MobiLeak : Security and Privacy of Personal Data in Mobile Applications

Abstract: Smartphones and mobile applications have become an essential part of our daily lives. People always carry their smartphones with them and rely on mobile applications for most of their tasks: from checking emails for personal or business purposes, to engaging in social interactions via social networks, from trading online or checking their bank accounts to communicating with families and friends through instant messaging applications. It is therefore clear that these devices and applications handle, store and process a huge amount of people's personal data, which is therefore confidential and sensitive. Whether the person is famous or not, whether he or she is an important public personality or not, whether he or she manages and possesses a large amount of money or not, the protection of his or her personal data should be of great importance, since threats can target anyone, with consequences ranging from defamation to economic losses due to a compromised bank account, identity theft, location tracking, and many more. In this scenario it becomes very important that mobile applications are a) secure from a program code point of view, written following secure coding and Secure Software Development Life Cycle (S-SDLC) guidelines and best practices, and b) capable of handling, storing and processing user data in a proper and stringently secure manner to maintain the user's privacy.

Secure Coding and S-SDLC concepts are well known and have been inherited from the classical software engineering domain, although they are not very widespread or applied in the mobile world. However, even the most secure application, from a code point of view, can pose a threat to the security and privacy of users if data are not handled properly. An application that is very well written from a code point of view (i.e. without evident bugs that may lead to its exploitation) may, for example, store user credentials or other personal data in plaintext on the device. If the device is lost, stolen or compromised via other channels (e.g. other vulnerable applications or the mobile OS itself), those data are completely exposed. A simple, standard vulnerability or penetration test against the application may not reveal such a vulnerability.

Thus, this thesis addressed and solved the problems related to the following three research questions for the mobile environment and applications:

1. What are data and where can such data exist?
2. How is personal data handled?
3. How can one properly assess the security and privacy of mobile applications?

The research work started with studying and identifying every possible state in which data can exist, which is a fundamental prerequisite for treating them properly. The lack of understanding of this aspect is where most existing approaches failed, by focusing mainly on finding bugs in the code instead of also looking at the sources and transfers of data. After this step, we analysed how real-life mobile applications and operating systems handle users' personal data in each of the states previously identified. Based on the results of these two steps, we developed a novel methodology for analysing the security and privacy level of mobile applications, which focuses on user data rather than on application code and its architecture. The methodology, which we named MobiLeak, also combines concepts and principles from the digital forensics discipline.

Some of the solutions presented in this dissertation may sound more obvious now than when they were developed within the MobiLeak methodology. However, this research work started in January 2011, and back in 2010, when the research proposal that led to this Ph.D. was presented, the mobile application security landscape was quite different and at a very early, rudimentary stage. At that time iPhone 4 and iOS 4 had just been released; now we have reached iPhone 6 and iOS 8. In December 2010 the first Near Field Communication (NFC) enabled smartphone, the Samsung Google Nexus S, was released. Until that moment the only mobile phone (not smartphone) with NFC capabilities was a particular version of the Nokia 6131 released in 2006. Incredibly enough, at that time there was not yet any publicly known Android malware. In fact, the first Android Trojans, FakePlayer and DroidSMS, were discovered in August 2010, and now, according to a report released by the security firm Kaspersky in February 2015, the number of financial malware attacks against Android reached 2,317,194 in 2014.

Part of the significant contribution of the research work reported in this dissertation was to the initial development of the Mobile Security Testing Guidelines of the Open Web Application Security Project (OWASP) Mobile Security Project, pushing for a mobile digital forensics methodology to be a mandatory part of any mobile application security assessment methodology. It also contributed to the work of the European Telecommunications Standards Institute (ETSI) and the International Organization for Standardization (ISO/IEC SC 27) committees related to digital forensics and, last but not least, it resulted in eleven peer-reviewed publications, one book chapter and one co-authored book.
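The plaintext-storage case described above is exactly the kind of finding a code-level test misses but a data-at-rest review catches. As an added example (not code from the thesis or from the MobiLeak methodology itself), the Python script below walks an Android app sandbox extracted from a device image and reports credential-like values stored in SharedPreferences XML files and SQLite databases; the sample sandbox contents and the key-name heuristic are constructed assumptions.

```python
import os, re, sqlite3, tempfile
import xml.etree.ElementTree as ET

# Key/column names that suggest a credential (heuristic assumption, not an exhaustive list).
SECRET_KEY = re.compile(r"pass|pwd|token|secret|api[_-]?key|session", re.I)

def scan_shared_prefs(path):
    """Return (key, value) pairs from a SharedPreferences XML whose key name looks secret."""
    root = ET.parse(path).getroot()
    return [(el.get("name"), el.text or el.get("value"))
            for el in root if el.get("name") and SECRET_KEY.search(el.get("name"))]

def scan_sqlite(path):
    """Return (table, column, value) triples for columns whose name looks secret."""
    hits, con = [], sqlite3.connect(path)
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for row in con.execute(f"PRAGMA table_info('{table}')"):
            col = row[1]  # table_info rows: (cid, name, type, notnull, dflt_value, pk)
            if SECRET_KEY.search(col):
                hits += [(table, col, v) for (v,) in con.execute(f'SELECT "{col}" FROM "{table}"')]
    con.close()
    return hits

def scan_app_dir(app_dir):
    """Walk an extracted app sandbox and report plaintext secrets in prefs and databases."""
    findings = []
    for dirpath, _, files in os.walk(app_dir):
        for f in files:
            p = os.path.join(dirpath, f)
            if os.path.basename(dirpath) == "shared_prefs" and f.endswith(".xml"):
                findings += [(f"shared_prefs/{f}", k, v) for k, v in scan_shared_prefs(p)]
            elif os.path.basename(dirpath) == "databases" and f.endswith(".db"):
                findings += [(f"databases/{f}:{t}.{c}", c, v) for t, c, v in scan_sqlite(p)]
    return findings

def build_sample_app_dir():
    """Constructed sample sandbox: a login prefs file and a session DB holding secrets in plaintext."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "shared_prefs")); os.makedirs(os.path.join(root, "databases"))
    with open(os.path.join(root, "shared_prefs", "login.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 '<string name="username">alice</string>\n'
                 '<string name="password">hunter2</string>\n'
                 '<boolean name="remember_me" value="true" />\n</map>\n')
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE session (id INTEGER, auth_token TEXT)")
    con.execute("INSERT INTO session VALUES (1, 'eyJ.constructed.token')")
    con.commit(); con.close()
    return root
```

Run `scan_app_dir()` on the `/data/data/<package>` directory pulled from a test device to list every credential-like value that sits unencrypted in the sandbox.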