Top

Published in:

2018 | OriginalPaper | Chapter

Sensitive Data in Smartphone Applications: Where Does It Go? Can It Be Intercepted?

Authors : Eirini Anthi, George Theodorakopoulos

Published in: Security and Privacy in Communication Networks

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

We explore the ecosystem of smartphone applications with respect to their privacy practices towards sensitive user data. In particular, we examine 96 free mobile applications across 10 categories, in both the Apple App Store and Google Play Store, to investigate how securely they transmit and handle user data. For each application, we perform wireless packet sniffing and a series of man-in-the-middle (MITM) attacks to capture personal identifying information, such as usernames, passwords, etc. During the wireless packet sniffing, we monitor the traffic from the device when a specific application is in use to examine if any sensitive data is transmitted unencrypted. At the same time, we reveal and assess the list of ciphers that each application uses to establish a secure connection. During the MITM attacks, we use a variety of methods to try to decrypt the transmitted information.

The results show that although all tested applications establish a secure TLS connection with the server, 85% of them support weak ciphers. Additionally, 60% of iOS and 25% of Android applications transmit unencrypted user data over the Wi-Fi network. By performing a MITM attack we capture the username, password, and email in various apps, e.g. Instagram, Blackboard, Ebay, and Spotify. We manage to bypass certificate pinning in 75% of the iOS applications, including Facebook. Finally, we observe that data is being forwarded to third party domains (mostly to domains that belong to Google and Apple).

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter A Framework for Acquiring and Analyzing Traces from Cryptographic Devices

next chapter Fault-Tolerant and Scalable Key Management Protocol for IoT-Based Collaborative Groups

The supplemental material has been placed in our institutional repository due to space constraints. It can be accessed at this link: http://orca.cf.ac.uk/id/eprint/101448.

This procedure involves privately notifying affected software vendors of vulnerabilities. The vendors then typically address the vulnerability at some later date, and the researcher reveals full details publicly at or after this time [18].

RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2. https://tools.ietf.org/html/rfc5246. Accessed 05 Jan 2017

Diquet, A.: iOS SSL Kill Switch (2016). https://github.com/iSECPartners/ios-ssl-kill-switch. Accessed 20 Apr 2017

AlFardan, N.: On the Security of RC4 in TLS. http://www.isg.rhul.ac.uk/tls/. Accessed 25 Apr 2017

Appanalysis. Realtime Privacy Monitoring on Smartphones (2016). http://www.appanalysis.org/index.html/. Accessed 9 Apr 2017

Apple. Ad for Developers. Apple Developer. https://developer.apple.com/iad/. Accessed 03 May 2017

Ball, T.: The concept of dynamic analysis. In: Nierstrasz, O., Lemoine, M. (eds.) ESEC/SIGSOFT FSE -1999. LNCS, vol. 1687, pp. 216–234. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48166-4_14CrossRef

Blanchou, M.: iSECPartners/Android-SSL-TrustKiller. Bypass SSL certificate pinning for most applications. https://github.com/iSECPartners/Android-SSL-TrustKiller. Accessed 03 May 2017

Boneh, D., Inguva, S., Baker, I.: SSL, MITM Proxy (2007). http://crypto.stanford.edu/ssl-mitm

Boyles, J.L., Smith, A., Madden, M.: Privacy and data management on mobile devices. Pew Internet Am. Life Project 4 (2012)

10.

Carnegie Mellon University. Knowledge of Location Sharing by Apps Prompts Privacy Action (2015). https://www.sciencedaily.com/releases/2015/03/150323132846.html. Accessed 4 Apr 2017

11.

Cohen, A.: The iPhone Jailbreak: A Win Against Copyright Creep. Time.com (2010)

12.

Elenkov, N.: Certificate Pinning in Android 4.2 (2012)

13.

ENISA. Top Ten Smartphone Risks (2016). https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-applications/smartphone-security-1/top-ten-risks. Accessed 4 Apr 2017

14.

MIT Laboratory for Computer Science and RSA Data Security. RFC 1321 - The MD5 Message-Digest Algorithm. https://tools.ietf.org/html/rfc1321. Accessed 25 Apr 2017

15.

Fox, M.A., King, P.F., Ramasubramani, S.: Method and apparatus for maintaining security in a push server. US Patent 6,421,781, 16 July 2002

16.

FTC. Federal Trade Commission (2016). https://www.ftc.gov/search/site/fitness~app. Accessed 9 Apr 2017

17.

Google. Monetize and Promote with Google Ads.Google Developers. https://developers.google.com/ads/?hl=en. Accessed 03 May 2017

18.

Google. Rebooting Responsible Disclosure: A Focus on Protecting End Users. https://security.googleblog.com/2010/07/rebooting-responsible-disclosure-focus.html. Accessed 30 Apr 2017

19.

Internet Engineering Task Force (IETF). RFC 7465 - Prohibiting RC4 Cipher Suites. https://tools.ietf.org/html/rfc7465#section-1. Accessed 25 Apr 2017

20.

Zang, J., Dummit, K., Graves, J., Lisker, P., Sweeney, L.: Who knows what about me? A survey of behind the scenes personal data sharing to third parties by mobile apps (2015). http://techscience.org/a/2015103001/. Accessed 14 Feb 2017

21.

Mense, A., Steger, S., Sulek, M., Jukic-Sunaric, D., Mészáros, A.: Analyzing privacy risks of mhealth applications. Stud. Health Technol. Inform. 221, 41 (2016)

22.

Cooney, M.: 10 Common Mobile Security Problems to Attack (2012). http://www.pcworld.com/article/2010278/10-common-mobile-security-problems-to-attack.html. Accessed 4 Apr 2017

23.

mitmproxy. About certificates (2016). Accessed 20 Apr 2017

24.

mitmproxy. How mitmproxy works (2016). Accessed 20 Apr 2017

25.

Moeller, B., Langley, A.: RFC 7507: TLS fallback signaling cipher suite value (SCSV) for preventing protocol downgrade attacks (2015)

26.

Orebaugh, A., Ramirez, G., Beale, J.: Wireshark & Ethereal Network Protocol Analyzer Toolkit. Syngress, Rockland (2006)

27.

OWASP. Man-in-the-Middle Attack (2016). https://www.owasp.org/index.php/Man-in-the-middle_attack/. Accessed 18 Apr 2017

28.

OWASP. O-Saft (2016). https://www.owasp.org/index.php/O-Saft/. Accessed 20 Apr 2017

29.

OWASP. Transport Layer Protection Cheat Sheet (2016). https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet. Accessed 18 Apr 2017

30.

Pangu. Pangu Jailbreak (2016). http://en.pangu.io. Accessed 20 Apr 2017

31.

Paul, S., Preneel, B.: On the (in)security of stream ciphers based on arrays and modular addition. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 69–83. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_5CrossRef

32.

Raoa, A., Kakhkib, A.M., Razaghpanahe, A., Tangc, A., Wangd, S., Sherryc, J., Gille, P., Krishnamurthyd, A., Legouta, A., Misloveb, A., et al.: Using the middle to meddle with mobile. Technical report, Northeastern University (2013)

33.

Rescorla, E.: SSL and TLS: Designing and Building Secure Systems, vol. 1. Addison-Wesley Reading, Boston (2001)

34.

Smith, A.: Us Smartphone Use in 2015. Pew Research Center, pp. 18–29 (2015). Accessed 1 Apr 2017

35.

Statista. The Hidden Dangers of Public WiFi (2016). http://www.privatewifi.com/wp-content/uploads/2015/01/PWF_whitepaper_v6.pdf/. Accessed 5 Apr 2017

36.

Statista. Number of Smartphone Users Worldwide from 2014 to 2019 (2016). http://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/. Accessed 1 Apr 2017

37.

Stuttard, D.: Burp Suite (2007)

38.

Thurm, S., Kane, Y.I.: Your apps are watching you. Wall Str. J. 17, 1 (2010)

39.

Chell, D., Erasmus, T., Colley, S., Whitehouse, O.: The Mobile Application Hacker’s Handbook, 1st edn. Wiley, Hoboken (2015)

40.

Varshney, U., Vetter, R.: Mobile commerce: framework, applications and networking support. Mob. Netw. Appl. 7(3), 185–198 (2002)CrossRef

41.

Victor, H.: Android’s Google play beats app store with over 1 million apps, now officially largest (2013). Accessed 16 Jan 2014

Title: Sensitive Data in Smartphone Applications: Where Does It Go? Can It Be Intercepted?
Authors: Eirini Anthi
George Theodorakopoulos
Publisher: Springer International Publishing
Book: Security and Privacy in Communication Networks
Print ISBN: 978-3-319-78815-9

Electronic ISBN: 978-3-319-78816-6

Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-319-78816-6_21

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner