What's new with WhatsApp & Co.? Revisiting the Security of Smartphone Messaging Applications

In recent years, mobile messaging and VoIP applications for smartphones have seen a massive surge in popularity, which has also sparked interest in research on the security of these applications. Various security researchers and institutions have performed in-depth analyses of specific applications or vulnerabilities. This paper gives an overview of the status quo in terms of security for a number of selected applications in comparison to a previous evaluation conducted two years ago, and also analyzes some new applications. The evaluation methods mostly focus on known vulnerabilities in connection with authentication and validation mechanisms but also describe some newly identified attack vectors. The results show a predominantly positive trend for new applications, which are mostly being developed with robust security and privacy features, while some of the older applications have shown little to no progress in this regard or have even introduced new vulnerabilities in recent versions.
