Assessing vulnerability of mobile messaging apps to man-in-the-middle (MitM) attack
Author: Rishabh Dudheria
Journal: International Journal of Computer Network and Information Security @ijcnis
Issue: vol. 10, no. 7, 2018
Open access
Mobile apps are gaining in popularity and are becoming an indispensable part of our digital lives. Several kinds of mobile apps (messaging apps among them) hold personal and private information about their users, so the compromise of an account tied to such an app can have disastrous consequences for the end user. Recently, the Password Reset Man-in-the-Middle (PRMitM) attack was proposed at the application level: an attacker takes over a user's web account while the user is trying to access or download resources from the attacker's website. In this work, we adapt this attack to the context of mobile messaging apps. Specifically, we analyze 20 popular mobile messaging apps for vulnerability to MitM attack, 10 of which support secure communication through end-to-end encryption. Based on our holistic analysis, we identify 10 of the tested apps as vulnerable to MitM attack and elaborate on the corresponding attack scenarios. Comparing the secure (end-to-end encrypted) messaging apps with the non-secure ones, we find that an app's features and design choices, not whether it provides end-to-end encryption, decide whether it is susceptible to MitM attack. Finally, we propose design improvements to increase the overall security of mobile messaging apps against MitM attack.
Keywords: Security, MitM attack, Mobile apps, Phone number verification, Password reset, Privacy
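The abstract describes the attack only in outline: the user is lured to the attacker's website, and the attacker uses that interaction to claim an account that is bound to the user's phone number. The following model, written for this page and not taken from the paper, plays out one such exchange end to end: the attacker's page asks for the victim's phone number, triggers the real messaging service's SMS verification for that number, and relays the code the victim types back. The service name (SecureChat), the lure site (FreeDownloads), the phone number, the SMS texts and the two user behaviours are all constructed assumptions. The `end_to_end` flag is deliberately unused by the takeover path, which is the abstract's point that end-to-end encryption of message content does not decide who gets to register the account.

```python
"""Model of a PRMitM-style code relay against a messaging account that is
bound to a phone number and (re)claimed with an SMS verification code.
Added illustration: names, message texts and victim behaviour are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class PhoneInbox:
    """The victim's SMS inbox (constructed)."""
    messages: list = field(default_factory=list)


class MessagingService:
    """Minimal model of a phone-number-verified messaging backend.

    `end_to_end` is recorded but never consulted: encryption of message
    content plays no part in who is allowed to claim the account.
    """

    def __init__(self, name, contextual_sms=False, end_to_end=False):
        self.name = name
        self.contextual_sms = contextual_sms
        self.end_to_end = end_to_end
        self.pending = {}   # phone -> outstanding verification code
        self.accounts = {}  # phone -> device currently holding the account

    def request_code(self, phone, inbox):
        """Start (re)registration of `phone` by sending a 6-digit SMS code."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = code
        if self.contextual_sms:
            # Names the sender and the purpose so the user can tell it apart
            # from whatever the attacker's page claims to be sending.
            text = (f"{self.name}: {code} is your {self.name} verification code. "
                    f"Do not share it; {self.name} never asks for it on other sites.")
        else:
            text = f"Your verification code is {code}"  # no sender, no purpose
        inbox.messages.append(text)

    def verify(self, phone, code, device):
        """Bind the account to `device` if `code` matches the pending code."""
        expected = self.pending.pop(phone, None)
        if expected is None or code is None:
            return False
        if not hmac.compare_digest(expected, code):
            return False
        self.accounts[phone] = device
        return True


class Victim:
    """A user lured to the attacker's site. A cautious user only types a code
    into a site whose name appears in the SMS that delivered the code."""

    def __init__(self, cautious=False):
        self.cautious = cautious

    def relay_code(self, sms, site_name):
        if self.cautious and site_name not in sms:
            return None  # refuses: the SMS does not mention the asking site
        return "".join(ch for ch in sms if ch.isdigit())[:6]


class AttackerSite:
    """Attacker's page that asks for a phone number 'to send a download code',
    then triggers the real app's verification for that number (constructed)."""

    def __init__(self, name, target):
        self.name = name
        self.target = target

    def lure(self, victim, victim_phone, inbox):
        # 1. Victim enters their phone number on the attacker's page.
        # 2. Attacker, posing as the victim, asks the real service to verify it.
        self.target.request_code(victim_phone, inbox)
        # 3. Victim reads the SMS and types the code into the attacker's page.
        code = victim.relay_code(inbox.messages[-1], self.name)
        # 4. Attacker submits the relayed code from their own device.
        return self.target.verify(victim_phone, code, device="attacker-device")


def run_attack(contextual_sms, cautious, end_to_end=True):
    """Return (takeover_succeeded, device_now_holding_the_account)."""
    phone = "+15550100"  # constructed, non-routable number
    service = MessagingService("SecureChat", contextual_sms, end_to_end)
    service.accounts[phone] = "victim-device"
    inbox = PhoneInbox()
    site = AttackerSite("FreeDownloads", service)
    ok = site.lure(Victim(cautious), phone, inbox)
    return ok, service.accounts[phone]


if __name__ == "__main__":
    for ctx, caut in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"contextual_sms={ctx!s:5} cautious={caut!s:5} ->", run_attack(ctx, caut))
```

Running the four combinations shows the two sides of the design question the abstract raises. With a bare SMS ("Your verification code is ...") the victim has nothing to check against, so the relay succeeds whenever they type the code in. A contextual SMS that names the service and its purpose gives a cautious user the information needed to refuse, but it does not protect a user who types the digits in without reading, so the message design is a necessary but not sufficient mitigation.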
Short URL: https://sciup.org/15015615
IDR: 15015615 | DOI: 10.5815/ijcnis.2018.07.03