This paper is to appear at the 22nd ACM Conference on Computer and Communications Security 2015 (CCS), authored by Yangyi Chen, Tongxin Li, XiaoFeng Wang, Kai Chen and Xinhui Han.
In this paper, we report the first large-scale, systematic study on the security qualities of emerging push-messaging services, focusing on their app-side service integrations. We identified a set of security properties different push-messaging services (e.g., Google Cloud Messaging) need to have, and automatically verified them in different integrations using a new technique, called Seminal. Seminal is designed to extract semantic information from a service’s sample code, and leverage the information to evaluate the security qualities of the service’s SDKs and its integrations within different apps. Using this tool, we studied 30 leading services around the world, and scanned 35,173 apps. Our findings are astonishing: over 20% apps in Google Play and 50% apps in mainstream Chinese app markets are riddled with security-critical loopholes, putting a huge amount of sensitive user data at risk. Also, our research brought to light new types of security flaws never known before, which can be exploited to cause serious confusions among popular apps and services (e.g., Facebook, Skype, Yelp, Baidu Push). Taking advantage of such confusions, the adversary can post his content to the victim’s apps in the name of trusted parties and intercept her private messages. The study highlights the serious challenges in securing push-messaging services and an urgent need for improving their security qualities.
Service confusion: Inject messages to Facebook
Service confusion: Steal messages from Skype
Demo here for “Service confusion: Inject messages to Skype”
Demo here for “User confusion: Inject messages to Pinterest”
Demo here for “User confusion: Inject messages to Yelp”