investigating mobile messaging security
play

Investigating Mobile Messaging Security Elias Hazboun 27/4/2016 - PowerPoint PPT Presentation

Nov 25, 2023 •229 likes •519 views

Chair for Network Architectures and Services Technische Universit at M unchen Investigating Mobile Messaging Security Elias Hazboun 27/4/2016 Chair for Network Architectures and Services Department of Informatics Technische Universit

  1. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Investigating Mobile Messaging Security Elias Hazboun 27/4/2016 Chair for Network Architectures and Services Department of Informatics Technische Universit¨ at M¨ unchen E. Hazboun – Investigating Mobile Messaging Security 1

  2. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Motivation Introduction Research Question App Selection Background Approach Security background Related Work Analysis and Results TextSecure Threema WeChat WhatsApp Conclusion E. Hazboun – Investigating Mobile Messaging Security 2

  3. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Introduction ◮ Mobile messaging apps have become very popular. ◮ People are opting to communicate using the Internet instead of sending messages over regular cellular networks. ◮ Unlike Email and other communication protocols, most apps are closed systems. ◮ Hinders interoperability [1]. ◮ No transparency in handling users’ data. ◮ Users are still not well informed about the risks of non-secure digital communication [2]. E. Hazboun – Investigating Mobile Messaging Security 3

  4. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Research Question ◮ Investigate the security properties of a selection of today’s most popular mobile messaging apps in terms of: ◮ Encryption & Authentication. ◮ Standardized security protocol usage. E. Hazboun – Investigating Mobile Messaging Security 4

  5. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen App Selection ◮ Continuation of work done in this chair [3]. ◮ Security in relation to users’ geo-location. ◮ Selection was based on popularity, security measures, architecture and geographical server distribution. ◮ Tested apps were: ◮ WhatsApp ◮ Threema ◮ WeChat ◮ TextSecure E. Hazboun – Investigating Mobile Messaging Security 5

  6. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Approach ◮ Investigating: ◮ Official app documentation ◮ Past research efforts, from scientific community and hackers. ◮ Could be obsolete by newer updates. ◮ Network traffic analysis. ◮ Capture process done by the previous work using two communicating smartphones. ◮ 407 capture files per smartphone per app. ◮ Manual and automated script analysis. E. Hazboun – Investigating Mobile Messaging Security 6

  7. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Layers of Encryption E. Hazboun – Investigating Mobile Messaging Security 7

  8. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Security Concepts ◮ Perfect Forward Secrecy (PFS) ◮ Compromise of long-term keys used to negotiate session keys, does not compromise the secrecy of past session keys. ◮ Most commonly achieved using ephemeral Diffie-Hellman (DH) key exchange [4]. ◮ Important against an attacker model that can store arbitrary amount of traffic, like governments. ◮ Transprot Layer Protocol (TLS) ◮ De facto Standard protocol for security between client and server on the Internet. E. Hazboun – Investigating Mobile Messaging Security 8

  9. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Security Concepts ◮ Certificate Pinning ◮ Insertion of public key or certificate of the entity with which a software should communicate in the source code. ◮ Removes need to trusted third party certificate authorities. ◮ Asynchronous Messaging Security: ◮ Not all parties are guaranteed to be online at the same time to perform key exchange [5]. ◮ Creates a challenge. Protocols like OpenPGP are used but they lack PFS. ◮ Trusted third parties for key distribution can be used. E. Hazboun – Investigating Mobile Messaging Security 9

  10. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Related Work ◮ Interest has been growing in the past few years, especially in the public eye. ◮ Focus of research include: ◮ Authentication process when registering [6]. ◮ Receiving unsolicited messages. ◮ Phonebook enumeration. ◮ Local security (security of data on smartphone) [7] [8]. ◮ Network traffic based analysis [9] [10]. ◮ Results show a trend of negligence of security from developers, but gets better with app updates. E. Hazboun – Investigating Mobile Messaging Security 10

  11. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen TextSecure ◮ Developed by Open Whisper Systems in 2010. ◮ Only app out of four to be open Source. ◮ End-to-end encryption and hardened security in general as selling feature. ◮ Discontinued and replaced by Signal app and Signal protocol. ◮ Direct code inspection due to open source nature. ◮ Forsch et al [11] found some peculiarities such as unknown key-share attack. ◮ Developers acknowledged it. E. Hazboun – Investigating Mobile Messaging Security 11

  12. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Analysis and Results ◮ End-to-end encryption. ◮ Axolotl ratchet (DH ratchet and key derivation based ratchet). ◮ Guarantees PFS and backward secrecy. ◮ DH ratchet creates keys used for session keys, which are then used to seed key derivation based ratchets to create keys to encrypt messages [12]. ◮ Transport layer encryption. ◮ TLS with self-signed certificate pinning. (The same in all captures) [13]. ◮ Cipher was ECDHE RSA WITH AES 128 GCM SHA256. E. Hazboun – Investigating Mobile Messaging Security 12

  13. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Analysis and Results ◮ When an App registers it: ◮ Creates 100 prekeys (signed key exchange messages) [14]. ◮ Sends them to server. ◮ When a user wants to communicate with another: ◮ Sender asks for next valid prekey. ◮ Calculates a shared secret based on it and encrypts messages with it. ◮ AES is used for symmetric encryption. ◮ Two levels of symmetric encryption are used to protect the sender’s identity from Google Cloud Messaging server. E. Hazboun – Investigating Mobile Messaging Security 13

  14. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Threema ◮ Developed by Threema GmbH, Popular in German speaking countries. ◮ Promises end-to-end encryption and data hosting on swiss based servers. ◮ Partly open source, publishes white paper about security algorithms. ◮ Allowed an external security audit of the app. ◮ Jan Ahrens [15] provided an analysis on Threema protocol. ◮ Dimitrov, Laan and Pineda [16] analysis demonstrated with high probability that certificate pinning is present. E. Hazboun – Investigating Mobile Messaging Security 14

  15. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Analysis and Results ◮ Handshake process is similar to what is described in related work [15]. ◮ No standardized protocol use. ◮ Binary protocol implemented using NaCl Library. ◮ Directory service and media transfer protocol use HTTPS. Cipher suite was in all capture files: ECDHE RSA WITH AES 256 GCM SHA384. ◮ PFS only on transport layer, not end-to-end [17]. ◮ Random padding is used. ◮ Messages with same plaintext size are encrypted into differently sized ciphertexts. E. Hazboun – Investigating Mobile Messaging Security 15

  16. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Analysis and Results Threema End-to-End Encryption [17] E. Hazboun – Investigating Mobile Messaging Security 16

  17. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen WeChat ◮ Developed by Tenecent. ◮ One of the largest messaging apps by monthly active users (over 650 million) ◮ Feature rich app offering lots of additions. ◮ Closed source, but has public API for messaging through the service. ◮ Roberto Paleari [18] performed network traffic analysis. ◮ It uses a custom protocol similar to HTTPS E. Hazboun – Investigating Mobile Messaging Security 17

  18. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen Analysis and Results ◮ Even DNS queries are peformed over HTTP [3]. ◮ Uses AES for symmetric encryption. ◮ No indication for the existence of end-to-end encryption or PFS. ◮ Key derivation is suspected to be done using RSA [18]. ◮ Could not verify ourselves. ◮ Out of the 4 apps. WeChat is the more obscure and more secretive in terms of security mechanisms and protocols. E. Hazboun – Investigating Mobile Messaging Security 18

  19. Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen WhatsApp ◮ Developed by WhatsApp Inc. (bought by Facebook) ◮ Second most popular messaging app in the world (1 billion users) ◮ Closed source. ◮ Past research found lots of deficiencies [6] [19]. ◮ Started as plaintext. Upgraded to weak encryption [20] [21]. ◮ non-secure user registration process. ◮ Funcional clone projects exist [22] [23]. Almost complete replicas. E. Hazboun – Investigating Mobile Messaging Security 19

Recommend

Using Messaging Protocols to Build Mobile and Web Applications Jeff Mesnil Jeff Mesnil

Using Messaging Protocols to Build Mobile and Web Applications Jeff Mesnil Jeff Mesnil

Using Messaging Protocols to Build Mobile and Web Applications Jeff Mesnil Jeff Mesnil Software Engineer at Red Hat Core developer on WildFly Application Server, lead for its messaging component Developed messaging brokers (HornetQ,

965 views • 82 slides
A look into the Mobile Messaging Black Box Roland Schilling Frieder Steinmetz December 27, 2016

A look into the Mobile Messaging Black Box Roland Schilling Frieder Steinmetz December 27, 2016

A look into the Mobile Messaging Black Box Roland Schilling Frieder Steinmetz December 27, 2016 Hamburg University of Technology Security in Distributed Applications 33 rd Chaos Commmunication Congress #33c3 @NerdingByDoing @twillnix

1.45k views • 91 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS

Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS

Compliance Cautions INVESTIGATING SECURITY ISSUES ASSOCIATED WITH U.S. DIGITAL-SECURITY STANDARDS ROCK CK S STEVENS, KEVIN HALLIDAY, MICHELLE MAZUREK // UNIV IVERSIT ITY O OF M MARYLAND JOSIAH DYKSTRA, JAMES CHAPMAN, ALEX FARMER //

290 views • 27 slides
Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards

Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards

LASER Workshop 2020 Compliance Cautions Investigating Security Issues Associated with U.S. Digital-Security Standards Rock Stevens , Kevin Halliday, Michelle Mazurek / / University of Maryland Josiah Dykstra, James Chapman, Alexander F armer

345 views • 22 slides
Mobile Health in Two Populations: Addressing Chronic Disease Management Through Text Messaging

Mobile Health in Two Populations: Addressing Chronic Disease Management Through Text Messaging

Mobile Health in Two Populations: Addressing Chronic Disease Management Through Text Messaging Keith McInnes, ScD, MS BUSPH HLPM & VA Center for Health Outcomes and Implementation Research (CHOIR) 1 Value of text messaging in

480 views • 33 slides
What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University tl;dr The computers inside the computer Every chip has one or more CPUs inside; they have exploitable bugs

1.23k views • 87 slides
Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols

Mathy Vanhoef Public PhD Defense A Security Analysis of the WPA- TKIP and TLS Security Protocols Data handled by computers: Banking details Emails Messaging Adult websites Private files Mobile devices 2 Goal of dissertation Is the

758 views • 51 slides
Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction Statistics of Mobile Usage Current State of Mobile Security Recent Attacks Various Mobile Threats Security & Privacy

1.03k views • 57 slides
Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues. Mobile access is expected to become the main access method. Services and mobile commerce (mCommerce) are expected to become a major business.

818 views • 20 slides
Mobile messaging service framework for location-based communities T-106.5820 Seminar on

Mobile messaging service framework for location-based communities T-106.5820 Seminar on

Mobile messaging service framework for location-based communities T-106.5820 Seminar on Distributed Systems, Autumn 2008 Harri Hlikk Synopsis of the study Goals are to describe the concept and basic characteristics of the service on

481 views • 7 slides
CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 9a: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Announcement Course Evaluations Now online Will be available from Friday, Dec 7 Will also allow students to do

864 views • 50 slides
Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

CS 155 Spring 2018 Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories Physical, platform malware, malicious apps Defense

1.17k views • 93 slides
Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model

Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model

Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model Server/network is adversarial (but trusted identity registration needed) Windows of compromise when a party is under adversarial control (or readable

933 views • 14 slides
Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Spring 2018 CS 155 Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories n Physical, platform malware, malicious apps Defense against physical theft Thurs

1.28k views • 64 slides
Mobile Communications Mobile Communications Confidentiality Security No access to information

Mobile Communications Mobile Communications Confidentiality Security No access to information

Security Requirements Authorization Which objects are accessible by whom? Authentication Reliable identification of users identity . Mobile Communications Mobile Communications Confidentiality Security No access to information for

577 views • 11 slides
Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices Presented by Michael Harris [MS, CISSP, WAPT] Systems Security Analyst University of Missouri Overview What data needs to be protected, what

407 views • 18 slides
Investigating Country Differences in Mobile App User Behaviour and Challenges for Software

Investigating Country Differences in Mobile App User Behaviour and Challenges for Software

Investigating Country Differences in Mobile App User Behaviour and Challenges for Software Engineering Soo Ling Lim Analysis of app store data reveals what users do in the app store. We want to know why users do what they do. We want

626 views • 48 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11b: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g.

506 views • 34 slides
CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 9b: Mobile Security and Mobile Measurements Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g. 1234) or do

827 views • 54 slides
CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements

CS 528 Mobile and Ubiquitous Computing Lecture 10b: Mobile Security and Mobile Measurements Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords (e.g. 1234) or do

780 views • 54 slides
Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software

Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software

Mobile and Ubiquitous Computing on Smartphones Lecture 10b: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Authentication using Biometrics Biometrics Passwords tough to remember, manage Many users have simple passwords

520 views • 38 slides
CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Mobile Phones Networked device

302 views • 11 slides
Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami

Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami

Steroids For Your App Security Assessment Marco Grassi Mobile Security Researcher ~ whoami R&D Team Member @ viaForensics I work mainly on Android/iOS The Problem We want to trace the code in mobile applications that we

632 views • 48 slides

More recommend