Security and privacy of smartphone messaging applications

Purpose – This paper aims to give an overview of a number of selected applications in comparison to a previous evaluation conducted two years ago, and to analyse several new applications. Mobile messaging and VoIP applications for smartphones have seen a massive surge in popularity, which has also sparked interest in research related to their security and privacy protection, leading to in-depth analyses of specific applications or vulnerabilities.

Design/methodology/approach – The evaluation methods mostly focus on known vulnerabilities in connection with authentication and validation mechanisms but also describe some newly identified attack vectors.

Findings – The results show a positive trend for new applications, which are mostly being developed with security and privacy features, whereas some of the older applications have shown little progress or have even introduced new vulnerabilities. In addition, this paper shows privacy implications of smartphone messaging that are not ...
