Guess Who's Texting You_ Evaluating the Security of Smartphone Messaging Applications

Guess Who's Texting You_ Evaluating the Security of Smartphone Messaging Applications
Download Document
Showing pages : 1 - 2 of 9
This preview has blurred sections. Sign up to view the full version! View Full Document
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications Sebastian Schrittwieser, Peter Fruhwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, Edgar Weippl SBA Research gGmbH Vienna, Austria (1stletterfirstname)(lastname) Abstract In recent months a new generation of mobile messag- ing and VoIP applications for smartphones was introduced. These services offer free calls and text messages to other subscribers, providing an Internet-based alternative to the traditional communication methods managed by cellular network carriers such as SMS, MMS and voice calls. While user numbers are estimated in the millions, very little atten- tion has so far been paid to the security measures (or lack thereof) implemented by these providers. In this paper we analyze nine popular mobile messaging and VoIP applications and evaluate their security models with a focus on authentication mechanisms. We find that a majority of the examined applications use the user's phone number as a unique token to identify accounts, which fur- ther encumbers the implementation of security barriers. Fi- nally, experimental results show that major security flaws exist in most of the tested applications, allowing attack- ers to hijack accounts, spoof sender-IDs or enumerate sub- scribers. 1 Introduction In the past few months, several new smartphone mes- saging and VoIP services with a novel user authentication concept were introduced. These new-generation commu- nication applications aim at replacing traditional text mes- saging (SMS) and only require the user's phone number for registration. Contrary to well-known instant messaging ser- vices, no additional authentication mechanisms other than the phone number are used by these applications. In this paper we focus on the security of applications that are using this novel authentication concept. Due to this limitation, services such as Skype, Facebook Chat and Google Chat were regarded as out of scope. Note that these services have been the subject of an ample amount of past research. The common advantages of the tools we examined lie in very simple and fast setup routines combined with the possi- bility to incorporate existing on-device address books. Ad- ditionally these services offer communication free of charge and thus pose a low entry barrier to potential customers. However, we find that the very design of most of these mes- saging systems thwarts their security measures, leading to issues such as the possibility for communication without proper sender authentication. The main contribution of our paper is an evaluation of the security of mobile messaging applications with the afore- mentioned properties and the possibilities of abuse in real- world scenarios. Additionally, we draw attention to a num- ber of suitable security mechanisms to prevent the misuse of these systems. The rest of the paper is organized as follows: Section 2 gives an overview of related work. Section 3 out-Section 2 gives an overview of related work....
View Full Document