Evaluating the Security of Smartphone Messaging Applications
Sebastian Schrittwieser, Peter Frühwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, Edgar Weippl
SBA Research gGmbH
Vienna, Austria
(1stletterfirstname)(lastname)@sba-research.org
Abstract
In recent months a new generation of mobile messaging and VoIP applications for smartphones was introduced.
These services offer free calls and text messages to other subscribers, providing an Internet-based alternative to the traditional carrier-managed communication methods such as SMS, MMS and voice calls. While user numbers are estimated in the millions, very little attention has so far been paid to the security measures (or lack thereof) implemented by these providers.
In this paper we analyze nine popular mobile messaging and VoIP applications and evaluate their security models with a focus on authentication mechanisms. We find that a majority of the examined applications use the user’s phone number as a unique token to identify accounts, which further encumbers the implementation of security barriers. Finally, experimental results show that major security flaws exist in most of the tested applications, allowing attackers to hijack accounts, spoof sender-IDs or enumerate subscribers.
1
been the subject of an ample amount of past research.
The common advantages of the tools we examined lie in very simple and fast setup routines combined with the ability to incorporate the existing on-device address book. Additionally, these services offer communication free of charge and thus pose a low entry barrier to potential customers.
However, we find that the very design of most of these messaging systems thwarts their security measures, leading to issues such as the possibility for communication without proper sender authentication.
The main contribution of our paper is an evaluation of the security of mobile messaging