M. Mannan - Publications

[DBLP] [Google Scholar] [Code/project]

2024

• Racing for TLS Certificate Validation: A Hijacker's Guide to the Android TLS Galaxy. Sajjad Pourali, Xiufen Yu, Lianying Zhao, Mohammad Mannan, and Amr Youssef. USENIX Security Symposium, Aug 14-16, 2024, Philadelphia, PA, USA.
• TEE-Receipt: A TEE-based Non-repudiation Framework for Web Applications. Mahmoud Hofny, Lianying Zhao, Mohammad Mannan, Amr Youssef. EAI International Conference on Security and Privacy in Communication Networks (SecureComm), Oct 28-30, 2024, Dubai, UAE.
• Poster: Detecting Ransomware Attacks by Analyzing Replicated Block Snapshots Using Neural Networks. Seok Min Hong, Beom Heyn Kim, Mohammad Mannan. ACM Conference on Computer and Communications Security (CCS 2024), Oct 14-18, 2024, Salt Lake City, UT, USA.
• LURK-T: Limited Use of Remote Keys with Added Trust in TLS 1.3. (author copy, IEEE Copy). Behnam Shobiri, Sajjad Pourali, Daniel Migault, Ioana Boureanu, Stere Preda, M. Mannan, and A. Youssef. IEEE Transactions on Network Science and Engineering (TNSE) (accepted July 2024).
• "Trust Me Over My Privacy Policy": Privacy Discrepancies in Romantic AI Chatbot Apps. Abdelrahman Ragab, M. Mannan and A. Youssef. Workshop on Socio-Technical Aspects in Security (STAST, co-located with IEEE EuroSP 2024), July 12, 2024, Vienna, Austria.
• WARNE: A Stalkerware Evidence Collection Tool. Philippe Mangeard, Bhaskar Tejaswi, Mohammad Mannan, Amr Youssef. Digital Forensics Research Conference Europe (DFRWS EU 2024), March 19-22, 2024, Zaragoza, Spain.

2023

• On Detecting and Measuring Exploitable JavaScript Functions in Real-World Applications (author copy, Oct 23, 2023, ACM Copy). Maryna Kluban, M. Mannan, A. Youssef. ACM Transactions on Privacy and Security, volume 27, issue 1, Feb. 2024.
• No Place to Hide: Privacy Exposure in Anti-Stalkerware Apps and Support Websites. Philippe Mangeard, Xiufen Yu, M. Mannan and A. Youssef. Nordic Conference on Secure IT Systems (NordSec 2023), November 16-17, 2023, Oslo, Norway.
• Try on, Spied on? Privacy Analysis of Virtual Try-On Websites and Android Apps. Abdelrahman Ragab, M. Mannan and A. Youssef. Workshop on Data Privacy Management (DPM, co-located with ESORICS 2023), September 28, 2023, the Hague, the Netherlands.
• Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case. Supraja Baskaran, Lianying Zhao, Mohammad Mannan, Amr Youssef. Symposium on Research in Attacks, Intrusions and Defenses (RAID 2023), Oct 16 - 18, 2023, Hong Kong.
• Security Weaknesses in IoT Management Platforms (IEEE copy). Bhaskar Tejaswi, Mohammad Mannan, Amr Youssef. IEEE Internet of Things Journal, volume 11, issue 1, Jan. 2024. List of CVEs.
• All Your Shops Are Belong to Us: Security Weaknesses in E-commerce Platforms. Rohan Pagey, Mohammad Mannan, Amr Youssef. The Web Conference (WWW 2023), Apr 30 - May 4, 2023, Austin, TX, USA. List of CVEs.
• All Your IoT Devices Are Belong to Us: Security Weaknesses in IoT Management Platforms. Bhaskar Tejaswi, Mohammad Mannan, Amr Youssef. ACM Conference on Data and Application Security and Privacy (ACM CODASPY'23), Apr 24-26, 2023, Charlotte, NC, USA.
• "My Privacy for their Security": Employees' Privacy Perspectives and Expectations when using Enterprise Security Software. Jonah Stegman, Patrick J. Trottier, Caroline Hillier, Hassan Khan, Mohammad Mannan. USENIX Security Symposium, Aug 9-11, 2023.

2022

• Leaky Kits: The Increased Risk of Data Exposure from Phishing Kits. Bhaskar Tejaswi, Nayanamana Samarasinghe, Sajjad Pourali, Mohammad Mannan, Amr Youssef. Symposium on Electronic Crime Research (APWG eCrime'22), Nov 30 - Dec 2, 2022, online, presentation video. Best Student Paper Award!
• Hidden in Plain Sight: Exploring Encrypted Channels in Android Apps (ACM CCS version). Sajjad Pourali, Nayanamana Samarasinghe, M. Mannan. ACM Conference on Computer and Communications Security (CCS 2022), Nov 7-11, 2022, Los Angeles, CA, USA.
• [Opinion] "Free" as in Freedom to Protest? (IEEE copy). Fabio Massacci, Antonino Sabetta, Jelena Mirkovic, Toby Murray, Hamed Okhravi, Mohammad Mannan, Anderson Rocha, Eric Bodden, Daniel E. Geer, Jr., IEEE Security and Privacy Magazine, Sept-Oct. 2022, pp. 16-21, vol. 20, issue 5.
• No Salvation from Trackers: Privacy Analysis of Religious Websites and Mobile Apps. Nayanamana Samarasinghe, Pranay Kapoor, M. Mannan and A. Youssef. Workshop on Data Privacy Management (DPM, co-located with ESORICS 2022), September 29, 2022, Copenhagen, Denmark.
• APTHunter: Detecting Advanced Persistent Threats in Early Stages (Author copy, ACM Copy). M. Mahmoud, M. Mannan, and A. Youssef. ACM Digital Threats: Research and Practice (DTRAP), volume 4, issue 1, article no. 11, pp 1-31, March 2023 (accepted August 2022).
• Silver Surfers on the Tech Wave: Privacy Analysis of Android Apps for the Elderly. Pranay Kapoor, Rohan Pagey, Mohammad Mannan, Amr Youssef. EAI International Conference on Security and Privacy in Communication Networks (SecureComm), Oct 17-19, 2022, Online. (See also CVE-2022-30083)
• Not so Immutable: Upgradeability of Smart Contracts on Ethereum. Mehdi Salehi, Jeremy Clark, M. Mannan. arXiv copy (June 1, 2022). Presentation video. Workshop on Trusted Smart Contracts (WTSC), co-located with Financial Cryptography and Data Security 2022, May 6, 2022, Online. Talk "Immutability vs. Upgradeability in Ethereum: Myth vs. Reality" at Blockchain Technology Symposium (BTS 2022), June 7-10, 2022, Online.
• Got Sick and Tracked: Privacy Analysis of Hospital Websites. Xiufen Yu, Nayanamana Samarasinghe, M. Mannan, and A. Youssef. Workshop on Traffic Measurements for Cybersecurity (WTMC 2022), co-located with IEEE European Symposium on Security and Privacy (IEEE EuroS&P 2022), June 6, 2022, Genoa, Italy.
• Blindfold: Keeping Private Keys in PKIs and CDNs out of Sight (author copy, Apr 16, 2022; Elsevier copy; arXiv). Hisham Galal, M. Mannan, A. Youssef. Elsevier Computers & Security, volume 118, July 2022.
• SAUSAGE: Security Analysis of Unix domain Socket usAGE in Android. Mounir Elgharabawy, Blas Kojusner, M. Mannan, Kevin R. B. Butler, Byron Williams, and A. Youssef. IEEE European Symposium on Security and Privacy (IEEE EuroS&P 2022), June 6-10, 2022, Genoa, Italy. Distinguished Paper Award Finalists. Artifact. (See also CVE-2021-25461)
• Et tu, Brute? Privacy Analysis of Government Websites and Mobile Apps. N. Samarasinghe, A. Adhikari, M. Mannan, A. Youssef. The Web Conference (WWW 2022), 25-29 Apr. 2022, Lyon, France. Presentation. Data set
• On Measuring Vulnerable JavaScript Functions in the Wild. M. Kluban, M. Mannan, and A. Youssef. ACM Asia Conference on Computer and Communications Security (ASIACCS 2022), May 30 - June 3, 2022, Nagasaki, Japan. Code/dataset. (See also CVE-2021-44906, CVE-2021-44908, CVE-2021-42581, CVE-2021-43138)

2021

• CDNs' Dark Side: Security Problems in CDN-to-Origin Connections (Author copy, Nov 21, 2021, ACM Copy). B. Shobiri, M. Mannan, and A. Youssef. ACM Digital Threats: Research and Practice (DTRAP), volume 4, issue 1, March 2023 (accepted November 2021).
• Horus: A Security Assessment Framework for Android Crypto Wallets. Md Shahab Uddin, Mohammad Mannan, Amr Youssef. EAI International Conference on Security and Privacy in Communication Networks (SecureComm), Sept 6-9, 2021, Online.
• Red-Black Coins: Dai without liquidations. Presentation video. Mehdi Salehi, Jeremy Clark, M. Mannan. Workshop on Decentralized Finance (DeFi), co-located with Financial Cryptography and Data Security 2021, Mar 5, 2021, Online.
• On securing cloud-hosted cyber-physical systems using trusted execution environments. Amir Mohammad Naseri, Walter Lucia, Mohammad Mannan, Amr Youssef. IEEE International Conference on Autonomous Systems (IEEE ICAS 2021), Aug 11-13, 2021, Montreal, Canada.
• Parental controls - Safer Internet solutions or new pitfalls? (IEEE copy) S. Ali, M. Elgharabawy, Q. Duchaussoy, M. Mannan, and A. Youssef. IEEE Security & Privacy Magazine, accepted for SPSI: ACSAC Nov/Dec 2021. (Euro S&P 2021 poster and FTC PrivacyCon 2021 presentation)
• [Patent] Protection system and method against unauthorized data alteration. L. Zhao, M. Mannan. US Patent (Apr 13, 2021).
• [Opinion] Perspectives on the SolarWinds Incident (IEEE copy). Sean Peisert, Bruce Schneier, Hamed Okhravi, Fabio Massacci, Terry Benzel, Carl Landwehr, Mohammad Mannan, Jelena Mirkovic, Atul Prakash, James Bret Michael. IEEE Security and Privacy Magazine, Mar-Apr. 2021, pp. 7-13, vol. 19, issue 2.

2020

• Betrayed by the Guardian: Security and Privacy Risks of Parental Control Solutions. Presentation video. S. Ali, M. Elgharabawy, Q. Duchaussoy, M. Mannan, and A. Youssef. Annual Computer Security Applications Conference (ACSAC 2020), Dec 7-11, 2020, Online. Distinguished Paper Award!
  • Selected press (CBC, CTV, ACM Technews, La Presse)
• Reboot-Oriented IoT: Life Cycle Management in Trusted Execution Environment for Disposable IoT devices. Kuniyasu Suzaki, Akira Tsukamoto, Andy Green, M. Mannan. Annual Computer Security Applications Conference (ACSAC 2020), Dec 7-11, 2020, Online.
• On Cloaking Behaviors of Malicious Websites. (Author copy, Nov 28, 2020; Elsevier copy.) N. Samarasinghe and M. Mannan. Elsevier Computers & Security, volume 101, Feb 2021.
• LURK: Server-Controlled TLS Delegation. Ioana Boureanu, Daniel Migault, Stere Preda, Hyame Assem Alamedine, Sanjay Mishra, Frederic Fieau, and M. Mannan. IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom 2020), Dec 29, 2020 - Jan 1, 2021, Guangzhou, China. Extended version (Oct 29, 2020).
• Chaperone: Real-time Locking and Loss Prevention for Smartphones. (Usenix page) Jiayi Chen, Urs Hengartner, Hassan Khan, Mohammad Mannan. USENIX Security Symposium, Aug 12-14, 2020.
  • Selected press: U. Waterloo, Kitchener Today, Waterloo Chronicle, The Record
• ByPass: Reconsidering the Usability of Password Managers. Elizabeth Stobert, Tina Safaie, Heather Molyneaux, Mohammad Mannan, Amr Youssef. EAI International Conference on Security and Privacy in Communication Networks (SecureComm), Oct 21-23, 2020.
• Securing Applications against Side-Channel Attacks through Resource Access Veto. (Author copy, Sept 12, 2020; ACM Copy). T. Osman, M. Mannan, U. Hengartner and A. Youssef. ACM Digital Threats: Research and Practice (DTRAP), volume 1, number 4 (29 pages), December 2020.
• [Guest Editors' Introduction] Confronting the Limitations of Hardware-Assisted Security (IEEE copy). M. Mannan and N. Asokan. IEEE Security and Privacy Magazine, Sept-Oct. 2020, pp. 6-7, vol. 18.

2019

• AppVeto: Mobile Application Self-Defense through Resource Access Veto. T. Osman, M. Mannan, U. Hengartner and A. Youssef. Annual Computer Security Applications Conference (ACSAC 2019), Dec 9-13, 2019, San Juan, Puerto Rico.
• On Privacy Risks of Public WiFi Captive Portals. S. Ali, T. Osman, M. Mannan and A. Youssef. Workshop on Data Privacy Management (DPM, co-located with ESORICS 2019), September 26-27, 2019, Luxembourg. arXiv version: July 3, 2019.
  • Selected press (CBC, CTV, Montreal Gazette, CJAD)
• The Sorry State of TLS Security in Enterprise Interception Appliances. (Author copy, July 11, 2019; ACM Copy). L. Waked, M. Mannan, A. Youssef. ACM Digital Threats: Research and Practice (DTRAP), volume 1, number 2 (26 pages), May 2020.
• Towards a Global Perspective on Web Tracking. (Author copy, July 30, 2019; Elsevier copy.) N. Samarasinghe and M. Mannan. Elsevier Computers & Security, volume 87, Nov. 2019.
• On the Null Relationship between Personality Types and Passwords. Amit Maraj, Miguel Vargas Martin, Matthew Shane and M. Mannan. Conference on Privacy, Security and Trust (PST 2019), August 26-28, 2019. Fredericton, NB,Canada.
• [Techreport] Privacy and Security Risks of "Not-a-Virus" Bundled Adware: The Wajam Case. X. de Carnavalet and M. Mannan. arXiv:1905.05224 (version: May 17, 2019).
  • Selected press (The Register, Le Figaro)
• DeviceVeil: Robust Authentication for Individual USB Devices Using Physical Unclonable Functions. Kuniyasu Suzaki, Yohei Hori, Kazukuni Kobara, M. Mannan. IEEE/IFIP Dependable Systems and Networks (DSN 2019), June 24-27, 2019. Portland, Oregon, USA.
• TEE-aided Write Protection Against Privileged Data Tampering. L. Zhao, M. Mannan. Network and Distributed System Security Symposium (NDSS 2019), Feb. 24-27, 2019, San Diego, CA, USA.
  • Selected press (Montreal Gazette, La Presse, CTV, CBC, The Suburban)
• [Patent] Password triggered trusted encrytpion key deletion. L. Zhao, M. Mannan. US Patent (Dec 24, 2019).
• One-Time Programs Made Practical. L. Zhao, J. Choi, D. Demirag, K. Butler, M. Mannan, E. Ayday, J. Clark. Financial Cryptography and Data Security (FC 2019), Feb. 18-22, 2019, St. Kitts.

2018

• Playing With Danger: A Taxonomy and Evaluation of Threats to Smart Toys. S. Shasha, M. Mahmoud, M. Mannan, A. Youssef. IEEE Internet of Things Journal, 6(2): 2986-3002 (April 2019). arXiv version: Oct. 25, 2018.
• [Techreport] The Sorry State of TLS Security in Enterprise Interception Appliances. L. Waked, M. Mannan, A. Youssef. arXiv:1809.08729 (version: Sept. 24, 2018).
  • Selected press (Slashdot, ZDNet, The Register)
• Another Look at TLS Ecosystems in Networked Devices vs. Web Servers. (Author copy, Sept. 30, 2018; Elsevier copy.) N. Samarasinghe and M. Mannan. Elsevier Computers & Security, volume 80, Jan. 2019.
• Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials. A. Kurnikov, A. Paverd, M. Mannan, N. Asokan. Workshop on Security, Privacy, and Identity Management in the Cloud (SECPID at ARES EU Projects Symposium 2018), Aug. 27-30, 2018, Hamburg, Germany. arXiv version: June 2, 2018.
• On Understanding Permission Usage Contextuality in Android Apps. (Short paper, Version: May 31, 2018, © Springer/LNCS). Md Zakir Hossen and M. Mannan. IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2018), July 16-18, 2018, Bergamo, Italy.
• To Intercept or not to Intercept: Analyzing TLS Interception in Network Appliances. (© ACM). L. Waked, M. Mannan, A. Youssef. ACM Asia Conference on Computer and Communications Security (ASIACCS 2018), June 4-8, Songdo, Incheon, Korea.
• SafeKeeper: Protecting Web Passwords using Trusted Execution Environments. K. Krawiecka, A. Kurnikov, A. Paverd, M. Mannan, N. Asokan. The Web Conference (WWW 2018), 23-27 Apr. 2018, Lyon, France. (WWW Poster, arXiv version: Apr. 23, 2018).
• Using SafeKeeper to Protect Web Passwords. A. Kurnikov, K. Krawiecka, A. Paverd, M. Mannan, N. Asokan. The Web Conference Companion (WWW 2018 Companion), 23-27 Apr. 2018, Lyon, France.
  • Featured at The Morning Paper (May 22, 2018)

2017

• Towards a Comprehensive Analytical Framework for Smart Toy Privacy Practices. (Version: Nov. 29, 2017, © ACM). M. Mahmoud, Md Zakir Hossen, H. Barakat, M. Mannan and A. Youssef. Socio-Technical Aspects in Security and Trust (STAST, workshop at ACSAC 2017), Dec. 5, 2017, Orlando, FL, USA (Best Paper Award).
• [Techreport] Protecting Web Passwords from Rogue Servers using Trusted Execution Environments. K. Krawiecka, A. Kurnikov, A. Paverd, M. Mannan, N. Asokan. arXiv:1709.01261 (version: Sept. 5, 2017).
• Short Paper: TLS Ecosystems in Networked Devices vs. Web Servers. (© Springer) Extended version: Mar. 17, 2017. N. Samarasinghe and M. Mannan. Financial Cryptography and Data Security 2017 (FC'17), Apr. 3-7, 2017, Malta.

2016

• Hypnoguard: Protecting Secrets across Sleep-wake Cycles. (© ACM) Extended version: Aug. 11, 2016. L. Zhao and M. Mannan. ACM Conference on Computer and Communications Security (CCS 2016), Oct. 24-28, 2016, Vienna, Austria.
  • Selected press (Daily Dot, Gizmodo, PC Magazine, CNN-News18, The Statesman)
• Deceptive Deletion Triggers under Coercion (Author version: July 28, 2016). DOI: 10.1109/TIFS.2016.2598523. L. Zhao and M. Mannan. IEEE Transactions on Information Forensics and Security (TIFS), 11(12): 2763-2776 (December 2016).
• Killed by Proxy: Analyzing Client-end TLS Interception Software. X. de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS 2016), Feb. 21-24, 2016, San Diego, CA, USA.
  • Selected press (BBC, Daily Mail, The Register, La Presse, Daily Express)
• An Evaluation of Recent Secure Deduplication Proposals. (Pre-print version: Oct. 19, 2015, © Elsevier) DOI: 10.1016/j.jisa.2015.08.001. V. Rabotka and M. Mannan. Elsevier Journal of Information Security and Applications (JISA), Special Issue on "Security and Privacy in Cloud Computing", volumes 27-28, pages 3-18 (April-May 2016).

2015

• Peace vs. Privacy: Leveraging Conflicting Jurisdictions for Email Security (Post-proceedings version: Nov. 3, 2015, © ACM). M. Mannan, A. Shahkar, A. Saberi Pirouz and V. Rabotka. New Security Paradigms Workshop 2015 (NSPW'15), Twente, The Netherlands, Sept. 8-11, 2015.
• A Large-Scale Evaluation of High-Impact Password Strength Meters. (Pre-print version: Feb. 27, 2015, © ACM) ACM Author-Izer Copy. X. de Carnavalet and M. Mannan. ACM Transactions on Information and System Security (TISSEC), 18(1): 1-32 (May 2015).
  • Project website
  • Selected press (Slashdot, NetworkWorld, PCMag, CTVMontreal)
• Gracewipe: Secure and Verifiable Deletion under Coercion. L. Zhao and M. Mannan. Network and Distributed System Security Symposium (NDSS 2015), Feb. 8-11, 2015, San Diego, CA, USA.

2014

• Challenges and Implications of Verifiable Builds for Security-Critical Open-Source Software. X. de Carnavalet and M. Mannan. Annual Computer Security Applications Conference (ACSAC'14), Dec. 8-12, 2014, New Orleans, Louisiana, USA.
  • Extended version.
  • Media coverage (on an earlier version): Slashdot (Oct 24, 2013) TheRegister.co.uk (Nov 6, 2013), TheRegister.co.uk (Nov 18, 2013), Threatpost.com (Apr 16, 2014).
• From Very Weak to Very Strong: Analyzing Password-Strength Meters. X. de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS 2014), Feb. 23-26, 2014, San Diego, CA, USA.
  • Project website
  • Password checker tool
  • Extended version (Jan. 6, 2013)
• Mobiflage: Deniable Storage Encryption for Mobile Devices. (Pre-print version: Dec. 2, 2013, © IEEE). DOI: 10.1109/TDSC.2013.56. A. Skillen, M. Mannan. IEEE Transactions on Dependable and Secure Computing (TDSC), Special Issue on "Security and Privacy in Mobile Platforms", 11(3):224-237 (May/June), 2014.
• Detection of Malicious Payload Distribution Channels in DNS . (Version: February 12, 2014, © IEEE). A. Mert Kara, H. Binsalleeh, M. Mannan, A. Youssef, M. Debbabi. Communications and Information Systems Security Symposium (CISS), IEEE International Conference on Communications 2014 (ICC'14), Sydney, Australia, June 10-14, 2014.
• [Techreport] FriendlyMail: Confidential and Verified Emails among Friends. (Version: March 20, 2014). A. Saberi Pirouz, V. Rabotka, M. Mannan. Spectrum, Concordia University.

2013

• Explicit Authentication Response Considered Harmful. (Post-proceedings version: October 26, 2013). L. Zhao, M. Mannan. New Security Paradigms Workshop 2013 (NSPW'13), Banff, Canada, Sept. 9-12, 2013.
• On Implementing Deniable Storage Encryption for Mobile Devices. (Version: December 3, 2012). A. Skillen and M. Mannan. Network and Distributed System Security Symposium (NDSS 2013), Feb. 24-27, 2013, San Diego, CA, USA.
• [Techreport] Myphrase: Passwords from your Own Words. (Version: January 25, 2013). A. Skillen, M. Mannan. Spectrum, Concordia University.

2012

• Lightweight Client-side Methods for Detecting Email Forgery. (Version: July 23, 2012 © Springer). E. Lin, J. Aycock, and M. Mannan. Workshop on Information Security Applications (WISA2012), Aug. 16-18, 2012, Jeju Island, South Korea, LNCS Volume 7690, pp 254-269.
• Passwords for Both Mobile and Desktop Computers: ObPwd for Firefox and Android. (Author copy, version: July 12, 2012). M. Mannan, P.C. van Oorschot. USENIX ;login: 37(4): 28-37 (Aug. 2012). Magazine version: main article, appendix.
• Revisiting Defenses Against Large-Scale Online Password Guessing Attacks. (Pre-print version: Nov. 1, 2011, © IEEE). DOI: 10.1109/TDSC.2011.24. M. Alsaleh, M. Mannan, P.C. van Oorschot. IEEE Transactions on Dependable and Secure Computing (TDSC), 9(1): 128-141 (Jan/Feb 2012).

2011

• Unicorn: Two-Factor Attestation for Data Security. (Version: Aug. 11, 2011 © ACM). M. Mannan, B.H. Kim, A. Ganjali, D. Lie. ACM Conference on Computer and Communications Security (CCS 2011), Oct. 17-21, 2011, Chicago, IL, USA.
  • Seminar (David Lie): University of Texas, Austin, USA, Feb. 2, 2012 (Featured by The Daily Texan)
  • Workshop (David Lie): EaGL-SysNet, University at Buffalo, NY, USA, August 20, 2011
  • Seminar: TechnoTalks, Vanier College, Montreal, Canada, Sept. 21, 2011
• User Study, Analysis, and Usable Security of Passwords Based on Digital Objects (Author version: Feb. 11, 2011). DOI: 10.1109/TIFS.2011.2116781. R. Biddle, M. Mannan, P.C. van Oorschot, T. Whalen. IEEE Transactions on Information Forensics and Security (TIFS), 6(3): 970-979 (Sept. 2011). Extended version in Technical Report TR-10-02, (version Feb. 16, 2010), School of Computer Science, Carleton University.
• Mercury: Recovering Forgotten Passwords Using Personal Devices. (Pre-proceedings version: Dec. 17, 2010). Slides (pdf). Android prototype and server code. M. Mannan, D. Barrera, C. Brown, D. Lie, P.C. van Oorschot. Financial Cryptography and Data Security 2011 (FC'11), St. Lucia, Feb. 28 - Mar. 4 2011.
• Leveraging Personal Devices for Stronger Password Authentication from Untrusted Computers (Author version: August 12, 2010). DOI: 10.3233/JCS-2010-0412. M. Mannan, P.C. van Oorschot. Journal of Computer Security, 19(4): 703-750 (2011). Extends the FC'07 paper (see below).

2009

• Reducing Threats from Flawed Security APIs: The Banking PIN Case. (Authors' copy, version: March 31, 2009, © Elsevier). M. Mannan, P.C. van Oorschot. Elsevier Computers & Security, volume 28, issue 6, Sept. 2009. Extends the FC'08 short paper (see below).
• Authentication and Securing Personal Information in an Untrusted Internet. M. Mannan. Ph.D. thesis, Carleton University, April 2009.

2008

• Localization of Credential Information to Address Increasingly Inevitable Data Breaches. (Version Nov. 1, 2008, © ACM). Slides (pdf). M. Mannan, P.C. van Oorschot. New Security Paradigms Workshop 2008 (NSPW'08), Lake Tahoe, California, USA, Sept. 22-25, 2008. Tech Report (Version: July 18, 2008).
• Digital Objects as Passwords. (Version: July 14, 2008, © USENIX). Slides (pdf). Prototype download. M. Mannan, P.C. van Oorschot. USENIX Hot Topics in Security 2008 (HotSec'08), San Jose, California, USA, July 29, 2008.
  • Selected press
• Privacy-Enhanced Sharing of Personal Content on the Web. (Version: Feb. 24, 2008 © IW3C2). Slides (pdf). M. Mannan, P.C. van Oorschot. World Wide Web conference (WWW2008), April 21-25, 2008, Beijing, China.
• Weighing Down ``The Unbearable Lightness of PIN Cracking.'' (Short paper, post-proceedings version: March 10, 2008, © IFCA). M. Mannan, P.C. van Oorschot. Financial Cryptography and Data Security 2008 (FC'08), Jan. 28-31, 2008, Cozumel, Mexico.
  • Tech Report (Extended version: April 29, 2008)
  • Presentation slides (pdf) from Analysis of Security API workshop (ASA-2, co-located with CSF 2008)

2007

• Security and Usability: The Gap in Real-World Online Banking. (Post-proceedings version: October 19, 2007). Slides (pdf). M. Mannan, P.C. van Oorschot. New Security Paradigms Workshop 2007 (NSPW'07), New Hampshire, USA, Sept. 18-21 2007.
  • Selected press
• Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer. (Post-proceedings version: March 30, 2007, © IFCA). Slides (pdf). AVISPA test code. M. Mannan, P.C. van Oorschot. Financial Cryptography and Data Security 2007 (FC'07), Lowlands, Scarborough, Trinidad and Tobago, Feb. 12-15 2007. Tech Report (Extended version: March 30, 2007).

2006

• A Protocol for Secure Public Instant Messaging. (Version: March 30, 2006, © IFCA). Slides (pdf). AVISPA test code. M. Mannan, P.C. van Oorschot. Financial Cryptography and Data Security 2006 (FC'06), Feb. 27 - Mar. 2, 2006, Anguilla, British West Indies. Proceedings: Springer LNCS 4107. The extended version of this paper is available as a Tech Report.

2005

• On Instant Messaging Worms, Analysis and Countermeasures. Slides (pdf). M. Mannan, P.C. van Oorschot. Third Workshop on Rapid Malcode (WORM 2005), Fairfax, VA, USA, November 11, 2005. © ACM.
• Secure Public Instant Messaging. M. Mannan, Master's thesis, Carleton University, August 2005.

2004

• Secure Public Instant Messaging: A Survey. M. Mannan, P.C. van Oorschot. Second Annual Conference on Privacy, Security and Trust (PST), Fredericton, NB, pp 69-77, October 13-15, 2004. Slides (ppt).