1 Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications (NDSS Symposium 2012) Sebastian Schrittwieser, Peter Frühwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar Weippl SBA Research gGmbH Vienna, Austria

2 Outline Introduction Related Work Mobile Messaging Applications Evaluation Results Conclusion

3 Introduction In recent months a new generation of mobile messaging and VoIP applications for smartphones was introduced. These services, built on a novel user authentication concept, offer free calls and text messages. The main contribution of our paper is an evaluation of the security of these mobile messaging applications.

4 Introduction

5 Related Work User authentication is a popular field of research in information security, especially as applied to distributed systems and web services. The security of smartphone applications in general, though not of mobile messaging services, has been evaluated in the past. Recently, cloud storage services have attracted the interest of security researchers analyzing the implications of faulty authentication in that area.

6 Mobile Messaging Application All applications analyzed in this paper have one thing in common: they use the user’s phone number as the basis for identification. iOS does not allow applications to read the device’s phone number, so the user has to type it in; Android does allow it. The benefit of typing the number in is that a WiFi-only tablet can be activated with the phone number of another device. The drawback is that an attacker can enter someone else’s phone number and hijack that account.

7 Messaging Application

8 Evaluation Authentication Mechanism and Account Hijacking Sender ID Spoofing/Message Manipulation Unrequested SMS/phone calls Enumeration Modifying Status Messages

9 Authentication Mechanism and Account Hijacking [Diagram: attacker, victim, server, victim’s phone. The server sends the verification code by SMS to the victim’s phone; the code is then returned to the server.]

10 Sender ID Spoofing/Message Manipulation [Diagram: attacker, victim, server. The attacker sends a message to the victim via the server with a modified sender ID.]

11 Unrequested SMS/phone calls [Diagram: attacker, server, victim 1 and victim 2 with their phones. The attacker triggers the server into sending verification codes by SMS to victim 1’s and victim 2’s phones.]

12 Enumeration [Diagram: attacker, server. The attacker uploads a crafted address book; the server returns other users’ information.]

13 Modifying Status Messages We analyzed the protocol for setting the status message and explored possible vulnerabilities that could result in unauthorized modification of status messages. In practice, this approach would likely be combined with some sort of enumeration attack.

14 Experimental Setup

15 Result

16 Account Hijacking

17 WhatsApp

18 WowTalk

19 EasyTalk

20 HeyTell No verification of the phone number is performed at all.

21 Viber, Forfone, eBuddy XMS The authentication mechanisms of Forfone and eBuddy XMS are similar to Viber’s.

22 Tango, Voypi If the number is not registered for the service yet, no verification is done. Only if the number is already known to the system, a verification process via SMS is performed.
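The activation flows from slides 9, 20 and 22, modelled as an added example. This is not code from the paper or from any of the evaluated apps: the in-memory server, the SMS stand-in, the policy names and the assumed per-number cooldown (slides 11 and 24 only say that some timeout existed) are constructed for illustration. It shows why "no verification" (HeyTell) and "verify only numbers already registered" (Tango, Voypi) both let a device that never receives the SMS claim someone else’s number, while a scheme that always verifies does not.

```python
import secrets


class SmsNetwork:
    """Stand-in for the carrier: a code sent to a number lands in that handset's inbox.

    Constructed for this example; the real apps use the actual SMS network.
    """

    def __init__(self):
        self.inbox = {}  # phone number -> last verification code delivered

    def send(self, number, code):
        self.inbox[number] = code


class ActivationServer:
    """Registers a device as the owner of a phone number under one of three policies."""

    POLICY_NONE = "none"              # HeyTell (slide 20): no verification at all
    POLICY_KNOWN_ONLY = "known_only"  # Tango, Voypi (slide 22): verify only already-registered numbers
    POLICY_ALWAYS = "always"          # sound scheme: always verify possession of the number
    MAX_CODES_PER_NUMBER = 3          # assumed cooldown against unrequested-SMS abuse (slides 11, 24)

    def __init__(self, sms, policy):
        self.sms = sms
        self.policy = policy
        self.accounts = {}    # phone number -> device id that owns it
        self.pending = {}     # phone number -> (device id, code awaiting confirmation)
        self.codes_sent = {}  # phone number -> verification SMS sent so far

    def request_activation(self, number, device):
        verify = self.policy == self.POLICY_ALWAYS or (
            self.policy == self.POLICY_KNOWN_ONLY and number in self.accounts
        )
        if not verify:
            # The weak policies take the client's word for it: whoever sends the number owns it.
            self.accounts[number] = device
            return "activated"
        if self.codes_sent.get(number, 0) >= self.MAX_CODES_PER_NUMBER:
            return "rate_limited"
        self.codes_sent[number] = self.codes_sent.get(number, 0) + 1
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = (device, code)
        self.sms.send(number, code)  # only the handset holding the SIM receives this
        return "code_sent"

    def confirm(self, number, device, code):
        entry = self.pending.get(number)
        if entry is None or entry[0] != device:
            return False
        if not secrets.compare_digest(entry[1], code):
            return False
        del self.pending[number]
        self.accounts[number] = device
        return True


VICTIM_NUMBER = "+16195550100"  # constructed sample number


def hijack_attempt(policy, victim_registered):
    """True if a device that does not hold the victim's SIM ends up owning the victim's number."""
    sms = SmsNetwork()
    server = ActivationServer(sms, policy)
    if victim_registered:
        server.accounts[VICTIM_NUMBER] = "victim-phone"
    outcome = server.request_activation(VICTIM_NUMBER, "attacker-phone")
    if outcome == "activated":
        return True
    # Any code went to the victim's handset; the attacker never sees it and can only guess.
    return server.confirm(VICTIM_NUMBER, "attacker-phone", "guess")


def legitimate_activation(policy):
    """True if the handset that actually receives the SMS can activate under the policy."""
    sms = SmsNetwork()
    server = ActivationServer(sms, policy)
    outcome = server.request_activation(VICTIM_NUMBER, "victim-phone")
    if outcome == "activated":
        return True
    return server.confirm(VICTIM_NUMBER, "victim-phone", sms.inbox[VICTIM_NUMBER])


def sms_flood_count(policy, attempts):
    """How many verification SMS an attacker can trigger to a registered number (slides 11, 24)."""
    sms = SmsNetwork()
    server = ActivationServer(sms, policy)
    server.accounts[VICTIM_NUMBER] = "victim-phone"
    sent = 0
    for i in range(attempts):
        if server.request_activation(VICTIM_NUMBER, f"attacker-{i}") == "code_sent":
            sent += 1
    return sent


if __name__ == "__main__":
    for policy in (ActivationServer.POLICY_NONE, ActivationServer.POLICY_KNOWN_ONLY,
                   ActivationServer.POLICY_ALWAYS):
        print(policy, "unregistered number hijacked:", hijack_attempt(policy, False),
              "registered number hijacked:", hijack_attempt(policy, True))
```

Under the Tango/Voypi policy the attacker simply has to be first: an unregistered number is handed over without any SMS, and the real owner only meets the verification step later. Note also that in the always-verify policy every activation request for a registered number causes an SMS to the real owner, which is the unrequested-SMS problem of slide 11; the assumed per-number cap is the kind of timeout slide 24 refers to.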

23 Sender ID Spoofing Other applications use the Extensible Messaging and Presence Protocol (XMPP).

24 Unrequested SMS All examined applications had some kind of timeout that thwarted real mass spamming.

25 Unrequested SMS (Cont.)

26 Enumeration We selected the US area code 619, which covers the southern half of the city of San Diego, CA, and enumerated the entire number range from to . valid phone numbers use WhatsApp. (2.5 hours)
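The enumeration of slides 12 and 26, as an added example rather than the paper’s own tooling: an attacker feeds a whole area code, in address-book-sized batches, to a contact-sync endpoint that answers which numbers are registered. The server class, the batch size, the registered-number set and the optional batch cap and per-account lookup quota are constructed for illustration and are not WhatsApp’s real protocol or limits.

```python
class ContactSyncServer:
    """Mimics "upload your address book, learn which contacts are users" (slide 12).

    Constructed for this example; the registered-number set is made up.
    """

    def __init__(self, registered, max_batch=None, lookup_quota=None):
        self.registered = set(registered)
        self.max_batch = max_batch        # cap on contacts per sync (None = unlimited)
        self.lookup_quota = lookup_quota  # cap on total contacts one account may look up
        self.used = {}                    # account -> contacts looked up so far

    def sync(self, account, numbers):
        """Returns the subset of the uploaded numbers that belong to registered users."""
        if self.max_batch is not None and len(numbers) > self.max_batch:
            raise ValueError("address book batch too large")
        used = self.used.get(account, 0)
        if self.lookup_quota is not None and used + len(numbers) > self.lookup_quota:
            raise PermissionError("lookup quota exhausted")
        self.used[account] = used + len(numbers)
        return [n for n in numbers if n in self.registered]


def number_range(area_code, first_local, last_local):
    """All +1<area code><7-digit local> numbers with local part in [first_local, last_local]."""
    for local in range(first_local, last_local + 1):
        yield f"+1{area_code}{local:07d}"


def enumerate_users(server, account, area_code, first_local, last_local, batch=500):
    """Drives the sync endpoint over a whole number range in address-book-sized batches.

    Returns (registered numbers found, number of sync requests it took).
    """
    found, pending, requests = [], [], 0
    for number in number_range(area_code, first_local, last_local):
        pending.append(number)
        if len(pending) == batch:
            found.extend(server.sync(account, pending))
            requests += 1
            pending = []
    if pending:
        found.extend(server.sync(account, pending))
        requests += 1
    return found, requests


def full_area_code_requests(batch):
    """Sync requests needed to cover all 10^7 local numbers of one area code at a given batch size."""
    return -(-10_000_000 // batch)


REGISTERED = {"+16195550042", "+16195550777", "+16195550900"}  # constructed sample users


if __name__ == "__main__":
    server = ContactSyncServer(REGISTERED)
    found, requests = enumerate_users(server, "attacker", "619", 5550000, 5550999, batch=250)
    print(sorted(found), "in", requests, "requests")
    print("whole area code at 500 per batch:", full_area_code_requests(500), "requests")
```

The attacker never needs the real address book; the "contacts" are just the next slice of the number range. Without a per-account quota the cost of a full area code is only the number of requests, which is why the cap on how many numbers one account may ever look up matters more than the batch size: splitting into smaller batches costs the attacker more requests but not more information, whereas a quota bounds what one account can learn at all.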

27 Other Vulnerabilities WhatsApp WowTalk Voypi

28 Conclusion Future work might include security assessments of upcoming solutions slated for mass adoption such as Apple’s iMessage. Furthermore, research towards an authentication scheme suitable as a best practice template for newly developed applications would be a welcome addition.
