
Working paper

Android apps and privacy risks: what attackers can learn by sniffing mobile device traffic

Abstract:

Recent years have witnessed significant growth in the mobile device landscape as smartphones and tablet computers have become more affordable and more feature-rich. Users commonly extend the functionality built into these mobile devices by installing add-on applications, called apps. Many popular apps adopt a client-server architecture and communicate with Internet-based services to provide users with a rich and dynamic experience. Worryingly, some of these apps need to access sensitive data such as phonebook entries, appointments, messages, or a user's geographic location, but precisely how apps use and transmit sensitive data over wireless networks has not been widely studied. We examine the traffic sent from 35 popular Android apps spread over 6 categories to explore what an attacker with a promiscuous wireless receiver could learn about a target. We discovered that the majority of the apps that were tested had a detrimental impact on privacy by sending sensitive data without encrypting it. We also discovered that in some cases, improper application design rendered SSL encryption useless at preventing privacy leaks. We discuss ways in which an attacker can use both active and passive attacks to identify and track a user or invade their privacy. Finally, we suggest and discuss several possible solutions to mitigate the privacy risks that were identified.

Publication status:
Not published
Peer review status:
Not peer reviewed

Authors


Institution:
University of Oxford
Division:
MPLS
Department:
Computer Science
Role:
Author
Institution:
University of Oxford
Division:
MPLS
Department:
Computer Science
Role:
Author
Institution:
University of Oxford
Division:
MPLS
Department:
Computer Science
Role:
Author


Publisher:
Centre for Doctoral Training in Cyber Security
Publication date:
2014-01-01
Edition:
Author's Original


Language:
English
Subjects:
UUID:
uuid:17c44695-402c-4275-8dab-468966d8fe0b
Local pid:
ora:9978
Deposit date:
2015-02-09
