Sensitive data in smartphone applications: Where does it go? Can it be intercepted?

Abstract

We explore the ecosystem of smartphone applications with respect to their privacy practices towards sensitive user data. In particular, we examine 96 free mobile applications across 10 categories, in both the Apple App Store and Google Play Store, to investigate how securely they transmit and handle user data. For each application, we perform wireless packet sniffing and a series of man-in-the-middle (MITM) attacks to capture personal identifying information, such as usernames, passwords, etc. During the wireless packet sniffing, we monitor the traffic from the device when a specific application is in use to examine if any sensitive data is transmitted unencrypted. At the same time, we reveal and assess the list of ciphers that each application uses to establish a secure connection. During the MITM attacks, we use a variety of methods to try to decrypt the transmitted information. The results show that although all tested applications establish a secure TLS connection with the server, 85% of them support weak ciphers. Additionally, 60% of iOS and 25% of Android applications transmit unencrypted user data over the Wi-Fi network. By performing a MITM attack, we capture the username, password, and email in various apps, e.g. Instagram, Blackboard, eBay, and Spotify. We manage to bypass certificate pinning in 75% of the iOS applications, including Facebook. Finally, we observe that data is being forwarded to third-party domains (mostly to domains that belong to Google and Apple).

Anthi, E., & Theodorakopoulos, G. (2018). Sensitive data in smartphone applications: Where does it go? Can it be intercepted? In Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST (Vol. 239, pp. 301–319). Springer Verlag. https://doi.org/10.1007/978-3-319-78816-6_21
