What started as a class project in the University of New Haven’s digital device forensics course has since become world-renowned after students discovered security flaws, breaches of privacy and additional vulnerabilities in chat, dating and social media apps used by nearly one billion subscribers on the Android platform.
“Anyone who has used or continues to use the tested applications is at risk of confidential breaches involving a variety of data, including their passwords in some instances,” said Ibrahim Baggili, assistant professor of computer science at UNH’s Tagliatela College of Engineering, and head of the cFREG.
The tested applications include Instagram, Okcupid, ooVoo, Tango, Kik, Nimbuzz, MeetMe, MessageMe, TextMe, Grindr, HeyWire, Hike, textPlus, MyChat, WeChat, GroupMe, Whisper, LINE, Vine, Voxer, Words With Friends, Tinder, Wickr, BBM, Plenty of Fish, Snapchat, Kakao Talk, and Telegram.
“We did not find issues in all of these applications, but the majority of them had anywhere from minor to severe issues that affect user security and/or privacy,” said senior information technology major Daniel Walnycky.
“The application issues can be broken down into two categories: data security issues and data privacy issues,” said Walnycky. “Data security issues relate to unencrypted network transmissions from one user to another. Data privacy issues relate to unencrypted data being stored on user devices and/or app servers.”
UNHcFREG made five videos outlining the problems that include passwords available in plain text and private information stored on company servers. The videos identifying the apps were posted starting Monday, Sept. 8 and will continue through Friday, Sept. 12. The videos can be found at http://www.youtube.com/unhcfreg.
“Each of the five videos discusses three or four applications with their specific issues. We explain the severity of the issues, how we found them, and a list of devices/tools used so that others can easily recreate our findings,” said Walnycky.
“Although all of the data transmitted through these apps is supposed to go securely from just one person to another, we have found that private communications can be viewed by others because the data is not being encrypted and the original user has no clue.” Baggili said this is especially true when there is a “man-in-the-middle attack.”
A man-in-the-middle attack is when an attacker finds a way to intercept traffic going between two victims. The victims believe they are talking directly to each other, but in actuality, the messages are going through the attacker before they reach the designated recipient.
Many people feel they have nothing to hide. Yet, strangers can easily tap into a variety of “private” data without informing the app user, said Baggili.
“The underlying problem that allows private conversations to be observed is a lack of encryption. A large percentage of applications still haven’t switched from HTTP (unencrypted) to HTTPS (encrypted),” said Walnycky. “In order for developers to use HTTPS, certifications are required. Certifications cost money and can take time to implement. A lot of developers don’t want to spend the money or time going through the process. This creates a lot of potential security and privacy holes.”
“It’s wrong for a stranger to be able to look at your private information without you even knowing they are doing it,” Baggili said. “Depending on the app, user locations, passwords, chat logs, images, video, audio and sketches can be viewed by people invading the user’s privacy.”
Strangers who tap into private conversations have the potential to observe user GPS locations, chat logs, images, videos, audio files, sketches, and even passwords. What they do with this information depends on the goal of the hacker. It could lead to blackmail, extortion, account hijacking, etc.
The security issues were discovered by the cFREG team, which ran a network forensics experiment. The team was made up of UNH students including Walnycky, Armindo Rodrigues and Jason Moore. Details of how this was done are included in the videos. The team was also joined by new faculty member Frank Breitinger from Germany, and a PhD research student from China.
Walnycky described that in order to find data security and privacy issues he and his team conducted three tests: network transmission analysis, server storage analysis, and device storage analysis.
“For the network transmission analysis the students conducted a man-in-the-middle attack through the use of a rogue Wi-Fi access point. A device was connected to this Wi-Fi access point and another device was connected outside the network. This setup forced all traffic to go through the rogue access point and be monitored by network traffic analysis software. They then proceeded to conduct conversations within applications and viewed the traffic logs for unencrypted traffic to determine which of the data being sent/received was intercepted,” said Walnycky. “For the server storage analysis they looked deeper into these traffic logs to find direct HTTP links to files that were sent/received by users and stored on app servers without encryption or authentication. For the device storage analysis they searched through database files that applications use to store information. They found that many apps have unencrypted databases that contain highly sensitive user information.”
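As an added illustration that is not part of the article or of the UNHcFREG work, the network transmission and server storage checks described above can be expressed as an automated audit over captured app traffic, the kind of check a developer or QA team can run against their own app. The capture records, hosts, paths, field names and token values below are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed capture of app requests, as an auditing proxy on a test device
# would record them. Hosts, paths and values are made up for illustration.
SAMPLE_CAPTURE = [
    {"url": "http://api.chat.example/login", "method": "POST",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=alice&password=hunter2"},
    {"url": "https://api.chat.example/login", "method": "POST",
     "headers": {"Authorization": "Bearer placeholder-token"},
     "body": "user=alice&password=hunter2"},
    {"url": "http://cdn.chat.example/uploads/12345.jpg", "method": "GET",
     "headers": {}, "body": ""},
    {"url": "https://cdn.chat.example/uploads/12345.jpg", "method": "GET",
     "headers": {"Authorization": "Bearer placeholder-token"}, "body": ""},
]

# Form fields whose plaintext exposure matches the data types the article lists
# (passwords, locations). Hypothetical list; extend it for the app under test.
SENSITIVE_FIELDS = re.compile(r"(?i)\b(pass(word)?|pwd|token|secret|lat|lon|gps)=")
MEDIA_EXT = (".jpg", ".jpeg", ".png", ".mp4", ".m4a", ".3gp", ".amr")
AUTH_HEADERS = ("Authorization", "Cookie")

def audit_request(rec):
    """Classify one captured request; returns a list of finding labels."""
    findings = []
    u = urlparse(rec["url"])
    if u.scheme == "http":
        # Network transmission issue: everything on the wire is readable in transit.
        findings.append("plaintext-transport")
        if SENSITIVE_FIELDS.search(rec.get("body", "")) or SENSITIVE_FIELDS.search(u.query):
            findings.append("credentials-in-clear")
    if u.path.lower().endswith(MEDIA_EXT) and not any(h in rec["headers"] for h in AUTH_HEADERS):
        # Server storage issue: a bare link fetches user media with no authentication.
        findings.append("media-fetched-without-auth")
    return findings

def audit_capture(records):
    """Map each captured URL to its findings; an empty list means nothing was flagged."""
    return {r["url"]: audit_request(r) for r in records}

if __name__ == "__main__":
    for url, findings in audit_capture(SAMPLE_CAPTURE).items():
        print(url, findings or "ok")
```

The same classifier can be pointed at a real proxy export by converting each request into the dictionary shape used above.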
There is no way for users to directly fix this problem themselves. However, what they can do is be aware of what they’re sharing and understand the possibility of conversations being listened in on.
Individuals who use apps with security issues should be aware that their information is at risk and should run updates daily. They also should learn to run security tests on their own.
“They should also try conducting the tests that were done in the UNHcFREG videos on other apps. There’s no real way of knowing what these applications are doing/how they are doing it unless you see for yourself,” said Walnycky. “This problem can be solved by developers using encryption in network transmissions, server storage, and device storage.”
Each of the companies that own the apps has been notified of the issues by the cFREG team.
“Most companies simply have web contact forms for support – and no way for us to contact their developers or security teams. We had no choice but to use the support contact forms available on their websites, and most companies did not even respond. This exacerbates the problem – and it shows that mobile developers are still not taking security seriously,” said Baggili.
With regard to businesses improving their users’ privacy, Walnycky said privacy in general has been in decline over the years.
“It doesn’t seem like it’s in the best interest of the developers to give their users privacy. It takes away potential monetary profit from them either selling off user information or trying to sell users something through advertisements. However, many apps now let you “buy back your privacy” by using a non-free version that doesn’t have advertisements,” said Walnycky.
UNHcFREG was established in fall 2013 as part of UNH’s Department of Electrical and Computer Engineering and Computer Science to research digital forensics, security and privacy awareness and help reduce cybercrime. Last spring, UNHcFREG discovered vulnerabilities in WhatsApp, which has 500 million users, and Viber, which has 300 million users.
“The goal of this research was to discover security and privacy issues within the social media, chatting, and dating app market on Android and iOS, and we’ve been working on it since late May,” said Walnycky. “Our goal as an organization is to spread security and privacy awareness throughout campus and the world at large. We hope this project will push companies into taking stronger actions to combat these issues and boost awareness to the users.”
“This work is inspired by me, but executed by UNH students. Without the students, this work would not be possible. Their success is our success,” said Baggili. “The students are excited to be part of a project that helps them protect their privacy – as well as other people’s privacy. Dan Walnycky produced the videos; he is our most creative IT student, in my honest opinion.”
“It feels unreal. It was crazy to see firsthand application after application failing to pass our security and privacy tests,” said Walnycky. “It’s easy to assume your information is safe, but this research proved otherwise. Now is as good of a time as ever for people to be aware of how the technology they are using works, how they are using the technology, and how complete strangers could be using both these things against them.”
UNHcFREG has gained world recognition for its research and is on its way towards becoming the strongest research group in digital forensics in the U.S. and worldwide. For more information, visit http://www.unhcfreg.com.