Guess Who’s Texting You?
Evaluating the Security of Smartphone Messaging Applications
Sebastian Schrittwieser, Peter Frühwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, Edgar Weippl
SBA Research gGmbH
In recent months a new generation of mobile messaging and VoIP applications for smartphones was introduced. These services offer free calls and text messages to other subscribers, providing an Internet-based alternative to the traditional communication methods managed by cellular network carriers such as SMS, MMS and voice calls. While user numbers are estimated in the millions, very little attention has so far been paid to the security measures (or lack thereof) implemented by these providers.
In this paper we analyze nine popular mobile messaging and VoIP applications and evaluate their security models with a focus on authentication mechanisms. We find that a majority of the examined applications use the user’s phone number as a unique token to identify accounts, which further encumbers the implementation of security barriers. Finally, experimental results show that major security flaws exist in most of the tested applications, allowing attackers to hijack accounts, spoof sender-IDs or enumerate subscribers.
In the past few months, several new smartphone messaging and VoIP services with a novel user authentication concept were introduced. These new-generation communication applications aim at replacing traditional text messaging (SMS) and only require the user’s phone number for registration. Contrary to well-known instant messaging services, no additional authentication mechanisms other than the phone number are used by these applications. In this paper we focus on the security of applications that are using this novel authentication concept. Due to this limitation, services such as Skype, Facebook Chat and Google Chat were regarded as out of scope. Note that these services have been the subject of an ample amount of past research.
The common advantages of the tools we examined lie in very simple and fast setup routines combined with the possibility to incorporate existing on-device address books. Additionally these services offer communication free of charge and thus pose a low entry barrier to potential customers. However, we find that the very design of most of these messaging systems thwarts their security measures, leading to issues such as the possibility for communication without proper sender authentication.
The main contribution of our paper is an evaluation of the security of mobile messaging applications with the aforementioned properties and the possibilities of abuse in real-world scenarios. Additionally, we draw attention to a number of suitable security mechanisms to prevent the misuse of these systems. The rest of the paper is organized as follows: Section 2 gives an overview of related work. Section 3 outlines the basic functionalities of the examined communications services, while Section 4 introduces our threat assessment for these applications. Section 5 documents our findings and explains how the flaws we identified might pose threats to users. We conclude in Section 6 and give a brief overview of approaches for future research.
In this paper we document our findings on weak user authentication in messaging applications on smartphones. User authentication is a popular field of research in information security [16, 2], especially applied to distributed systems or for web services [11, 18]. A vast number of protocols has been designed to provide secure user authentication, for example based on Kerberos or public key cryptography and the usage of a PKI.
Due to the steadily increasing pervasiveness of smartphones these platforms have sparked the interest of the security community. The security features and properties of...
References: user profiling. In Recent Advances in Intrusion Detection:
13th International Symposium, RAID 2010, Ottawa, Ontario, Canada, September 15-17, 2010, Proceedings, volume 6307, page 422
 M. Bishop. Computer Security: Art and Science. Addison-Wesley, 2002.
 L. Davi, A. Dmitrienko, A. Sadeghi, and M. Winandy. Privilege escalation attacks on android. Information Security,
pages 346–360, 2011.
Information Theory, IEEE Transactions on, 22(6):644–654,
 M. Egele, C. Kruegel, E. Kirda, and G. Vigna. Pios: Detecting privacy leaks in ios applications. In Network and
Distributed System Security Symposium (NDSS), 2011.
USENIX Security Symposium, 2011.
 W. Enck, M. Ongtang, and P. McDaniel. Understanding Android Security. Security & Privacy, IEEE, 7(1):50–57, 2009.
Authentication in distributed systems: Theory and practice. ACM Transactions on Computer Systems (TOCS),
 M. Marlinspike. Website of sslsniff tool, 2011. [Online; retrieved Jun 21st, 2011], Online at http://www.
 Whisper Systems. Whisper systems, 2011. [Online; retrieved Aug 21st, 2011], http://www.whispersys.
 A. Whitten and J. Tygar. Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. In Proceedings of the 8th
USENIX Security Symposium, pages 169–184, 1999.
 XMPP Foundation. XMPP Standard, 2011. [Online; retrieved Jun 21st, 2011], http://xmpp.org/l.