
EVALUATING SECURITY OF SMART PHONE MESSAGING APPLICATIONS PRESENTED BY SUDHEER AKURATHI.





2 OUTLINE
Introduction
Related Work
Mobile Messaging Applications
Evaluation
Methodology
Experimental Setup
Conclusion
References

3 INTRODUCTION
Several new smartphone messaging and VoIP services with a novel form of client authentication have been introduced. These applications aim to replace traditional text messaging (SMS) and ask for the user's phone number during setup. In all of them the phone number serves as the unique token that identifies an account.

4 EXAMPLES

5 RELATED WORK
A large number of protocols have been designed to provide secure client authentication, based on public-key cryptography and the use of a PKI. With the rapid growth of smartphones, these platforms have attracted the interest of the security community, and the security features and properties of both Android and iOS have been studied extensively.

6 MOBILE MESSAGING APPLICATIONS
They use the user's phone number as the basis for identification. During the setup process the application asks the user to enter the phone number of the device.

7 CONTINUED
Wi-Fi-only tablets can be activated with the phone number of another device. The applications use the phone number only to identify users and do not attempt to communicate over the mobile network. All the applications discussed implement measures to keep users from impersonating others by entering a number they do not control.

8 EVALUATION
Methodology
Experimental Setup

9 METHODOLOGY
Authentication Mechanism and Account Hijacking
Sender ID Spoofing and Message Manipulation
Unrequested SMS / Phone Calls
Enumeration
Modifying Status Messages

10 EXPERIMENTAL SETUP
To read the encrypted HTTPS traffic to and from the tested applications, we set up an SSL proxy acting as a man-in-the-middle between the phone and the application servers. Intercepting HTTPS this way requires the test device to trust the proxy's CA certificate; an application that pins its server certificate would refuse to connect through such a proxy.
Figure: experimental setup for intercepting SSL.

11 AUTHENTICATION MECHANISM AND ACCOUNT HIJACKING
The attacker's goal is to link his or her own phone to the victim's phone number, i.e. to take over the victim's account.

12 EXAMPLES
WhatsApp
Tango and Voypi
Easy Talk
Viber
Wow Talk
Hey Tell

13 WHATSAPP
To prevent another person from registering the victim's number, a confirmation SMS containing a 4-digit PIN is sent to that number. An attacker could abuse this process to hijack any WhatsApp account: by intercepting the communication between the phone and the server with the SSL proxy, the PIN could be eavesdropped.

14 TANGO & VOYPI
The application asks for the user's phone number. If the number is not yet registered with the service, no confirmation is performed at all; only if the number is already known to the system is an SMS confirmation (like WhatsApp's) carried out. As long as a number is not registered with Tango or Voypi, an attacker can claim it, and thereby hijack it, without any SMS confirmation.

15 EASY TALK
Uses SMS for verification. After registration the server sends a code via SMS, and the code is entered into the app for confirmation. The server then answers with either "OK" or "ERROR". Because the client acts on this reply, the account can be hijacked by modifying the intercepted reply from "ERROR" to "OK".

16 VIBER
The application asks for the user's phone number and sends an authentication request to the server. The server sends a code to the user's phone, by SMS or by a call from Viber, and the code is entered into the app. The server then trusts the client without further validation.

17 WOW TALK
Registration with SMS confirmation. The user enters the phone number into the application; the server creates a random confirmation code and sends it via SMS.

18 HEY TELL
No confirmation is required. During setup the user selects his or her own number from the address book, and the device is then linked to the chosen number without any check.
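The verification flows on the preceding slides, as an added example that is not part of the presentation or of the paper it summarises: a small Python simulation of the EasyTalk-style weakness (the client treats the server's "OK"/"ERROR" reply as the verdict on registration, and later requests are trusted on the phone number the client claims) next to a hardened variant that issues a random session token only on a correct code and attributes messages to that token. The server classes, the phone numbers, the 4-digit code format and the three-attempt limit are constructed for illustration, not taken from any of the applications discussed.

```python
# Added example: SMS-code verification, the EasyTalk-style flaw, and a hardened variant.
import hmac
import secrets

VICTIM = "+16195550123"   # constructed victim number
MAX_ATTEMPTS = 3          # a 4-digit code has only 10,000 values


class WeakServer:
    """Checks the code, but nothing afterwards depends on that check."""
    def __init__(self):
        self.inboxes = {}     # stands in for the carrier: number -> SMS texts
        self.pending = {}     # number -> code awaiting confirmation
        self.delivered = []   # (sender, recipient, text)

    def request_code(self, number):
        code = f"{secrets.randbelow(10000):04d}"
        self.pending[number] = code
        self.inboxes.setdefault(number, []).append(f"Your code is {code}")

    def confirm(self, number, code):
        expected = self.pending.get(number, "")
        if expected and hmac.compare_digest(expected, code):
            return {"status": "OK"}
        return {"status": "ERROR"}

    def send_message(self, credential, recipient, text):
        # FLAW: the credential is just the phone number the client claims.
        self.delivered.append((credential, recipient, text))
        return True


class HardenedServer(WeakServer):
    """Same SMS flow; a correct code yields a token, and only tokens can send."""
    def __init__(self):
        super().__init__()
        self.tokens = {}      # token -> verified number
        self.attempts = {}

    def confirm(self, number, code):
        self.attempts[number] = self.attempts.get(number, 0) + 1
        if self.attempts[number] > MAX_ATTEMPTS:
            self.pending.pop(number, None)   # burn the code; a fresh one must be requested
            return {"status": "ERROR"}
        expected = self.pending.get(number, "")
        if expected and hmac.compare_digest(expected, code):
            del self.pending[number]
            token = secrets.token_hex(16)
            self.tokens[token] = number
            return {"status": "OK", "token": token}
        return {"status": "ERROR"}

    def send_message(self, credential, recipient, text):
        sender = self.tokens.get(credential)
        if sender is None:
            return False      # no verified session behind this request
        self.delivered.append((sender, recipient, text))
        return True


def mitm_flip(reply):
    """The attacker's SSL proxy rewriting the server's reply in transit."""
    return dict(reply, status="OK") if reply.get("status") == "ERROR" else reply


def certainly_wrong_code(server):
    # Simulation aid only: the attacker never sees the victim's SMS, so model a
    # guess that is guaranteed to differ from the delivered code.
    real = server.inboxes[VICTIM][-1][-4:]
    return "0000" if real != "0000" else "0001"


def hijack_succeeds(server_cls):
    """Attacker claims VICTIM, guesses the code, flips the reply, then sends as VICTIM."""
    server = server_cls()
    server.request_code(VICTIM)
    reply = mitm_flip(server.confirm(VICTIM, certainly_wrong_code(server)))
    if reply["status"] != "OK":
        return False
    # The client keeps whatever the protocol gave it: a token if there is one,
    # otherwise (EasyTalk-style) it simply proceeds as the owner of VICTIM.
    credential = reply.get("token", VICTIM)
    accepted = server.send_message(credential, "+16195550999", "sent as the victim")
    return accepted and server.delivered[-1][0] == VICTIM


def owner_registers(server_cls):
    """Legitimate owner reads the SMS, confirms, and can send."""
    server = server_cls()
    server.request_code(VICTIM)
    reply = server.confirm(VICTIM, server.inboxes[VICTIM][-1][-4:])
    credential = reply.get("token", VICTIM)
    return reply["status"] == "OK" and server.send_message(credential, "+16195550999", "hi")
```

With the weak server, `hijack_succeeds(WeakServer)` is true: the flipped reply is all the client needs, because the server never ties the SMS check to anything it later relies on. With the hardened server the same proxy rewrite yields an "OK" without a token, and the first message is rejected, while `owner_registers(HardenedServer)` still succeeds. The attempt limit matters as well: without it, a 4-digit code can simply be brute-forced in 10,000 requests.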

19 SENDER ID SPOOFING
Voypi: no authentication is required to send a message, so the sender ID can be spoofed.
Forfone: the IMSI and UDID are used for authentication, which makes spoofing harder.

20 UNREQUESTED SMS / PHONE CALLS
SMS messages, or even phone calls, are used during the phone-number verification process. A malicious user can enter another user's number during setup to trigger annoying messages or phone calls to the victim's phone without revealing his or her own identity.

21 ENUMERATION
Definition: another security-relevant feature is the ability to automatically upload the user's contacts and compare the numbers with those already registered on the server. The server returns the subset of the user's contact list that is registered. A possible threat resulting from such user-account enumeration is the identification of active phone numbers.
Example: a large range of numbers in the San Diego area code 619 was divided into chunks of 5000 numbers each and uploaded as a standard address-book upload, exactly as performed by WhatsApp. The whole process completed in under 2.5 hours.
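The enumeration described above, as an added Python example that is not part of the presentation or of the underlying paper: an attacker uploads consecutive blocks of numbers as if they were address books and collects every registered number the server echoes back, next to a sync endpoint that rejects uploads which look like a number range and caps how many distinct numbers one account may look up. The number range, the registered set, the thresholds and the account names are constructed; only the chunk size of 5000 comes from the slide.

```python
# Added example: address-book enumeration as described above, and a sync endpoint that resists it.
CHUNK = 5000            # block size used in the enumeration described above
CONTIGUITY_LIMIT = 0.5  # real address books are sparse; a number range scores ~1.0
LOOKUP_QUOTA = 20000    # distinct numbers one account may look up in total (constructed)


def contiguity(batch):
    """Fraction of adjacent numbers (sorted) that differ by exactly one."""
    nums = sorted(int(n.lstrip("+")) for n in batch)
    if len(nums) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return consecutive / (len(nums) - 1)


class SyncServer:
    """Contact sync as the slide describes it: return the registered subset of the upload."""
    def __init__(self, registered, hardened=False):
        self.registered = set(registered)
        self.hardened = hardened
        self.seen = {}        # account -> numbers it has already looked up
        self.blocked = set()

    def sync(self, account, batch):
        if self.hardened:
            if account in self.blocked:
                return None
            seen = self.seen.setdefault(account, set())
            if contiguity(batch) > CONTIGUITY_LIMIT or len(seen | set(batch)) > LOOKUP_QUOTA:
                self.blocked.add(account)   # looks like enumeration, not an address book
                return None
            seen.update(batch)
        return sorted(self.registered & set(batch))


def number_range(area_code, start, count):
    """E.164 numbers +1<area code><7 digits>, `count` of them starting at `start`."""
    return [f"+1{area_code}{n:07d}" for n in range(start, start + count)]


def enumerate_range(server, account, area_code, start, count, chunk=CHUNK):
    """Attacker loop: upload consecutive blocks as if they were address books."""
    found = []
    for offset in range(0, count, chunk):
        block = number_range(area_code, start + offset, min(chunk, count - offset))
        hits = server.sync(account, block)
        if hits is None:      # the account was blocked
            break
        found.extend(hits)
    return found


# Constructed: 1,000 active numbers spread through 619-555-0000 .. 619-555-9999.
REGISTERED = {f"+1619555{n:04d}" for n in range(0, 10000, 10)}


def enumeration_demo(hardened):
    server = SyncServer(REGISTERED, hardened=hardened)
    return enumerate_range(server, "attacker", "619", 5550000, 10000)


def legitimate_sync_demo():
    """A real address book (few, scattered numbers) still works on the hardened server."""
    server = SyncServer(REGISTERED, hardened=True)
    contacts = ["+16195550010", "+16195550247", "+16195553330", "+16195557771"]
    return server.sync("alice", contacts)
```

Against the plain server, `enumeration_demo(hardened=False)` recovers all 1,000 registered numbers in two uploads; against the hardened server the first block is rejected and the account blocked, while `legitimate_sync_demo()` still returns the two registered contacts. Note that hashing the contacts on the client before upload would not help here: the phone-number space is small enough that the server, or an attacker, can hash every candidate number, so the protection has to be a server-side limit on what one account may look up.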

22 MODIFYING STATUS MESSAGES
We analyzed the protocol for setting the status message and explored possible vulnerabilities that could lead to unauthorized modification of status messages. A privacy-related design error: the service reveals not only whether the owner of a given phone number has installed the messenger, but also that user's status message, to anyone who has stored the number in their address book.

23 TABULAR VIEW ON ATTACKS

24 Broken authentication mechanisms leave the applications vulnerable to account-hijacking attacks. Most applications also suffer from account enumeration because of software design and implementation errors, which has a severe effect on users' privacy.

25 REFERENCES
https://www.sba-research.org/wp-content/uploads/publications/ndss2012_final.pdf
http://en.wikipedia.org/wiki/Proxy_server
http://www.windowsphone.com/en-us/store/app/at-t-secure-messaging/7c79afdc-9a8f-4488-aea1-84fd0d7975b2
http://www.thenewstribe.com/2015/01/16/lock-your-whatsapp-with-fast-trending-security-app/
http://freedomhacker.net/secure-messaging-apps-for-smart-phones/
http://www.general-play.com/app/gp3e1e50h1f5i0/Ironchat,%20Secure%20Messaging.html


27 THANK YOU

