Dangerous Wi-Fi access point: attacks to benign smartphone applications

Personalization by means of third-party applications is one of the greatest advantages of smartphones. For example, when a user looks for a path to a destination, he can easily download and install a navigation application from an official online market such as Google Play or the App Store. Such applications require access to the Internet, and most users prefer Wi-Fi networks, which are free to use, over mobile networks, which cost a fee. For this reason, when they have no access to a known free Wi-Fi network, most smartphone users choose to try unknown Wi-Fi access points (APs). However, this can be highly dangerous, because such unknown APs are sometimes installed by an adversary with malicious intentions such as stealing information or session hijacking. Today, smartphones contain all kinds of personal information about their users, including e-mail addresses, passwords, schedules, business documents, personal photographs, etc., making them an easy target for malicious users. If an adversary takes control of a smartphone, he obtains all of the user's information. For this reason, smartphone security has become very important today. In wireless environments, malicious users can easily eavesdrop on and intervene in the communication between an end user and Internet service providers, which makes such environments more vulnerable to man-in-the-middle attacks. In this paper, we try to reveal the risk of using unknown APs by presenting demonstration results. The testbed is composed of two smartphones, two APs, and one server. The compromised AP forwards messages from the victim smartphone to a fake server by using domain name system (DNS) spoofing. Thus, the application running on the victim smartphone sends its HTTP requests to the fake server. As a result, this application displays an abnormal pop-up advertisement, which contains malicious code and links. Our demonstration shows that merely connecting to a compromised AP can cause malicious behavior even when the applications themselves are benign.
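The DNS spoofing step described above can be checked for on the client side by comparing the answer the AP's resolver returns with an answer obtained out of band (for example, one previously cached or fetched over a pinned TLS channel). The following is an added example, not code from the paper or its testbed: it parses wire-format DNS responses offline and flags an AP answer whose A records share no address with the trusted set; `build_response` only constructs test input, and all hostnames and addresses are made up.

```python
# Added example (not from the paper): detect the rogue-AP DNS spoofing step.
import struct

def _read_name(msg, off):
    # Parse a DNS name, following compression pointers (RFC 1035 4.1.4);
    # returns (name, offset just past the name in the original stream).
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end or off

def a_records(msg):
    # Return the IPv4 addresses of all A records in a DNS response.
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, addrs = 12, []
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def dns_spoof_suspected(ap_response, trusted_addrs):
    # Suspicious when the AP's answer shares no address with the trusted set
    # (obtained out of band, e.g. over a pinned TLS channel or cached earlier).
    got = set(a_records(ap_response))
    return bool(got) and got.isdisjoint(trusted_addrs)

def build_response(name, addrs):
    # Constructed test input: a minimal DNS response with one question and
    # one A record per address, answer names compressed to the question name.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                       + bytes(int(x) for x in a.split(".")) for a in addrs)
    return header + qname + struct.pack("!HH", 1, 1) + answers
```

In practice the trusted set must come from a channel the AP cannot tamper with; a mismatch is a signal to refuse the connection or warn the user, not proof of an attack on its own.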
