Mobile Security Evangelos Markatos FORTH-ICS and University of Crete

1 Mobile Security Evangelos Markatos FORTH-ICS and University of Crete
Full Professor, head of DCS
Institute of Computer Science (ICS)
Foundation for Research and Technology – Hellas (FORTH)
Ack: This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No and from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement No

2 Roadmap Overall area The problem Methodology Results Summary

3 Roadmap Overall area The problem Methodology Results Summary

4 Let us start with a question: Are smartphones secure?
Smartphones seem to be secure!
- Apps are downloaded from Google Store or Apple Store and thus are probably safe
- Apps do not have malware: someone checked them before they were published
- Smartphones are a “closed” environment, which leaves little room for attackers
So: smartphones do not seem to have malware and thus they seem to be secure

5 The issue with smartphones
Smartphone security is different from traditional desktop/laptop security
- On desktops, attackers are interested in the device itself: desktops/laptops are compromised to be used as bots (in botnets)
- On smartphones, “attackers” are interested not so much in the device as in data: tracking information, personal information, user preferences

6 How do attackers get data from smartphones?
- Choice 1: compromise the smartphone. It may be difficult, and it may be illegal
- Choice 2: use apps! Create a popular app, convince people to install it, collect data through the app
- Choice 3: use cookies! Third-party cookies, tracking cookies
In this line of research we focus on choices “2” and “3”

7 Roadmap Overall area The problem Methodology Results Summary

8 Overall Problem
As people use their smartphones to browse the web or execute apps, what kind of information is collected about them?
- We do not assume compromised devices, just regular devices
- Using regular web browsers
- Using ordinary apps

9 Relevant Publications
- P. Papadopoulos, N. Kourtellis, E. P. Markatos: Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid to Ask. WWW 2019
- P. Papadopoulos, N. Kourtellis, E. P. Markatos: The Cost of Digital Advertisement: Comparing User and Advertiser Views. WWW 2018
- E. P. Papadopoulos, M. Diamantaris, P. Papadopoulos, T. Petsas, S. Ioannidis, E. P. Markatos: The Long-Standing Privacy Debate: Mobile Websites vs Mobile Apps. WWW, Best Paper Honorable Mention

10 Problem Definition
Suppose that you would like to access a service such as facebook. There are two options to do it:
- A: use the facebook app
- B: use a browser and go to
Question: What information do the two options leak? Which option leaks the most?

11 Which is the entity that leaks the information?
Third-party trackers collect users’ data to provide personalized advertisement
- Web sites have cookies!
- Mobile apps have third-party libraries! For ads, analytics, etc.

12 Third-party Libraries
Third-party libraries inherit all the app’s permissions:
- If the app can access the camera, so does the third-party library
- The same holds if the app can access the user’s contacts
- The same holds if the app can access the SIM card

13 What kinds of data can be leaked?
An online service may leak:
- Personal data, e.g. birthdate, gender, age, etc.
- Device-specific data, e.g. identifiers: the Android identifier, the SIM card identifier, the apps installed in the smartphone, etc.

14 Methodology: How did we measure it?
- Went to Alexa (which ranks web sites) and collected the top 300 services
- Chose those that had an app (116 services)
- For each of the 116 services, we accessed them through the app and through the web browser, and found what information they leak

15 Roadmap Overall area The problem Methodology Results Summary

16 Our Dataset

17 Roadmap Overall area The problem Methodology Results Summary

18 First experiment: Are there third-party libraries in apps?
- 56.67% of apps contain at least one analytics- or ad-related library
- 9 in-app libraries!

19 Second experiment: What do they leak?
- Device: Nexus 6 running Android 6.0.1
- Capture traffic: Raspberry Pi, mitmproxy (SSL-capable monitoring proxy)
- Run each service for 20 mins: through the web (Firefox browser) and through the app
- Filter possible leaked identifiers using pattern matching

20 Privacy Leaks: What we found
- 58% of the apps leak the Android ID: an identifier not accessible by websites, unique for each device, which allows for tracking (even between different apps!)
- 9.5% of the apps leak at least one SIM card ID
- 3.5% of the apps leak the list of installed apps, which can be used to find the user’s interests
- 4.3% of the apps leak nearby access points
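As an added illustration of the "pattern matching" step in the methodology above (example code written for this page, not the paper's own tooling), the following scans captured requests for a device's Android ID, SIM identifier and installed package names in plaintext, hashed and base64 forms, and attributes each leak to the destination host. The device identifiers, tracker hostnames and captured requests are constructed placeholders.

```python
import base64
import hashlib
from urllib.parse import unquote, urlparse

# Constructed identifiers of a test device (not real values) and its installed packages.
DEVICE_IDS = {"android_id": "9774d56d682e549c", "imsi": "310260123456789"}
INSTALLED_APPS = ["com.example.bank", "com.example.dating"]

def encodings(value: str) -> dict:
    """Forms a tracker may transmit an identifier in: plaintext, common hashes, base64."""
    raw = value.encode()
    return {
        "plain": value,
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "base64": base64.b64encode(raw).decode().rstrip("="),
    }

def find_leaks(request: dict) -> list:
    """Return (identifier, encoding) pairs found in one captured request's URL or body."""
    haystack = unquote(request["url"] + "\n" + request.get("body", "")).lower()
    hits = []
    for name, value in DEVICE_IDS.items():
        for enc, needle in encodings(value).items():
            if needle.lower() in haystack:  # case-insensitive: hex digests are often upper-cased
                hits.append((name, enc))
    for pkg in INSTALLED_APPS:
        if pkg in haystack:
            hits.append(("installed_app:" + pkg, "plain"))
    return hits

def leak_report(requests) -> dict:
    """Map each leaked identifier to the (destination host, encoding) pairs that carried it."""
    report = {}
    for req in requests:
        host = urlparse(req["url"]).hostname
        for name, enc in find_leaks(req):
            report.setdefault(name, set()).add((host, enc))
    return report

# Constructed captures standing in for mitmproxy output: a plaintext Android ID plus the
# package list in a query string, an MD5-hashed IMSI in a JSON body, and a benign asset fetch.
SAMPLE_REQUESTS = [
    {"url": "https://ads.example-tracker.net/v1/collect?aid=9774d56d682e549c"
            "&pkgs=com.example.bank%2Ccom.example.dating"},
    {"url": "https://analytics.example-tracker.com/event",
     "body": '{"h": "%s"}' % hashlib.md5(b"310260123456789").hexdigest()},
    {"url": "https://cdn.example-service.com/logo.png"},
]
```

Searching for hashed and encoded forms matters because a tracker that hashes the Android ID still obtains a stable cross-app identifier, so a plaintext-only filter undercounts the leaks.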

21

22 Roadmap Overall area The problem Methodology Results Summary

23 In Summary...
Question: What kinds of information do smartphones leak? Do apps or browsers leak more?
Results:
- Both apps and browsers leak information
- Apps leak significantly more (device identifiers, installed apps, nearby APs, etc.), allowing trackers to infer user interests, gender, even behavioral patterns

24 Mobile Security Evangelos Markatos FORTH-ICS and University of Crete
Full Professor, head of DCS
Institute of Computer Science (ICS)
Foundation for Research and Technology – Hellas (FORTH)
Ack: This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No and from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement No

25 Our approach: antiTrackDroid
Blocks outgoing requests to third parties. Core design principles:
- app-independent
- no additional infrastructure (VPN, proxy)
- leverages the Xposed framework: intercepts every outgoing request and checks the destination’s domain name against a blacklist of mobile trackers
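The blacklist check at the heart of the design above, as an added example (written for this page, not antiTrackDroid's own code): the decision an interception hook must make per outgoing request, with label-aligned domain matching so that subdomains of a listed tracker are blocked while look-alike hosts that merely contain the tracker's name as a substring are not. The blocklist entries and sample URLs are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed blocklist of tracker domains (placeholder names, not the paper's list).
TRACKER_BLOCKLIST = {"tracker.example-ads.net", "analytics.example-metrics.com"}

def is_tracker(hostname: str) -> bool:
    """Label-aligned match: block if the host or any parent domain is on the list."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in TRACKER_BLOCKLIST for i in range(len(labels)))

def naive_is_tracker(hostname: str) -> bool:
    """Substring check a first implementation might use; kept only to show its false positives."""
    return any(t in hostname.lower() for t in TRACKER_BLOCKLIST)

def filter_request(url: str) -> tuple:
    """Decision the hook makes for one outgoing request: ('blocked' | 'allowed', host)."""
    host = urlparse(url).hostname or ""
    return ("blocked" if is_tracker(host) else "allowed", host)

def apply_policy(urls) -> dict:
    """Apply the policy to a batch of requests from one app session and count the outcomes."""
    counts = {"blocked": 0, "allowed": 0}
    for url in urls:
        counts[filter_request(url)[0]] += 1
    return counts

# Constructed outgoing requests from a single app session.
SAMPLE_URLS = [
    "https://api.example-service.com/v2/feed",            # first party: allowed
    "https://tracker.example-ads.net/collect?aid=abc",    # listed tracker: blocked
    "https://cdn.tracker.example-ads.net/sdk.js",         # subdomain of a listed tracker: blocked
    "https://nottracker.example-ads.net/img.png",         # substring look-alike: allowed
    "https://tracker.example-ads.net.evil.example/x",     # listed name embedded in another domain: allowed
]
```

Because the hook runs inside every app's process, a false positive here breaks app functionality rather than just missing a tracker, which is why the match must be on whole labels and not on substrings.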

26 antiTrackDroid – Privacy Performance
- Ran the 30 top leaking apps with and without antiTrackDroid
- antiTrackDroid reduces the number of leaked identifiers by % on average
- Functionality across apps remains the same

27 antiTrackDroid – Latency Overhead
- Adds < 1 ms/request overhead to benign requests
- Reduces overall latency in the case of blocked requests

