The International Association for the Exchange
of Students for Technical Experience



Ref. No:  UK-2019-200-06
Country: United Kingdom
Company information

Employer: Cardiff University
Address: --
Business or product: Computer Science & Informatics
Official responsible: --
Phone number: --
Fax: --
E-mail: --
Website: http://www.cs.cf.ac.uk
Working place: Cardiff
Nearest internat. airport: Cardiff
Nearest public transport: Cardiff Queen St.
Number of employees: 500
Working hours per week: 40.0
Daily working hours: 8.0

Student required

General discipline: Computer and Information Sciences
Field of study: Computer Programming, Specific Applications
Study level:
Previous training: No
Language required for training:
English excellent
Other requirements:

Work offered

Kind of work:
In the next few months there will be a surge of Augmented Reality apps. As a result, there is a very real security risk to organizations that don’t prepare for the impact that AR will have on their networks and security. For example, an employee might point their device at a printer in the office to receive instructions on how to change the toner or clear a paper jam, or a mechanical engineer might use a tablet to get information on repairing critical equipment in an airplane. It is easy to see the inherent risks. The traffic that enables all this magic to happen crosses the business network, revealing details such as IP addresses, location, type of device, user permissions, and more. If a hacker intercepts that traffic – as they have already been able to with Pokémon GO traffic (a popular game on mobile devices) – it could reveal too much about the user and the network.

The Pokémon GO app – like many other AR apps – uses the device’s location data to deliver the appropriate information to users, according to their surroundings. It isn’t difficult to imagine a hacker combining that location data with other personal information (let’s not forget that the original Pokémon GO user agreement allowed Niantic to access user information including Google profiles, histories and past searches) to build up detailed, targeted pictures of users’ behaviour. That sort of data is valuable to a criminal. Also, communication between the Pokémon GO app and its servers is done via HTTPS, but early versions of the app did not support certificate pinning, making it easy to perform man-in-the-middle exploits to intercept data.

As such, it’s easy to see the types of user-specific data that AR apps reveal as part of their normal functions – and the possibilities this presents to hackers for snooping and data manipulation if the application’s security has any vulnerabilities. Other threats such as sniffing, data manipulation and man-in-the-middle attacks can make the content unreliable even if the source is authentic. AR lacks a uniform security standard. AR Markup Language (ARML) doesn’t have comprehensive security controls, and those it has are not followed universally. Additionally, AR portals depend on web browsers, but these browsers do not support AR functionality. This project will utilise tools and techniques from Human-Computer Interaction to address security-related issues in AR headsets. For example, system state and security functions should: (1) be visible, (2) be easy to use, (3) be suitable for advanced as well as first-time users, (4) avoid heavy use of technical vocabulary or advanced terms, (5) handle errors appropriately, (6) allow customization without the risk of being trapped, (7) make security settings easy to set up, (8) provide suitable help and documentation for the available security, (9) make the user feel protected, (10) not reduce performance.
Category: Research and development
Number of weeks offered: min. 8 | max. 8
Within period: from 27.05.2019 to 31.07.2019
Work closed:
Gross pay: 295 GBP per week
Max. deduction to be expected: tax


Lodging will be arranged by: IAESTE
Canteen facilities available at work: Yes
Estimated cost of lodging: 100 GBP per week
Estimated cost of living incl. lodging: 200 GBP per week

Additional information

Deadline for nomination: 26.04.2019
Not public info:
Additional information: --
Reserved training:- - - - - - - - - -
Postpraxe:postpraxe COBE
IAESTE internal comment:--