Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications (NDSS Symposium 2012)

Sebastian Schrittwieser, Peter Frühwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar Weippl

SBA Research gGmbH

Vienna, Austria

Outline

  • Introduction
  • Related Work
  • Mobile Messaging Applications
  • Evaluation
  • Results
  • Conclusion
Introduction

In recent months a new generation of mobile messaging and VoIP applications for smartphones has been introduced.

  • These services offer free calls and text messages and rely on a novel user authentication concept.
  • The main contribution of our paper is an evaluation of the security of these mobile messaging services.
Related Work

User authentication is a popular field of research in information security, especially as applied to distributed systems and web services.

  • Smartphone application security in general has been evaluated in the past, but not that of mobile messaging services.
  • Recently, cloud storage services have attracted the interest of security researchers analyzing the implications of faulty authentication in that area.
Mobile Messaging Applications

All applications analyzed in this paper have one thing in common: they use the user’s phone number as the basis for identification.

  • iOS does not allow applications to read the device’s phone number, so the user has to type it in; Android applications can read it.
  • A benefit of letting the user type the number is that a WiFi-only tablet can be activated with the phone number of another device.
  • The downside is that the number is attacker-controlled input: an attacker could enter someone else’s phone number and, if the server does not verify possession of it, hijack that account.
Evaluation

  • Authentication Mechanism and Account Hijacking
  • Sender ID Spoofing/Message Manipulation
  • Unrequested SMS/phone calls
  • Enumeration
  • Modifying Status Messages
Unrequested SMS/phone calls

[Figure: the attacker submits Victim1’s and Victim2’s phone numbers to the server; the server delivers the verification codes via SMS to Victim1’s and Victim2’s phones, which never requested them.]
Enumeration

[Figure: the attacker uploads an attacker-chosen address book to the server, which returns information about the other users whose numbers it contains.]
Modifying Status Messages

We analyzed the protocol for setting the status message and explored possible vulnerabilities that could result in unauthorized modification of status messages.

  • In practice, this approach would likely be combined with some form of enumeration attack.
Tango, Voypi

If the number is not yet registered for the service, no verification is done at all.

  • Only if the number is already known to the system is a verification process via SMS performed.
  • Consequently anyone can claim a number that is not yet registered, and the differing server responses reveal whether a given number is registered.
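The registration flow the talk describes (the user-supplied number from the Mobile Messaging Applications slide, the unrequested verification SMS, and the Tango/Voypi behaviour of verifying only already-known numbers), as an added example in Python. This is not the authors’ code and not any application’s real protocol; the server classes, response strings, limits and the victim number are constructed assumptions. The flawed server is shown beside a hardened one that always challenges, binds the code to number and device, expires it, caps attempts and codes per number, and answers identically whether or not the number is already registered.

```python
"""Phone-number registration of a smartphone messenger: the flawed flow
described in the talk beside a hardened one.  Added example, not the
authors' code or any real app's protocol; names, limits and the victim
number are assumptions."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

VICTIM = "+16195550100"   # constructed number, not a real subscriber


class FlawedServer:
    """Verifies via SMS only when the number is already known (Tango/Voypi)."""

    def __init__(self):
        self.accounts = {}     # number -> device that owns it
        self.sms_outbox = []   # (number, code) the server "sent"

    def register(self, number, device):
        if number not in self.accounts:
            # No proof that the caller owns this number: anyone may claim it.
            self.accounts[number] = device
            return "registered"
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_outbox.append((number, code))
        return "code_sent"   # the differing answer is also a membership oracle


class HardenedServer:
    """Always challenge; bind the code to number and device; expire it;
    cap attempts and codes per number; answer alike for known/unknown numbers."""
    MAX_CODES_PER_HOUR = 3   # per number: limits unrequested-SMS floods
    MAX_ATTEMPTS = 5         # per challenge: no brute force of 10^6 codes
    TTL = 600                # seconds a challenge stays valid

    def __init__(self, now=time.time):
        self.now = now
        self.key = secrets.token_bytes(32)
        self.accounts = {}
        self.sms_outbox = []
        self.challenges = {}             # (number, device) -> [mac, expiry, attempts]
        self.issued = defaultdict(list)  # number -> send times within the hour

    def _mac(self, number, device, code):
        msg = f"{number}|{device}|{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def register(self, number, device):
        t = self.now()
        self.issued[number] = [s for s in self.issued[number] if t - s < 3600]
        if len(self.issued[number]) >= self.MAX_CODES_PER_HOUR:
            return "rate_limited"
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[(number, device)] = [self._mac(number, device, code), t + self.TTL, 0]
        self.issued[number].append(t)
        self.sms_outbox.append((number, code))
        return "code_sent"   # same answer whether or not the number is registered

    def verify(self, number, device, code):
        ch = self.challenges.get((number, device))
        if ch is None or self.now() > ch[1] or ch[2] >= self.MAX_ATTEMPTS:
            self.challenges.pop((number, device), None)
            return False
        ch[2] += 1
        if not hmac.compare_digest(ch[0], self._mac(number, device, code)):
            return False
        del self.challenges[(number, device)]
        self.accounts[number] = device   # possession proven: (re)bind the account
        return True


def demo_flawed():
    s = FlawedServer()
    attacker = s.register(VICTIM, "attacker-phone")  # no SMS reaches the victim
    victim = s.register(VICTIM, "victim-phone")      # the real owner is challenged instead
    return {"attacker": attacker, "victim": victim, "owner": s.accounts[VICTIM],
            "sms_sent": len(s.sms_outbox)}


def demo_hardened():
    s = HardenedServer()
    attacker = s.register(VICTIM, "attacker-phone")
    real_code = s.sms_outbox[-1][1]   # delivered to the victim's phone, not the attacker
    wrong = "000000" if real_code != "000000" else "111111"  # deterministic wrong guess
    guessed = s.verify(VICTIM, "attacker-phone", wrong)
    victim = s.register(VICTIM, "victim-phone")
    victim_ok = s.verify(VICTIM, "victim-phone", s.sms_outbox[-1][1])
    flood = [s.register(VICTIM, f"dev{i}") for i in range(5)]  # unrequested-SMS attempt
    return {"attacker": attacker, "guessed": guessed, "victim": victim,
            "victim_ok": victim_ok, "owner": s.accounts.get(VICTIM), "flood": flood}


if __name__ == "__main__":
    print(demo_flawed())
    print(demo_hardened())
```

Running the file prints both demos: against the flawed server the attacker owns the victim’s number without a single SMS, while the hardened server hands the account to whoever proves receipt of the code and refuses further codes for that number after three per hour. Proof of possession via SMS is all this scheme can establish; it says nothing about who else can read SMS sent to that number.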
Enumeration

We selected the US area code 619, which covers the southern half of the city of San Diego, CA, and enumerated the entire number range from 000-0000 to 999-9999.

  • 21,095 valid phone numbers in that range use WhatsApp; the full scan of 10^7 numbers took 2.5 hours, i.e. the server answered on the order of a thousand lookups per second.
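The enumeration the slide reports, as an added example in Python: a mock contact-sync endpoint, an attacker who uploads the whole number range in batches as fake address books, and the same endpoint with an upload cap and a per-client lookup budget. This is not the authors’ tooling and not any real service’s API; the endpoint, the limits, the registered-number sample (drawn at random with roughly the 0.2% density the slide found) and the 20,000-number demo range are constructed assumptions.

```python
"""Contact-discovery enumeration over an area code.  Added example, not the
authors' tooling or any real service's API; endpoint, limits and the
registered-number sample are constructed."""
import random


def numbers_in_range(area_code, start, stop):
    """NANP numbers +1<area_code><7 digits> for the 7-digit values start..stop-1."""
    return [f"+1{area_code}{n:07d}" for n in range(start, stop)]


class SyncServer:
    """Unbounded contact discovery: tells the client which uploads are users."""

    def __init__(self, registered):
        self.registered = set(registered)
        self.lookups = 0   # how many numbers the server has resolved in total

    def sync(self, client, contacts):
        self.lookups += len(contacts)
        return sorted(n for n in contacts if n in self.registered)


class LimitedSyncServer(SyncServer):
    """Same endpoint with a per-upload cap and a per-client budget; a client
    still learns membership of every number it is allowed to ask about."""
    MAX_CONTACTS_PER_SYNC = 500
    BUDGET_PER_CLIENT = 5000

    def __init__(self, registered):
        super().__init__(registered)
        self.used = {}   # client -> lookups spent

    def sync(self, client, contacts):
        if len(contacts) > self.MAX_CONTACTS_PER_SYNC:
            raise ValueError("address book too large")
        spent = self.used.get(client, 0)
        if spent + len(contacts) > self.BUDGET_PER_CLIENT:
            raise PermissionError("lookup budget exhausted")
        self.used[client] = spent + len(contacts)
        return super().sync(client, contacts)


def enumerate_area_code(server, area_code, start, stop, batch=1000, client="attacker"):
    """Upload the range as successive fake address books and collect the hits."""
    found = []
    for lo in range(start, stop, batch):
        chunk = numbers_in_range(area_code, lo, min(lo + batch, stop))
        found.extend(server.sync(client, chunk))
    return found


def lookups_per_second(total, hours):
    """Throughput implied by a scan of `total` numbers in `hours`."""
    return total / (hours * 3600)


def demo(seed=1, size=20000):
    rng = random.Random(seed)
    # Constructed sample: `size` numbers of area code 619, ~0.2% of them users
    # (the talk found 21,095 users across the full 10^7 range, about 0.21%).
    population = numbers_in_range("619", 0, size)
    users = set(rng.sample(population, size // 500))
    open_srv = SyncServer(users)
    hits = enumerate_area_code(open_srv, "619", 0, size)
    limited = LimitedSyncServer(users)
    try:
        enumerate_area_code(limited, "619", 0, size, batch=500)
        stopped = False
    except PermissionError:
        stopped = True
    return {"users": len(users), "found": len(hits), "complete": set(hits) == users,
            "lookups": open_srv.lookups, "limited_stopped": stopped,
            "limited_lookups": limited.lookups}


if __name__ == "__main__":
    print(demo())
    print(f"{lookups_per_second(10_000_000, 2.5):.0f} lookups/s for the 619 scan")
```

The budget does not remove the leak: contact discovery by phone number inherently tells a client which of its contacts are users, and the number space is small enough to enumerate, so caps and budgets only raise the attacker’s cost and make the scan visible server-side. `lookups_per_second` turns the slide’s figures (10^7 lookups in 2.5 hours) into the roughly 1,100 lookups per second the server sustained.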
Conclusion

Future work might include security assessments of upcoming solutions slated for mass adoption, such as Apple’s iMessage.

  • Furthermore, research towards an authentication scheme suitable as a best-practice template for newly developed applications would be a welcome addition.