EVALUATING SECURITY OF SMARTPHONE MESSAGING APPLICATIONS
Presented by Sudheer Akurathi
OUTLINE: Introduction; Related Work; Mobile Messaging Applications; Evaluation (Methodology, Experimental Setup); Conclusion; References.
INTRODUCTION: Several new smartphone messaging and VoIP services with a novel client authentication scheme have been introduced. These new-era communication applications aim to replace traditional text messaging (SMS) and request the user's telephone number. In all of these applications the user's phone number is used as the unique token that identifies an account.
EXAMPLES
RELATED WORK: A large number of protocols have been designed to provide secure client authentication, based on public key cryptography and the use of a PKI. Because of the relentless growth of mobile phones, these platforms have attracted the interest of the security community. The security features and properties of Android as well as iOS have been studied extensively.
MOBILE MESSAGING APPLICATIONS: They use the user's telephone number as the basis for identification. During the setup process, the software asks the user to enter the telephone number of the device.
CONTINUED: Wi-Fi tablets can be activated using the telephone number of another device. These applications use the telephone number only to identify users and do not attempt to communicate over the mobile network. All the applications discussed implement measures to keep users from impersonating others by entering a number they do not control.
EVALUATION: Methodology; Experimental Setup.
METHODOLOGY: Authentication Mechanism and Account Hijacking; Sender ID Spoofing and Message Manipulation; Unrequested SMS/Phone Calls; Enumeration; Modifying Status Messages.
EXPERIMENTAL SETUP: To read encrypted HTTPS traffic from and to the tested applications, we set up an SSL proxy that acted as a man-in-the-middle. (Figure: experimental setup for intercepting SSL.)
AUTHENTICATION MECHANISM AND ACCOUNT HIJACKING: The attacker's goal is to connect his own phone to the telephone number of the victim.
EXAMPLES: WhatsApp; Tango and Voypi; Easy Talk; Viber and Wow Talk; Hey Tell.
WHATSAPP: To prevent another person from using the victim's number, a confirmation SMS with a 4-digit PIN is sent. An attacker could abuse this process to hijack any WhatsApp account by intercepting the communication between the phone and the server and eavesdropping on the PIN, using the SSL proxy as intermediary.
TANGO & VOYPI: The applications request the user's telephone number. If the number is not yet registered with the service, no confirmation is performed. Only if the number is already known to the system is a confirmation process via SMS (as in WhatsApp) carried out. As long as a number is not registered with Tango or Voypi, an attacker can hijack it without SMS confirmation.
EASY TALK: Uses SMS for verification. After registration, the server sends a code via SMS. The code is entered into the app for confirmation. The server then answers with either "OK" or "ERROR". We can hijack an account by modifying this message from "ERROR" to "OK".
VIBER: The application requests the user's telephone number and sends an authentication request to the server. The server sends a code via SMS to the user's phone, or by a call from Viber. The code is entered in the app. The server simply trusts the client and performs no validation of its own.
WOW TALK: SMS-confirmed registration. The user enters a telephone number into the application. The server creates a random confirmation code and sends it via SMS.
HEY TELL: No confirmation required. During the setup process the user needs to choose his or her own cellphone number from the address book. The device is then connected to the chosen number without any check.
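Added example (not code from any of the applications in the talk): a minimal server-side model of SMS-based registration that closes the two weaknesses above, the skipped confirmation for unregistered numbers (Tango/Voypi) and the client-visible "OK"/"ERROR" reply that a man-in-the-middle can rewrite (Easy Talk). Class, method and key names are hypothetical; the SMS gateway is replaced by an in-memory list.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server key and code lifetime (assumptions, not from the talk).
SERVER_KEY = secrets.token_bytes(32)
CODE_TTL_SECONDS = 300


class RegistrationServer:
    def __init__(self):
        self.pending = {}   # phone -> (device_id, code, expiry)
        self.bound = {}     # phone -> device_id currently bound to that number
        self.sms_out = []   # constructed stand-in for the SMS gateway

    def request_registration(self, phone, device_id):
        # Always send a code, whether or not the number is already registered,
        # so an unregistered number cannot be claimed without proof of the SIM.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[phone] = (device_id, code, time.time() + CODE_TTL_SECONDS)
        self.sms_out.append((phone, code))  # only the SIM owning the number sees it
        return "CODE_SENT"

    def confirm(self, phone, device_id, code):
        entry = self.pending.get(phone)
        if entry is None:
            return None
        p_device, p_code, expiry = entry
        # The code must come from the same device that asked for it, in time.
        if time.time() > expiry or p_device != device_id:
            return None
        if not hmac.compare_digest(p_code, code):
            return None
        del self.pending[phone]
        self.bound[phone] = device_id
        # The outcome is a server-signed binding, not a bare "OK" string the
        # client is trusted to interpret; editing the reply gains nothing.
        return self._token(phone, device_id)

    def _token(self, phone, device_id):
        # Server-keyed MAC over the binding: clients cannot mint or alter it.
        msg = f"{phone}|{device_id}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def is_authorized(self, phone, device_id, token):
        # Every later request is checked against server state plus the MAC.
        if self.bound.get(phone) != device_id:
            return False
        return hmac.compare_digest(self._token(phone, device_id), token)
```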
SENDER ID SPOOFING:
Voypi: no validation is needed to send a message, hence the sender ID can be spoofed.
Forfone: IMSI and UDID are used for authentication, so spoofing is hard.
UNREQUESTED SMS/PHONE CALLS: SMS messages or even telephone calls are used during the telephone number verification process. A malicious user could enter another user's number in the setup procedure to generate annoying messages or telephone calls on the victim's phone without revealing his identity.
ENUMERATION. DEFINITION: Another security aspect is the applications' ability to automatically import the user's contacts and compare the numbers with the numbers already registered on the server. The server returns the subset of the user's contact list that is registered. A possible threat resulting from user account enumeration is the identification of active phone numbers. EXAMPLE: A large range of the numbers in the San Diego area code 619 was divided into chunks of 5000 numbers each and uploaded as a standard address book transfer, as performed by WhatsApp. The whole process completed in under 2.5 hours.
MODIFYING STATUS MESSAGES: We analyzed the protocol for setting the status message and explored possible vulnerabilities that could result in unauthorized modification of status messages. Privacy-related design error: the application not only reveals whether the owner of a given phone number has installed the messenger, but the status message of a user is also visible to anyone who has stored that user in their address book.
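Added example (not from the talk or any of the applications): server-side detection of the enumeration pattern just described, run over constructed log lines from a hypothetical address-book sync endpoint. A legitimate address book is small and scattered across area codes; a scan uploads large, densely consecutive blocks (5000 numbers at a time) in quick succession. Field names, thresholds and the sample records are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real traffic): timestamp, client, number of
# contacts uploaded, and the lowest and highest number in that upload.
SAMPLE_LOG = """\
2012-02-01T10:00:01 client=devA uploaded=143 min=+16195550102 max=+19175559921
2012-02-01T10:00:07 client=devB uploaded=5000 min=+16190000000 max=+16190004999
2012-02-01T10:00:19 client=devB uploaded=5000 min=+16190005000 max=+16190009999
2012-02-01T10:00:31 client=devB uploaded=5000 min=+16190010000 max=+16190014999
2012-02-01T10:01:02 client=devC uploaded=12 min=+16195550001 max=+16195559999
"""

LINE_RE = re.compile(r"^(\S+) client=(\S+) uploaded=(\d+) min=\+(\d+) max=\+(\d+)$")


def parse(log):
    # Returns (timestamp, client, count, low, high) tuples; malformed lines are skipped.
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, n, lo, hi = m.groups()
            records.append((ts, client, int(n), int(lo), int(hi)))
    return records


def density(n, lo, hi):
    # Fraction of the numeric span [lo, hi] covered by the upload: a real address
    # book is sparse, a block of consecutive numbers is close to 1.0.
    return n / (hi - lo + 1)


def flag_enumeration(log, max_contacts=2000, density_threshold=0.9, max_uploads=2):
    per_client = defaultdict(list)
    for rec in parse(log):
        per_client[rec[1]].append(rec)
    flagged = {}
    for client, recs in per_client.items():
        reasons = []
        if any(n > max_contacts for _, _, n, _, _ in recs):
            reasons.append("oversized upload")
        if any(density(n, lo, hi) >= density_threshold for _, _, n, lo, hi in recs):
            reasons.append("consecutive number block")
        if len(recs) > max_uploads:
            reasons.append("repeated uploads")
        if reasons:
            flagged[client] = reasons
    return flagged
```

The same three signals (upload size, numeric density, upload rate per client) are the natural inputs for rate limiting the sync endpoint, which is the mitigation rather than just the detection.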
TABULAR VIEW ON ATTACKS
CONCLUSION: Broken authentication mechanisms are vulnerable to account hijacking attacks. Most applications also suffer from account enumeration because of software design and implementation errors. This has a severe effect on the privacy of users.
THANK YOU