Paper “Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications”
We will present a paper on smartphone messaging application security at NDSS 2012.
You can find a preprint of the paper here: Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications.
From the abstract: In recent months a new generation of mobile messaging and VoIP applications for smartphones was introduced. These services offer free calls and text messages to other subscribers, providing an Internet-based alternative to the traditional communication methods managed by cellular network carriers such as SMS, MMS and voice calls. While user numbers are estimated in the millions, very little attention has so far been paid to the security measures (or lack thereof) implemented by these providers.
In this paper we analyze nine popular mobile messaging and VoIP applications and evaluate their security models with a focus on authentication mechanisms. We find that a majority of the examined applications use the user’s phone number as a unique token to identify accounts, which further encumbers the implementation of security barriers. Finally, experimental results show that major security flaws exist in most of the tested applications, allowing attackers to hijack accounts, spoof sender-IDs or enumerate subscribers.