Contributions to Proceedings:
S. Schrittwieser, P. Frühwirt, P. Kieseberg, M. Leithner, M. Mulazzani, M. Huber, E. Weippl:
"Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications";
in: "Proceedings of the Network and Distributed System Security Symposium, NDSS 2012",
issued by: The Internet Society;
The Internet Society,
In recent months a new generation of mobile messaging and VoIP applications for smartphones was introduced. These services offer free calls and text messages to other subscribers, providing an Internet-based alternative to the traditional communication methods managed by cellular network carriers such as SMS, MMS and voice calls. While user numbers are estimated in the millions, very little attention has so far been paid to the security measures (or lack thereof) implemented by these providers.
In this paper we analyze nine popular mobile messaging and VoIP applications and evaluate their security models with a focus on authentication mechanisms. We find that a majority of the examined applications use the user's phone number as a unique token to identify accounts, which further encumbers the implementation of security barriers. Finally, experimental results show that major security flaws exist in most of the tested applications, allowing attackers to hijack accounts, spoof sender-IDs or enumerate subscribers.
mobile security, smartphones, messenger, SSL interception
Created from the Publication Database of the Vienna University of Technology.