Following the Wi-Fi breadcrumbs

Network based mobile application privacy threats

Michael Kennedy, Rossilawati Sulaiman

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

Abstract

Users are concerned about the protection of personal information they share with mobile applications. Researchers have previously explored security threats to mobile applications through wireless network access, including the disclosure of personal information through unencrypted traffic, excessive information disclosure to service providers, and flaws in TLS security. This study replicates these security threats and performs an assessment of the potential privacy impact for a sample of 30 Android applications. The results show that disclosure of personal information through unencrypted traffic is a significant risk. Individual applications were found which disclosed a user's identity and application usage, and persistent device identifiers were leaked allowing user information to be linked across applications and wireless sessions. A small number of applications disclosed inappropriate amounts of personal information to service providers which could allow user tracking. TLS issues continue to pose a risk, with one application exhibiting a previously identified TLS certificate validation issue, and a potentially new encryption protocol downgrade flaw was identified triggered by an invalid certificate. Insecure authentication techniques were used by 30% of applications tested and pose a privacy risk even when applications use TLS.

Original language: English
Title of host publication: Proceedings - 5th International Conference on Electrical Engineering and Informatics: Bridging the Knowledge between Academic, Industry, and Community, ICEEI 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 265-270
Number of pages: 6
ISBN (Print): 9781467373197
DOIs: https://doi.org/10.1109/ICEEI.2015.7352508
Publication status: Published - 10 Dec 2015
Event: 5th International Conference on Electrical Engineering and Informatics, ICEEI 2015 - Legian-Bali, Indonesia
Duration: 10 Aug 2015 → 11 Aug 2015

Other

Other: 5th International Conference on Electrical Engineering and Informatics, ICEEI 2015
Country: Indonesia
City: Legian-Bali
Period: 10/8/15 → 11/8/15

Fingerprint

Wi-Fi
Defects
Authentication
Cryptography
Wireless networks
Network protocols

Keywords

  • android
  • mobile applications
  • privacy
  • security
  • wireless networks

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems
  • Signal Processing
  • Electrical and Electronic Engineering

Cite this

Kennedy, M., & Sulaiman, R. (2015). Following the Wi-Fi breadcrumbs: Network based mobile application privacy threats. In Proceedings - 5th International Conference on Electrical Engineering and Informatics: Bridging the Knowledge between Academic, Industry, and Community, ICEEI 2015 (pp. 265-270). [7352508] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/ICEEI.2015.7352508

@inproceedings{f29a733c0a0346949739d84e0b747061,
title = "Following the Wi-Fi breadcrumbs: Network based mobile application privacy threats",
keywords = "android, mobile applications, privacy, security, wireless networks",
author = "Michael Kennedy and Rossilawati Sulaiman",
year = "2015",
month = "12",
day = "10",
doi = "10.1109/ICEEI.2015.7352508",
language = "English",
isbn = "9781467373197",
pages = "265--270",
booktitle = "Proceedings - 5th International Conference on Electrical Engineering and Informatics: Bridging the Knowledge between Academic, Industry, and Community, ICEEI 2015",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - GEN

T1 - Following the Wi-Fi breadcrumbs

T2 - Network based mobile application privacy threats

AU - Kennedy, Michael

AU - Sulaiman, Rossilawati

PY - 2015/12/10

Y1 - 2015/12/10

KW - android

KW - mobile applications

KW - privacy

KW - security

KW - wireless networks

UR - http://www.scopus.com/inward/record.url?scp=84961724210&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84961724210&partnerID=8YFLogxK

U2 - 10.1109/ICEEI.2015.7352508

DO - 10.1109/ICEEI.2015.7352508

M3 - Conference contribution

SN - 9781467373197

SP - 265

EP - 270

BT - Proceedings - 5th International Conference on Electrical Engineering and Informatics: Bridging the Knowledge between Academic, Industry, and Community, ICEEI 2015

PB - Institute of Electrical and Electronics Engineers Inc.

ER -