Viber Communication Security - Bad Request

More documents

Recommendations

Info

Experiments Chapter 3 3.2.5 Cryptanalysis Value Description 4b198067 Known Header 3ca5 Sequence Number 3d351c86 Time eb6e70fb Constant e6 Network Quality? Table 6: Analysis of header data in voice messages. Hex Frequency 0 6.23839 1 6.13784 2 6.07624 3 6.13482 4 6.1007 5 6.69676 6 5.99381 7 6.73028 8 6.05782 9 6.04726 a 6.10765 b 6.0853 c 6.03457 d 6.73873 e 6.05994 f 6.75987 Table 7: Frequency analysis of data in voice packets. After getting to the voice data in the messages there was not enough time left to get to the bottom of the cryptography used in the protocol. In paragraph 3.2.3 a frequency analysis has been done but this of course isn’t particularly useful against data that by nature is already very random. We can say that because the length of the payload of each packet differs significantly and the smallest deviation is only one byte, a block cipher seems out of the question and if encryption would be used it will be a stream cipher. Of course the question still remains: is it scrambled or encrypted? 24
Experiments Chapter 3 3.3 Application Code Analysis 3.3.1 Introduction In the previous sections, a representation was given of Viber’s security seen from the outside of the application (its externals). In the following section, some interesting details of the internals of Viber are unveiled. The information in this section by no means covers the welt of information about the to be presented techniques, but tries to give a fair insight. Before we continue, let’s first think of how an iOS/Android application is developed. Generally, a team of developers start programming an application once an idea has been established and completely worked out. The result of their hard work will be the application’s source code. During several phases of development, the source code is compiled to form an application that can be executed (and thus debugged) on the iOS/Android platform. Finally, the result of one or more prototypes is a finished application that is ready to be distributed. Now, let’s assume this application was accepted by both Apple and Google, and put available for download in the App Store and Android Market, respectively. Users will be able to download, install and use the application. Most users however will not even wonder or think about the level (or lack of) communication security provided by the application, as described before. The users that do either depend on the information provided by the author, the information from other users that also use the application, or on the information gained by studying the externals of the application themselves (like we have done in the previous sections). Ideally, this last group of users could go one step further and actually also explore some of the application’s internals. In other words, one could go back to the development phase of the application and have a look at the application code, be it not always code that is easy to read and understand. The term that is generally used for this is reverse engineering. Note that the word source, as in application source code, was intentionally left out. We will get back as to why this is. Having all this said, we for a moment continue with the general notion of an Android application and will later switch back to Viber for Android in specific. Moreover, only after this description will we be able to tell as to why iOS applications were left unspoken of. Applications for Android are generally developed entirely in the Java programming language.[30] We will focus on this type of applications. However, it is useful to know there are also applications that differ due to the fact they are not entirely written in Java, but also contain portions written in the C/C++ programming language (also called native code). Google does recommend the use of Java, however portions that are either performance-critical or part of a large base of previously developed source code in C/C++, are seen as valid reasons to make use of native code.[31] Applications are stored in an (Application Package File (apk)). Without getting into too much of the details, since this is not import to understand what follows, consider the package file as nothing more than an compressed archive with important files in it. These files consist of the compiled Java application code and the data files that the application and its installation procedure depend on. What we are interested in is actually a single file named classes.dex. This file is the result of first compiling one or more Java source code files into multiple class files, followed by another compiler named dx to convert and optimize these class files into a single dex file. This process is illustrated in figure 2. 25
Page 1 and 2: Viber Communication Security Michie
Page 3 and 4: Introduction Chapter 1 1 Introducti
Page 5 and 6: Introduction Chapter 1 • How does
Page 7 and 8: Preliminary Research Chapter 2 2.1.
Page 9 and 10: Preliminary Research Chapter 2 mess
Page 15 and 16: Experiments Chapter 3 Android On An
Page 17 and 18: Experiments Chapter 3 (a) Android D
Page 19 and 20: Experiments Chapter 3 3.2 Reverse E
Page 21 and 22: Experiments Chapter 3 mappelman@ath
Page 23 and 24: Experiments Chapter 3 Signaling Mes
Page 25: Experiments Chapter 3 Time Source i
Page 29 and 30: Experiments Chapter 3 1 public Stri
Page 31 and 32: Experiments Chapter 3 It does nothi
Page 33 and 34: Experiments Chapter 3 1 private Con
Page 35 and 36: Experiments Chapter 3 3.4 Other Wea
Page 37 and 38: Conclusion Chapter 4 4 Conclusion 4
Page 39 and 40: Acronyms Appendix A A Acronyms aes
Page 41 and 42: Appendix B [16] A. Greene, “Skype

Viber Communication Security - Bad Request

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?