(IN-) PRIVACY IN MOBILE APPS. CUSTOMER OPPORTUNITIES (in Engl.)
For citation: Chemerkin Yu.S., Kuzmenko T.I. (In-)privacy in mobile apps. Customer opportunities. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2016, vol. 16, no. 1, pp. 90–95.
Subject of Study. The paper presents the results of an investigation of cross-platform mobile applications. It focuses on examining cross-platform app data for the purpose of building a database that supports decisions from a data privacy viewpoint. These decisions rest on knowledge about publicly available mobile apps, in particular how consumer data is protected while stored locally or transferred over the network, and what types of data may leak.

Methods. This paper proposes a forensics methodology as the cornerstone of the app data investigation process. The object of research is application data protection under the different security control types found in modern mobile operating systems. The subject of research is a modification of the forensics approach, combined with behavioral analysis, to examine application data privacy: it looks for data that applications do not handle properly and that therefore leaks, and it identifies the protection control type without the usual limits of forensics. In addition, the paper relies on the simplest tools and deliberately limits the examination to locally stored data and data transmitted over the network, so that all such data is covered; memory and code analysis are excluded unless they add value (behavioral analysis). The research methods include digital forensics methods chosen according to the state of the data (at rest, in use/memory, in transit), behavioral analysis of the application, and static and dynamic application code analysis.

Main Results. The research was carried out within the scope of this thesis, and the following scientific results were obtained. First, the methods used to investigate the privacy of application data make it possible to consider application features, protection code design and its flaws in the context of incomplete user awareness of the privacy state caused by the developer's external activity. Second, the set of knowledge about the facts of application data protection makes it possible to build a knowledge database, to implement the missing privacy and security protection controls, and to satisfy the privacy requirements (keeping users informed about the possibility of avoiding untrusted usage cases).

Practical Relevance. The practical relevance of the results is the following: first, the set of knowledge facts about each examined application can be turned into a privacy score per application, per application category (IM, travel, etc.), per OS, and so on; second, the method developed under the forensics approach can be used to analyse application data privacy against specified requirements, including audit, reconfiguring EMM application policies, and the reasons for their commissioning.
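The following added example (not code from the paper or its authors) illustrates the knowledge-database idea from the Methods and Practical Relevance paragraphs: artifacts recovered from an app's sandbox (data at rest) and from a network capture (data in transit) are checked for improperly handled data, each finding is recorded as a fact about the app, and the facts are reduced to a privacy score per application, per category and per OS. The sample artifacts, the check patterns and the score weights are all constructed assumptions for this illustration; the paper defines no such scale.

```python
import re
from collections import defaultdict

# Constructed sample artifacts: each entry mimics what a forensic pull of an
# app sandbox (data at rest) plus a network capture (data in transit) might
# yield. App names, paths and values are invented for this example.
SAMPLE_APPS = [
    {
        "app": "chatapp", "category": "IM", "os": "iOS",
        "at_rest": {
            "Library/Preferences/com.example.chatapp.plist":
                "<key>username</key><string>alice</string>"
                "<key>password</key><string>hunter2</string>",
            "Documents/messages.db":
                "INSERT INTO msg VALUES('hi bob','alice@example.com');",
        },
        "in_transit": ["POST http://api.example.com/login user=alice&password=hunter2"],
    },
    {
        "app": "tripapp", "category": "travel", "os": "Android",
        "at_rest": {
            # constructed JWT-like prefix, not a real token
            "shared_prefs/session.xml": '<string name="token">Bearer eyJhbGciOi</string>',
        },
        "in_transit": ["GET https://api.example.com/bookings"],
    },
    {
        "app": "notesapp", "category": "productivity", "os": "Android",
        "at_rest": {"databases/notes.db": "INSERT INTO note VALUES('buy milk');"},
        "in_transit": ["GET https://sync.example.com/notes"],
    },
]

# Checks as (name, pattern, weight). Weights are an illustrative scoring
# choice for this example; a real study would calibrate them.
AT_REST_CHECKS = [
    ("plaintext_password", re.compile(r"password\W{1,20}[\w!@#$%^&*]{4,}", re.I), 40),
    ("plaintext_token", re.compile(r"(bearer|token)\W{0,20}\w{6,}", re.I), 30),
    ("email_address", re.compile(r"[\w.+-]+@[\w-]+\.\w+"), 10),
]
IN_TRANSIT_CHECKS = [
    ("cleartext_http", re.compile(r"\bhttp://", re.I), 30),
    ("credential_in_request", re.compile(r"password=\S+", re.I), 40),
]

TAG_RE = re.compile(r"<[^>]+>")


def strip_markup(text):
    """Replace XML/plist tags with spaces so the patterns only see values."""
    return TAG_RE.sub(" ", text)


def scan_app(app):
    """Collect privacy facts for one app and derive its score (0..100)."""
    findings = []
    for path, content in app["at_rest"].items():
        text = strip_markup(content)
        for name, pattern, weight in AT_REST_CHECKS:
            if pattern.search(text):
                findings.append({"scope": "at_rest", "location": path,
                                 "check": name, "weight": weight})
    for i, flow in enumerate(app["in_transit"]):
        for name, pattern, weight in IN_TRANSIT_CHECKS:
            if pattern.search(flow):
                findings.append({"scope": "in_transit", "location": f"flow#{i}",
                                 "check": name, "weight": weight})
    # Deduct each distinct check once per app, however many files trigger it.
    penalty = sum({f["check"]: f["weight"] for f in findings}.values())
    return {"app": app["app"], "category": app["category"], "os": app["os"],
            "findings": findings, "score": max(0, 100 - penalty)}


def build_knowledge_base(apps):
    """One record per examined app: the facts plus the derived score."""
    return [scan_app(a) for a in apps]


def aggregate(results, key):
    """Average score grouped by an attribute such as 'category' or 'os'."""
    buckets = defaultdict(list)
    for r in results:
        buckets[r[key]].append(r["score"])
    return {k: sum(v) / len(v) for k, v in buckets.items()}


if __name__ == "__main__":
    kb = build_knowledge_base(SAMPLE_APPS)
    for r in kb:
        print(r["app"], r["score"], [(f["location"], f["check"]) for f in r["findings"]])
    print("by category:", aggregate(kb, "category"))
    print("by OS:", aggregate(kb, "os"))
```

Each finding keeps its scope and location, so the same record can drive an audit report (which file or flow leaked what) and the per-category or per-OS scores that the paper describes as the practical output.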
Acknowledgements. The paper is recommended by the Organizing committee of the International conference “Information Security and Protection of Information Technology 2015” (http://ispit.ifmo.ru/)
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License