Viber Communication Security - Bad Request

More documents

Recommendations

Info

Preliminary Research Chapter 2 3. End-to-end user authentication should be provided at terminal devices; and 4. Both clients and servers should be protected against Denial of Service type of attacks. The list could be continued with many other detailed requirements but the above list provides sufficient requirements for the analysis of security constraints in the next section. 2.1.3 Whatsapp Whatsapp is one of the most used communication application for mobile messaging. Whatsapp had some pretty bad security issues. A review from around May 2011 announced the following.[9] Messages where send unencrypted over the network and everyone who wanted could read them. If you think this is all your wrong, besides this you were able to hijack other users their account and receive their messages or send messages as them. With the latest Whatsapp version when sending messages you’re still able to see the following: “(1) the number the message is going to, and (2) the contact name is still send in plaintext”.[10] It should also still be able to steal other people their accounts through SMS-spoofing, a detailed explanation by Ricky Gevers.[11] How exactly the messages are encrypted is unclear in their policy: Whatsapp uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information. We cannot, however, ensure or warrant the security of any information you transmit to Whatsapp and you do so at your own risk.[12] If you read their policy you can notice their a little scared about reverse-engineering. Here is a short sentence in their policy: We do disallow any efforts to reverse-engineer our system, our protocols, or explore outside the boundaries of the normal requests made by WhatsApp clients.[12] This last sentence does sound a bit inviting to hackers and sort. Even after some security breaches it’s still possible to see who calls or sends messages to whom in plaintext. The content however is ‘secure’. But you are still able to count the amount of data flowing between mobile numbers/persons. What is the reason about not encrypting everything? 2.1.4 eBuddy XMS eBuddy is a well know communication service that integrates different Instant Message (im) services in a web browser. For mobile phones they launched their own service called eBuddy XMS. eBuddy XMS is relative new application on the market for mobile messaging. It has a build-in function to enable and disable encryption. This because encrypting takes more time to deliver and receive 6
Preliminary Research Chapter 2 messages. Encrypting and decrypting of messages takes more time and end-users in general only care attention to the speed messages are send/received. Since eBuddy XMS is relative new there are not many to none security flaws/reviews. eBuddy says to be secure, they say the following about their encryption: To be exact, the method to secure it is Transport Layer <strong>Security</strong> (tls) 1.0, using a 2048 bit encryption key. This is considered to be highly secure.[13] They also say the following about their build-in security function: Not using the secure connection does not necessarily mean that all data is unsecured. Authentication and uploading your address book is always secured even when you are not using the secure connection. So, no one can hijack your account or your address book. Not using the secure connection only affects sending and receiving messages.[13] In their own policy they say the following about users their data security: eBuddy will take reasonable technical and organizational measures to protect the information we collect against loss, misuse or any form of unlawful processing. Information on eBuddy servers is stored in a secured manner and access is limited to authorized employees only. However, it is important to note that we cannot eliminate all security risks associated with data transmission and storage.[14] eBuddy claims to be ‘highly secure’ with their encryption. However no review or media articles can been found about this. They also claim not storing your data and even encrypting important information if the security option is off. 2.1.5 Skype Skype always has been the big player for voip calling this isn’t any different for mobile devices. Because it’s one of the most used ones you can expect it’s reviewed a lot. That’s why Skype already was in the media quitted a lot for some security flaws. Some which are even recent. It was possible to see from where a Skype connection came from.[15][16] On iOS it was possible to steal people their information, like your address book.[17] Skype hired a security expert who made a review in 2005 about Skype their security. In this review is written that Skype is quitted secure, but unclear if this also reflexes to their mobile platform. The review says the following: Skype claims that its system uses the Ron Rivest, Adi Shamir and Leonard Adleman (rsa) encryption algorithm for key exchange and 256-bit Advanced Encryption Standard (aes) as its bulk encryption algorithm. However, Skype does not publish its 7
Page 1 and 2: Viber Communication Security Michie
Page 3 and 4: Introduction Chapter 1 1 Introducti
Page 5 and 6: Introduction Chapter 1 • How does
Page 7: Preliminary Research Chapter 2 2.1.
Page 11 and 12: Preliminary Research Chapter 2 2.1.
Page 13 and 14: Preliminary Research Chapter 2 2.2.
Page 15 and 16: Experiments Chapter 3 Android On An
Page 17 and 18: Experiments Chapter 3 (a) Android D
Page 19 and 20: Experiments Chapter 3 3.2 Reverse E
Page 21 and 22: Experiments Chapter 3 mappelman@ath
Page 23 and 24: Experiments Chapter 3 Signaling Mes
Page 25 and 26: Experiments Chapter 3 Time Source i
Page 27 and 28: Experiments Chapter 3 3.3 Applicati
Page 29 and 30: Experiments Chapter 3 1 public Stri
Page 31 and 32: Experiments Chapter 3 It does nothi
Page 33 and 34: Experiments Chapter 3 1 private Con
Page 35 and 36: Experiments Chapter 3 3.4 Other Wea
Page 37 and 38: Conclusion Chapter 4 4 Conclusion 4
Page 39 and 40: Acronyms Appendix A A Acronyms aes
Page 41 and 42: Appendix B [16] A. Greene, “Skype

Viber Communication Security - Bad Request

Create successful ePaper yourself

Delete template?

Save as template?