Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications

In recent months, a new generation of mobile messaging and VoIP applications for smartphones has been introduced. These services offer free calls and text messages to other subscribers, providing an Internet-based alternative to the traditional communication channels managed by cellular network carriers (SMS, MMS and voice calls). While user numbers are estimated in the millions, very little attention has so far been paid to the security measures (or lack thereof) implemented by these providers. In this paper we analyze nine popular mobile messaging and VoIP applications and evaluate their security models with a focus on authentication mechanisms. We find that a majority of the examined applications use the user's phone number as the unique token that identifies an account, which further complicates the implementation of security barriers. Finally, experimental results show that major security flaws exist in most of the tested applications, allowing attackers to hijack accounts, spoof sender IDs or enumerate subscribers.
