EVALUATING SECURITY OF SMART PHONE MESSAGING APPLICATIONS PRESENTED BY SUDHEER AKURATHI

Upload: amberlynn-jacobs

Post on 03-Jan-2016

TRANSCRIPT

Page 1: EVALUATING SECURITY OF SMART PHONE MESSAGING APPLICATIONS

PRESENTED BY SUDHEER AKURATHI

Page 2: OUTLINE

Introduction

Related Work

Mobile Messaging Applications

Evaluation

Methodology

Experimental Setup

Conclusion

References

Page 3: INTRODUCTION

• In all these applications, the user's phone number is used as the unique token that identifies an account.

• Several new smartphone messaging and VoIP services with a novel form of client authentication have been introduced.

• These new-era communication applications aim to replace traditional text messaging (SMS) and request the user's telephone number.

Page 4: EXAMPLES

Page 5: RELATED WORK

• A large number of protocols have been designed to provide secure client authentication, based on public key cryptography and the use of a PKI.

• Because of the rapid growth of smartphones, these platforms have attracted the interest of the security community.

• The security features and properties of Android as well as iOS have been widely studied.

Page 6: MOBILE MESSAGING APPLICATIONS

They use the user's telephone number as the basis for identification. During the setup process, the software asks the user to enter the telephone number of the device.

Page 7: CONTINUED…

• Wi-Fi tablets can be activated using the telephone number of another device.

• These applications use the telephone number only to identify users; they do not attempt to communicate over the mobile network.

• All the applications discussed implement measures to keep users from impersonating others by registering a number they do not control.

Page 8: EVALUATION

• Methodology

• Experimental Setup

Page 9: METHODOLOGY

Authentication Mechanism and Account Hijacking

Sender ID Spoofing and Message Manipulation

Unrequested SMS / Phone Calls

Enumeration

Modifying Status Messages

Page 10: EXPERIMENTAL SETUP

• To read encrypted HTTPS traffic from and to the tested applications, we set up an SSL proxy that acted as a man-in-the-middle.

Experimental setup for intercepting SSL

Page 11: AUTHENTICATION MECHANISM AND ACCOUNT HIJACKING

• The attacker's goal is to link a cell phone under his control to the telephone number of the victim.

Page 12: EXAMPLES

WhatsApp

Tango and Voypi

Easy Talk

Viber and Wow Talk

Hey Tell

Page 13: WHATSAPP

• To prevent another person from using the victim's number, a confirmation SMS with a 4-digit PIN is sent.

• An attacker could abuse this process to hijack any WhatsApp account.

• By intercepting the communication between the telephone and the server, the attacker can eavesdrop on the PIN.

• An SSL proxy acts as the intermediary.

Page 14: TANGO & VOYPI

• The applications request the user's telephone number. If the number is not yet registered for the service, no confirmation is performed. Only if the number is already known to the system is a confirmation process via SMS (like WhatsApp's) performed.

• As long as a number is not registered for Tango or Voypi, an attacker can hijack it without SMS confirmation.

Page 15: EASY TALK

• Uses SMS for verification.

• After registration, the server sends a code via SMS.

• The code is entered into the app for confirmation.

• The server then answers with either "OK" or "ERROR".

• We can hijack the account by modifying this reply from "ERROR" to "OK".

Page 16: VIBER

• The application requests the user's telephone number and sends an authentication request to the server.

• The server sends a code through an SMS message to the user's telephone, or via a call from Viber.

• The code is entered in the app.

• The server readily trusts the client; there is no further validation.

Page 17: WOW TALK

• Registration with SMS confirmation.

• The user enters the telephone number into the application.

• The server creates a random confirmation code and sends it via SMS.

Page 18: HEY TELL

• No confirmation required.

• During the setup process the user needs to choose his or her own cellphone number from the address book.

• The device is then linked to the chosen number without any check.

Page 19: SENDER ID SPOOFING

Voypi: No validation is needed to send a message, hence the sender ID can be spoofed.

Forfone: IMSI and UDID are used for authentication, so spoofing is tough.
Page 20: UNREQUESTED SMS/PHONE CALLS

• SMS messages or even telephone calls are used during the telephone number verification process.

• A malicious user could enter another user's number in the setup procedure to generate annoying messages or telephone calls on the victim's telephone without revealing his identity.
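The registration flaws on pages 13 to 20 (a PIN the client can observe, confirmation skipped for unregistered numbers, a client-visible "OK"/"ERROR" flag deciding the outcome, a device bound to a number without any check, unrequested verification SMS, and a client-chosen sender ID) all come down to the server letting the client decide. The following is an added example written for this transcript; it is not code from the presentation or from the NDSS paper it summarizes, and the class, method names and policy values (code length, lifetime, attempt and per-number SMS caps) are hypothetical. It models the server side of a phone-number confirmation so that every number is confirmed, the secret travels only out of band, the only proof of success is a server-minted session token, and the sender identity on a message is taken from that session rather than from the client.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical policy values chosen for the example.
CODE_LEN = 6                       # digits in the confirmation code
CODE_TTL_S = 300                   # a code is valid for five minutes
MAX_ATTEMPTS = 3                   # guesses allowed per issued code
MAX_SMS_PER_NUMBER_PER_HOUR = 3    # caps verification SMS/calls aimed at one number


@dataclass
class Pending:
    code: str
    expires: float
    attempts: int = 0


class VerificationServer:
    """Server-side phone-number confirmation. The client never learns whether it is
    authenticated from a flag it could rewrite in transit; it only ever receives a
    session token that the server minted after a correct code arrived in time."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so the flow runs offline
        self.pending = {}              # phone -> Pending (one outstanding code per number)
        self.accounts = {}             # phone -> device_id bound after confirmation
        self.sessions = {}             # token -> (phone, device_id)
        self.sms_log = {}              # phone -> timestamps of codes sent
        self.sms_gateway = []          # constructed stand-in for the SMS/voice gateway

    def request_code(self, phone, device_id):
        """Step 1: the app submits the number it claims. Confirmation is required for
        every number, registered or not, so an unknown number cannot be claimed freely."""
        recent = [t for t in self.sms_log.get(phone, []) if t > self.now() - 3600]
        if len(recent) >= MAX_SMS_PER_NUMBER_PER_HOUR:
            return "THROTTLED"         # bounds unrequested SMS/calls to a victim number
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
        self.pending[phone] = Pending(code=code, expires=self.now() + CODE_TTL_S)
        self.sms_log[phone] = recent + [self.now()]
        self.sms_gateway.append((phone, code))   # out of band only; never in the API reply
        return "SENT"

    def confirm(self, phone, device_id, submitted):
        """Step 2: the app submits the code the user typed. Returns a session token on
        success and None otherwise; the decision is made here, not in the client."""
        p = self.pending.get(phone)
        if p is None or self.now() > p.expires:
            return None
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            del self.pending[phone]    # force a fresh code after too many guesses
            return None
        if not hmac.compare_digest(p.code, submitted):
            return None
        del self.pending[phone]
        self.accounts[phone] = device_id
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (phone, device_id)
        return token

    def send_message(self, token, to, body):
        """The sender ID comes from the server-side session, never from a client-supplied
        'from' field; without a valid token there is no sender identity at all."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        return {"from": sess[0], "to": to, "body": body}


class FakeClock:
    """Constructed clock for the offline demonstration; advance .t to pass time."""
    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    """Runs the legitimate flow end to end and reports what the server handed out."""
    clock = FakeClock()
    srv = VerificationServer(now=clock)
    phone, device = "+16195550100", "dev-owner"      # constructed sample values
    assert srv.request_code(phone, device) == "SENT"
    _, code = srv.sms_gateway[-1]                    # the user reads this from the SMS
    token = srv.confirm(phone, device, code)
    return {"token_issued": token is not None,
            "message": srv.send_message(token, "+16195550123", "hi"),
            "forged": srv.send_message("not-a-real-token", "+16195550123", "hi")}


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the numbers. First, the reply to `confirm` is a capability (the token), not a verdict, so rewriting a transit message from "ERROR" to "OK" gives an interceptor nothing the server will honour. Second, the code is compared with `hmac.compare_digest` and burned after a bounded number of guesses or a short lifetime, which is what makes a short numeric code acceptable at all.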

Page 21: ENUMERATION

DEFINITION

• Another security-relevant feature is the applications' ability to automatically import the user's contacts and compare the numbers to the numbers already registered on the server. The server returns the subset of the user's contact list that is registered.

• A possible threat resulting from user account enumeration is the identification of active phone numbers.

EXAMPLE

• A large range of numbers in the San Diego area code 619 was divided into chunks of 5000 numbers each and uploaded as a standard address-book transfer, as performed by WhatsApp.

• The whole process completed in under 2.5 hours.
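The enumeration on this page works because the contact-matching endpoint answers any upload of any size at any rate. The following is an added example for this transcript, not code from the presentation or from the paper it summarizes; the service class, the thresholds and the sequential-upload heuristic are hypothetical. It shows the server-side controls a messaging backend can put on contact sync: a cap on numbers per upload, a rolling per-device lookup budget, and a check that flags uploads whose numbers are contiguous the way an area-code sweep is and unlike a real address book, with an audit event for each refusal so the pattern is visible to detection.

```python
import time
from collections import defaultdict

# Hypothetical policy values for the example.
MAX_BATCH = 500              # numbers accepted in one address-book upload
MAX_LOOKUPS_PER_DAY = 2000   # rolling per-device budget of numbers matched
WINDOW_S = 86400
SWEEP_MIN_SIZE = 50          # only judge sequential structure on uploads this large
SWEEP_RATIO = 0.9            # share of +1 steps above which an upload looks like a range scan


def sequential_ratio(numbers):
    """Share of adjacent numbers (sorted) that differ by exactly one. A real address
    book is scattered across ranges; a sweep of an area code is contiguous."""
    nums = sorted(int(n.lstrip("+")) for n in numbers)
    if len(nums) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1)


class ContactSyncService:
    def __init__(self, registered, now=time.time):
        self.registered = set(registered)
        self.now = now                         # injectable clock for offline testing
        self.history = defaultdict(list)       # device -> [(timestamp, numbers_looked_up)]
        self.audit = []                        # constructed stand-in for SIEM-bound events

    def _used(self, device):
        cutoff = self.now() - WINDOW_S
        self.history[device] = [(t, n) for t, n in self.history[device] if t > cutoff]
        return sum(n for _, n in self.history[device])

    def sync(self, device, numbers):
        """Returns the registered subset of `numbers`, or refuses the upload."""
        numbers = list(dict.fromkeys(numbers))  # dedupe so repeats do not pad the count
        if len(numbers) > MAX_BATCH:
            self.audit.append(("oversized_batch", device, len(numbers)))
            return {"status": "rejected", "matches": []}
        if len(numbers) >= SWEEP_MIN_SIZE and sequential_ratio(numbers) >= SWEEP_RATIO:
            self.audit.append(("sequential_sweep", device, len(numbers)))
            return {"status": "rejected", "matches": []}
        if self._used(device) + len(numbers) > MAX_LOOKUPS_PER_DAY:
            self.audit.append(("quota_exceeded", device, len(numbers)))
            return {"status": "throttled", "matches": []}
        self.history[device].append((self.now(), len(numbers)))
        return {"status": "ok",
                "matches": sorted(n for n in numbers if n in self.registered)}


def sample_registered():
    """Constructed registry of three subscribers in area code 619."""
    return {"+16195550100", "+16195550123", "+16195551000"}


def range_block(start, count, step=1):
    """Constructed numbers of the form +1619555XXXX starting at offset `start`."""
    return ["+1619555%04d" % (start + i * step) for i in range(count)]


if __name__ == "__main__":
    svc = ContactSyncService(sample_registered())
    print(svc.sync("dev-A", ["+16195550100", "+16195557777"]))   # normal sync
    print(svc.sync("dev-scan", range_block(0, 5000)))             # 5000-number chunk refused
    print(svc.audit)
```

The heuristic is deliberately crude; in practice the budget and the contiguity check would be complemented by hashing uploaded numbers client-side and by alerting on many devices sharing one IP or account, but even the three controls above turn a 2.5-hour unattended sweep into something that is both slow and loud.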

Page 22: MODIFYING STATUS MESSAGES

We analyzed the protocol for setting the status message and explored possible vulnerabilities that could result in unauthorized modification of status messages.

Privacy-related design error: it not only reveals whether the owner of a given phone number has installed the messenger application, but also makes a user's status message visible to anyone who has stored this user in their address book.

Page 23: TABULAR VIEW ON ATTACKS

Page 24: CONCLUSION

• Broken authentication mechanisms are vulnerable to account hijacking attacks.

• Most applications also suffer from account enumeration because of software design and implementation errors.

• This has a severe effect on users' privacy.

Page 25: REFERENCES

• https://www.sba-research.org/wp-content/uploads/publications/ndss2012_final.pdf

• http://en.wikipedia.org/wiki/Proxy_server

• http://www.windowsphone.com/en-us/store/app/at-t-secure-messaging/7c79afdc-9a8f-4488-aea1-84fd0d7975b2

• http://www.thenewstribe.com/2015/01/16/lock-your-whatsapp-with-fast-trending-security-app/

• http://freedomhacker.net/secure-messaging-apps-for-smart-phones/

• http://www.general-play.com/app/gp3e1e50h1f5i0/Ironchat,%20Secure%20Messaging.html

Page 26

Page 27: THANK YOU