Nothing Special   »   [go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

Dangerous Wi-Fi access point: attacks to benign smartphone applications

  • Original Article
  • Published:
Personal and Ubiquitous Computing Aims and scope Submit manuscript

Abstract

Personalization by means of third party application is one of the greatest advantages of smartphones. For example, when a user looks for a path to destination, he can download and install a navigation application with ease from official online market such as Google Play and Appstore. Such applications require an access to the Internet, and most users prefer Wi-Fi networks which are free to use, to mobile networks which cost a fee. For this reason, when they have no access to free Wi-Fi networks, most smartphone users choose to try to use unknown Wi-Fi access points (AP). However, this can be highly dangerous, because such unknown APs are sometimes installed by an adversary with malicious intentions such as stealing information or session hijacking. Today, smartphones contains all kinds of personal information of the users including e-mail address, passwords, schedules, business document, personal photographs, etc., making them an easy target for malicious users. If an adversary takes smartphone, he will get all of information of the users. For this reason, smartphone security has become very important today. In wireless environments, malicious users can easily eavesdrop on and intervene in communication between an end-user and the internet service providers, meaning more vulnerability to man-in-the-middle attacks. In this paper, we try to reveal the risk of using unknown APs by presenting demonstration results. The testbed is composed of two smartphones, two APs, and one server. The compromised AP forwards messages of victim smartphone to the fake server by using domain name system spoofing. Thus, the application that is running on the victim smartphone transfers HTTP request to the fake server. As a result, this application displays the abnormal pop-up advertisement, which contains malicious codes and links. Our demonstration shows that merely connecting to compromise APs can make a malicious behavior even the applications are benign.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14

Similar content being viewed by others

References

  1. Weiser M (1991) The computer for the 21st century. Sci Am 265(3):94–104

    Article  Google Scholar 

  2. Mattern F (2001) The vision and technical foundations of ubiquitous computing. Upgrade 2(5):3–6

    Google Scholar 

  3. Rogers Y (2005) Moving on from Weiser’s vision of calm computing: engaging UbiComp experiences. In: proceedings of UbiComp 2005. Springer, NY, pp 404–421

  4. Leem CS, Jeon NJ, Choi JH, Shin HG (2005) A business model (BM) development methodology in ubiquitous computing environments. In: proceeding of ICCSA 2005. LNCS 3483:86–95

    Google Scholar 

  5. Kang BH (2007) Ubiquitous computing environment threats and defensive measures. IJMUE 2(1):47–60

    Google Scholar 

  6. Poslad S (2009) Ubiquitous computing: smart devices, environments and interactions. Wiley, New York, pp 3–73

    Google Scholar 

  7. Baldauf M, Dustdar S, Rosenberg F (2007) A survey on context-aware system. Int J Ad Hoc Ubiquit Comput 2(4):263–277

    Article  Google Scholar 

  8. Android Official Blog. Google play hits 25 billion downloads. http://officialandroid.blogspot.kr/2012/09/google-play-hits-25-billion-downloads.html

  9. Barkuus L, Polichar VE (2011) Empowerment through seamfulness: smart phones in everyday life. Pers Ubiquit Comput 15(6):629–639

    Article  Google Scholar 

  10. Bell G, Dourish P (2007) Yesterday’s tomorrows: notes on ubiquitous computing’s dominant vision. Pers Ubiquit Comput 11(2):133–143

    Article  Google Scholar 

  11. Campbell A, Choudhury T (2012) From smart to cognitive phones. IEEE Pervasive Comput 11(3):7–11

    Article  Google Scholar 

  12. Grønli T, Chinea G, Younas M (2013) Context-aware and automatic configuration of mobile devices in cloud-enabled ubiquitous computing. Pers Ubiquit Comput

  13. Ballagas R, Borchers J, Rohs M, Sheridan JG (2006) The smart phone: a ubiquitous input device. IEEE Pervasive Comput 5(1):70–77

    Article  Google Scholar 

  14. Roussos G, Marsh AJ, Maglavera S (2005) Enabling pervasive computing with smart phones. IEEE Pervasive Comput 4(2):20–27

    Google Scholar 

  15. Orthacker C, Teufl P, Kraxberger S, Lackner G, Gissing M, Marsalek A, Leibetseder J, Prevenhueber O (2012) Android security permissions—can we trust them? In: proceeding of MOBISEC 2011. LNICST 94:40–51

    Google Scholar 

  16. Felt AP, Chin E, Hanna S, Song D, Wagner D (2011) Android permissions demystified. In: proceeding of CCS’11, pp 627–638

  17. Felt AP, Ha E, Egelman S, Haney A, Chin E, Wagner D (2012) Android permissions: user attention, comprehension, and behavior. In: proceeding of SOUPS 2012

  18. Nauman M, Khan S, Zhang X (2010) Apex: extending android permission model and enforcement with user-defined runtime constraints. In: proceeding of ASIACCS’10, pp 328–332

  19. Barrera D, Kayacik H (2010) A methodology for empirical analysis of permission-based security models and its application to android. In: proceeding of CCS’10, pp 73–84

  20. Zhongyang Y, Xin Z, Mao B, Xie L (2013) DroidAlarm: an all-sided static analysis tool for android privilege-escalation malware. In: proceeding of ASIACCS’13, pp 353–358

  21. Bugiel S, Davi L, Dmitrienko A, Fischer T, Sadeghi A, Shastry B (2012) Towards taming privilege-escalation attacks on android. In: proceeding of NDSS 2012

  22. Chin E, Felt AP, Greenwood K, Wanger D (2011) Analyzing inter-application communication in android. In: proceeding of MobiSys’11, pp 239–252

  23. Wireless Geographic Logging Engine. http://wigle.net/gpsopen/gps/GPSDB/, Sep 2013

  24. Gruteser M, Grunwald D (2004) A methodological assessment of location privacy risks in wireless hotspot network. In: proceeding of SPC 2003. LNCS 2802:10–24

    Google Scholar 

  25. Callegati F, Cerroni W, Ramilli M (2009) Man-in-the-middle attack to the HTTPS protocol. IEEE Secur Priv 7(1):78–81

    Google Scholar 

  26. Ariyapperuma S, Mitchell CJ (2007) Security vulnerabilities in DNS and DNSSEC. In: proceeding of ARES’07

  27. Zafft A, Agu E (2012) Malicious WiFi networks: a first look. In: proceeding of SICK 2012 pp 1038–1043

  28. Aime MD, Calandriello G, Lioy A, Torino PD (2012) Dependability in wireless networks: can we rely on WiFi? IEEE Secur Priv 5(1):23–29

    Google Scholar 

  29. Godber A, Dasgupta P (2003) Countering rogues in wireless networks. In: proceeding of ICPPW’03

  30. Nikbakhsh S, Manaf ABA, Zamani M, Jangeglou M (2012) A nobel approach for rogue access point detection on the client-side. In: proceeding of WAINA’12, pp 684–687

  31. Hwang H, Jung G, Sohn K, Park S (2008) A study on MITM (Man in the Middle) vulnerability in wireless network using 802.1X and EAP. In: proceeding of ICISS’08, pp 164–170

  32. Georgiev M, Lyengar S, Jana S (2012) The most dangerous code in the world: validating SSL certificates in non-browser software. In: proceeding of CCS’12

  33. Lee DH, Kim JG (2013) IKEv2 authentication exchange model and performance analysis in mobile IPv6 networks. Pers Ubiquit Comput

  34. Wang J, Herath T, Chen R, Vishwanath A, Rao HR (2012) Phishing susceptibility: an investigation into the processing of a targeted spear phishing Email. IEEE Tran Prof Commun 55(4):345–362

    Google Scholar 

  35. Test application 1, https://play.google.com/store/apps/details?id=com.andromedagames.schoolrun

  36. Test application 2. https://play.google.com/store/apps/details?id=air.com.cjenm.mpang.gp

  37. Test application 3. https://play.google.com/store/apps/details?id=com.marvel.runjumpsmashforkakaotalk_goo

  38. Test application 4. https://play.google.com/store/apps/details?id=com.pnixgames.sports

  39. Test application 5. https://play.google.com/store/apps/details?id=com.cjenm.monster

  40. WebView. http://developer.android.com/reference/android/webkit/WebView.html

Download references

Author information

Authors and Affiliations

  1. Department of Electrical and Computer Engineering, Sungkyunkwan University, 300 Cheoncheon-dong, Jangan-gu, Suwon-si, Gyeonggi-do, Korea

    Min-Woo Park & Young-Hyun Choi

  2. Military Studies, Taejeon University, 62 Daehakro, Dong-Gu, Daejeon, Korea

    Jung-Ho Eom

  3. Department of Software, Sungkyunkwan University, 300 Cheoncheon-dong, Jangan-gu, Suwon-si, Gyeonggi-do, Korea

    Tai-Myoung Chung

Authors
  1. Min-Woo Park
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Young-Hyun Choi
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jung-Ho Eom
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Tai-Myoung Chung
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Tai-Myoung Chung.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Park, MW., Choi, YH., Eom, JH. et al. Dangerous Wi-Fi access point: attacks to benign smartphone applications. Pers Ubiquit Comput 18, 1373–1386 (2014). https://doi.org/10.1007/s00779-013-0739-y

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00779-013-0739-y

Keywords

Search

Navigation