-Play Context Framework

Mobile users increasingly expect software applications to adapt fluidly across a broad range of everyday situations, environments and hardware platforms. Although contextual information is widely recognized as an essential foundation of self-adapting software, existing context modeling and management techniques presuppose significant domain expertise in the areas of mobile, distributed and ubiquitous computing. As a consequence, mobile developers transitioning from enterprise and desktop scenarios face significant (and often prohibitive) complexity when creating context-aware applications. To mitigate this complexity, we are developing Dynamix, a community-centric, plug-and-play context framework. Dynamix simplifies mobile application development through an extensible, OSGi-based framework that runs as a background service on a user’s Android-based device, modeling context information from the environment using the device itself as a sensing, processing and communications platform. Context modeling is performed by a tailored set of plug-ins, which are dynamically provisioned to the device over-the-air during runtime. Dynamix mediates the flow of context events (from plug-ins to applications) using a configurable Context Firewall, which enables users to precisely manage the privacy risk level of the contextual information available to each application. To foster the emergence of a vibrant open-source developer community, Dynamix defines an open plug-in model and open Web-based repository architecture, which enable external domain experts to create and share context plug-ins with the mobile developer community. This talk presents an overview of the Dynamix architecture (including our preliminary mobile security model), describes our prototype implementation and presents initial results.

Vienna ACM SIGSAC Chapter

The Vienna ACM SIGSAC Chapter has been chartered by ACM’s Chief Operating Officer on February 13, 2012. SBA Research is strongly involved in this chapter.


Manuel Leithner: Book Review “Coding for Penetration Testers by Jason Andress and Ryan Linn”

” (Without meaning to advocate over-reliance on it, penetration tests usually require a certain suite of tools. While standard utilities such as nmap, dirbuster and sqlmap tend to meet the needs of testers in most situations, some tricky assessments call for custom development or at least a skilled combination of tools. This is where Coding for Penetration Testers by Jason Andress and Ryan Linn comes in continue…)” (Computers & Security 31 (2012), p. 252)


1st Young Researcher’s Day – 01.03.2012

Ingrid Schaumüller-Bichl and Edgar Weippl cordially invite to the 1st Young Researcher’s Day which will take place during the OCG working group „IT security“ on 01/03/2012.

The basic idea behind this event is the desire that every Austrian institution that offers a security course or teaching focus, provides their best students with the opportunity to present their own work in order to further a “youth network”. Details about the program can be found here: 1st Young Researcher’s Day

The Young Researcher’s Day takes place on the premises of the OCG (Dampfschiffstraße 4, 1030 Vienna).

We ask you to register until 27/02/2012: Yvonne Poul (

ARES 2011 Special Issue: Journal of Wireless Mobile Networks,…

Journal of Wireless Mobile Networks, Ubiquitous computing, and Dependable Applications. ARES 2011 Special Issue
Volume 2, Number 4 (December, 2011), Advances in Applied Security.

Media coverage of our NDSS paper

futurezone, & have a story about our work.

Gravierende Schwachstellen in Kurznachrichtendiensten für Smartphones gefunden

Smartphone-Applikationen zum Versenden von kostenlosen Kurznachrichten erfreuen sich auch in Österreich zunehmender Beliebtheit, allen voran WhatsApp, das auf bereits mehr als 180 000 Smartphones in Österreich installiert ist. Die einfache Konfiguration – das Anlegen eines Benutzerkontos ist nicht erforderlich – trägt einerseits zu dieser rasanten Verbreitung bei, andererseits sorgt dieses Konzept auch für gravierende Schwachstellen wie aktuelle Forschungsarbeitendes Wiener IT-Sicherheitskompetenzzentrums SBA Research zeigt.

Von neun getesteten Applikationen für iPhone und Android konnte keine einzige restlos überzeugen und die teils gravierenden Sicherheitslücken, welche die Privatsphäre der Nutzer gefährden, überraschten selbst die Sicherheitsforscher von SBA Research. So konnten etwa Benutzerkonten mühelos übernommen werden und in weiterer Folge Nachrichten dieser Nutzer empfangen und gesendet werden. Auch gelang es den Forschern, die Status-Nachrichten aller WhatsApp-Nutzer von ganz Österreich auszulesen und sogar zu verändern. Sicherheitsspezialist Peter Kieseberg erklärt: “Nutzern ist nicht klar, dass diese Systeme ein viel niedrigeres Sicherheitsniveau haben als Dienste, die direkt vom Netzbetreiber zur Verfügung gestellt werden – wie etwa SMS. Sie geben durch die Nutzung dieser neuen Kurznachrichtendienste sensitive Informationen unbewusst der Öffentlichkeit preis. Wer würde annehmen, dass ein Statustext den eigentlich nur die eigenen Kontakte sehen können, durch einen einfachen Trick von jedermann abgerufen werden kann?”.

Der Hersteller von WhatsApp konnte bereits einige der Sicherheitslücken schließen, andere Schwachstellen existieren jedoch nach wie vor. Die Ergebnisse der Sicherheitsanalyse werden Anfang Februar auf der renommierten IT-Sicherheitskonferenz NDSS in San Diego, USA präsentiert.

SBA Research
Peter Kieseberg (, +43 660 3126291)

SBA Research ist ein Forschungsinstitut für Informationssicherheit mit Sitz in Wien. Die Tätigkeit von SBA Research konzentriert sich auf organisatorische und technische Aspekte der Informationssicherheit. Schwerpunkte sind Governance, Risk and Compliance, Datenschutz und Schutz der Privatsphäre, Sicherheit in der Softwareentwicklung und Hardware- und Netzwerksicherheit. SBA Research beschäftigt mehr als 80 Mitarbeiter.

Paper “Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications”

We will present a paper on smartphone message application security at NDSS 2012.

You can find a preprint of the paper here: Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.

From the abstract: In recent months a new generation of mobile messaging and VoIP applications for smartphones was introduced. These services offer free calls and text messages to other subscribers, providing an Internet-based alternative to the traditional communication methods managed by cellular network carriers such as SMS, MMS and voice calls. While user numbers are estimated in the millions, very little attention has so far been paid to the security measures (or lack thereof) implemented by these providers.
In this paper we analyze nine popular mobile messaging and VoIP applications and evaluate their security models with a focus on authentication mechanisms. We find that a majority of the examined applications use the user’s phone number as a unique token to identify accounts, which further encumbers the implementation of security barriers. Finally, experimental results show that major security flaws exist in most of the tested applications, allowing attackers to hijack accounts, spoof sender-IDs or enumerate subscribers.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.