Mobile Security Evangelos Markatos FORTH-ICS and University of Crete


Mobile Security
Evangelos Markatos, FORTH-ICS and University of Crete
Full Professor, head of DCS, http://www.ics.forth.gr/dcs/
Institute of Computer Science (ICS), Foundation for Research and Technology – Hellas (FORTH)
Ack: This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 690972 and from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement No. 786669

Roadmap Overall area The problem Methodology Results Summary

Roadmap Overall area The problem Methodology Results Summary

Let us start with a question: Are smartphones secure?
Smartphones seem to be secure!
  Apps are downloaded from Google Store or Apple Store and thus are probably safe
  Apps do not have malware: someone checked them before they are published
  Smartphones are a “closed” environment, which leaves little room for attackers
So: Smartphones do not seem to have malware and thus they seem to be secure

The issue with smartphones
Smartphone security is different from traditional desktop/laptop security
  In desktops attackers are interested in the device!
    Desktops/laptops (devices) are being compromised to be used as bots (in botnets)
  In smartphones “attackers” are interested not so much in the device as in data:
    Tracking information
    Personal information
    User preferences

How do attackers get data from smartphones?
Choice 1: they may compromise a smartphone
  It may be difficult
  It may be illegal
Choice 2: use apps!
  Create a popular app
  Convince people to install it
  Collect data through the app
Choice 3: use cookies!
  Third-party cookies, tracking cookies
In this line of research we focus on choices “2” and “3”

Roadmap Overall area The problem Methodology Results Summary

Overall Problem
As people use their smartphones to browse the web or execute apps, what kind of information is collected about them?
We do not assume compromised devices:
  Just regular devices
  Using regular web browsers
  Using ordinary apps

Relevant Publications
P. Papadopoulos, N. Kourtellis, E. P. Markatos: Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid to Ask. WWW 2019.
P. Papadopoulos, N. Kourtellis, E. P. Markatos: The Cost of Digital Advertisement: Comparing User and Advertiser Views. WWW 2018.
E. P. Papadopoulos, M. Diamantaris, P. Papadopoulos, T. Petsas, S. Ioannidis, E. P. Markatos: The Long-Standing Privacy Debate: Mobile Websites vs Mobile Apps. WWW 2017. Best Paper Honorable Mention.

Problem Definition
Suppose that you would like to access a service such as facebook. There are two options to do it:
  A: use the facebook app
  B: use a browser and go to www.facebook.com
Question: What information do the two options leak? Which option leaks the most?

Which is the entity that leaks the information?
Third party trackers: they collect users’ data to provide personalized advertisement
  Web sites have cookies!
  Mobile apps have third party libraries! (for ads, analytics, etc.)

Third-party Libraries
Third-party libraries inherit all the app’s permissions:
  If the app can access the camera, so does the third party library
  If the app can access the user’s contacts, so does the third party library
  If the app can access the SIM card, so does the third party library

What kinds of data can be leaked?
An online service may leak:
  Personal data, e.g. birthdate, email, gender, age, etc.
  Device-specific data, e.g. identifiers:
    The Android identifier
    The SIM card identifier
    The apps installed in the smartphone, etc.

Methodology: How did we measure it?
Went to Alexa (ranks web sites)
Collected the top 300 services
Chose those that had an app (116 services)
For each of the 116 services:
  We accessed them through the app
  And through the web browser
  And found what information they leak

Roadmap Overall area The problem Methodology Results Summary

Our Dataset

Roadmap Overall area The problem Methodology Results Summary

First experiment: Are there third party libraries in apps?
56.67% of apps contain at least one analytics- or ad-related library
9 in-app libraries!

Second experiment: What do they leak?
Device: Nexus 6 running Android 6.0.1
Capture traffic: Raspberry Pi running mitmproxy (an SSL-capable monitoring proxy)
Run each service for 20 mins:
  through the web (Firefox browser)
  through the app
Filter possible leaked identifiers using pattern matching
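The last step of the method, pattern-matching captured requests for identifier-shaped strings, as an added example (not the authors' code). It assumes the proxy log has been reduced to one text line per request and uses constructed device identifiers and constructed sample requests; a generic pattern hit is only a candidate, while an exact match on the known test-device value is the confirming signal.

```python
import re
from typing import Dict, List, Set, Tuple

# Shapes of the identifier types the study reports leaking. A generic hit
# is a candidate for review, not proof of a leak.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "android_id": re.compile(r"(?<![0-9a-f])[0-9a-f]{16}(?![0-9a-f])"),
    "sim_iccid": re.compile(r"(?<!\d)89\d{17,18}(?!\d)"),        # ICCID: 19-20 digits, prefix 89
    "ap_bssid": re.compile(r"(?<![0-9a-fA-F:])(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}(?![0-9a-fA-F:])"),
    "package": re.compile(r"(?<![\w.])(?:com|org|net)(?:\.[a-z][a-z0-9_]*){2,}(?![\w.])"),
}

# Constructed identifiers of a hypothetical test device (not real values).
DEVICE_IDS: Dict[str, str] = {
    "android_id": "0123456789abcdef",
    "sim_iccid": "893" + "0" * 16,
}

def scan_request(text: str) -> Dict[str, Set[str]]:
    """Return {identifier_type: set(values)} for generic pattern hits in one request."""
    found: Dict[str, Set[str]] = {}
    for kind, pat in PATTERNS.items():
        hits = {m.group(0) for m in pat.finditer(text)}
        if hits:
            found[kind] = hits
    return found

def confirmed_leaks(text: str) -> Set[str]:
    """Identifier types whose known device value appears verbatim (case-insensitive)."""
    lowered = text.lower()
    return {kind for kind, value in DEVICE_IDS.items() if value.lower() in lowered}

def leaks_per_app(log: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Aggregate identifier types seen per app across the whole capture."""
    summary: Dict[str, Set[str]] = {}
    for app, request in log:
        summary.setdefault(app, set()).update(scan_request(request))
    return summary

# Constructed sample requests in the one-line-per-request form assumed above.
SAMPLE_LOG: List[Tuple[str, str]] = [
    ("news.app", "POST https://ads.example-tracker.net/collect "
                 f"aid={DEVICE_IDS['android_id']}&iccid={DEVICE_IDS['sim_iccid']}"),
    ("news.app", "GET https://analytics.example.com/apps?installed=com.example.bank,com.example.dating"),
    ("shop.app", "GET https://ads.example-tracker.net/wifi?bssid=aa:bb:cc:11:22:33"),
    ("shop.app", "GET https://shop.example.com/api/items?page=2"),
]
```

The `package` pattern deliberately ignores hostnames (a leading dot blocks the match), so an app-list parameter is flagged while `analytics.example.com` in the URL is not.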

Privacy Leaks: What we found
58% of the apps leak the Android ID identifier
  not accessible by websites
  unique for each device
  allows for tracking (even between different apps!)
9.5% of the apps leak at least one SIM card ID
3.5% of the apps leak the list of installed apps
  can be used to find the user’s interests
4.3% of the apps leak nearby access points

Roadmap Overall area The problem Methodology Results Summary

In Summary...
Question: What kinds of information do smartphones leak? Do apps or browsers leak more?
Results: Both apps and browsers leak information. Apps leak significantly more (device identifiers, installed apps, nearby APs, etc.), allowing trackers to infer user interests, gender, even behavioral patterns


Our approach: antiTrackDroid
Blocks outgoing requests to third parties
Core design principles:
  app-independent
  no additional infrastructure (VPN, proxy)
By leveraging the Xposed framework: it intercepts every outgoing request and checks the destination’s domain name against a blacklist of mobile trackers
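The domain check at the core of the design described above, as an added example (not antiTrackDroid's code, which runs inside the Xposed hook in Java). It assumes a constructed blacklist of placeholder tracker domains and shows the part that is easy to get wrong: matching on label boundaries so that subdomains of a listed domain are caught while look-alike hosts are not.

```python
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed blacklist with placeholder names; a real deployment would load
# a maintained mobile-tracker list here.
TRACKER_BLACKLIST: Set[str] = {"example-tracker.net", "analytics.example.org"}

def is_tracker(host: str, blacklist: Set[str]) -> bool:
    """True if the host or any parent domain (on label boundaries) is blacklisted.

    ads.example-tracker.net -> blocked (parent domain listed)
    notexample-tracker.net  -> allowed (substring, not a parent domain)
    example-tracker.net.evil.test -> allowed (listed name is not a suffix)
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))

def should_block(url: str, blacklist: Set[str] = TRACKER_BLACKLIST) -> bool:
    """Decide for one outgoing request URL; hostname parsing drops port and case."""
    host = urlsplit(url).hostname
    return bool(host) and is_tracker(host, blacklist)

def filter_requests(urls: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a sequence of request URLs into (allowed, blocked)."""
    allowed: List[str] = []
    blocked: List[str] = []
    for url in urls:
        (blocked if should_block(url) else allowed).append(url)
    return allowed, blocked
```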

antiTrackDroid – Privacy Performance
Run the 30 top leaking apps with and without antiTrackDroid
antiTrackDroid reduces the number of leaked identifiers by 27.41% on average
Functionality across apps remains the same

antiTrackDroid – Latency Overhead < 1ms
antiTrackDroid adds overhead in benign requests: < 1ms/request
Reduces overall latency in case of blocked requests