Assessing the Security of Android Dating Apps Värdering Av
DEGREE PROJECT IN COMPUTER ENGINEERING, FIRST CYCLE, 15 CREDITS
STOCKHOLM, SWEDEN 2020

Assessing the Security of Android Dating Apps
Värdering av säkerheten i dating-appar för Android

HAMPUS HAUFFMAN
ADAM MEYER

KTH ROYAL INSTITUTE OF TECHNOLOGY
SCHOOL OF ENGINEERING SCIENCES IN CHEMISTRY, BIOTECHNOLOGY AND HEALTH

Degree Programme in Computer Engineering
Date: June 7, 2020
Supervisor: Shahid Raza
Examiner: Ibrahim Orhan
School of Engineering Sciences in Chemistry, Biotechnology and Health
Swedish title: Värdering av säkerheten i dating-appar för Android

Abstract

Dating apps are continuously becoming a larger part of the social media market. Like any social media app, dating apps utilize a large amount of personal data. This thesis analyzes two dating apps and how they handle personal information from a security and privacy standpoint. This was done by conceptualizing a threat model and then validating the threat through penetration testing on both of the apps in an attempt to find security vulnerabilities. This analysis proves that there is a substantial difference in whether or not app developers take security seriously. It was found that in one of the two apps analyzed, gaining access to personal data was considerably more trivial than expected, as neither TLS nor other encryption was implemented and server-side authorization was lacking in important app features like the one-to-one user chat.

Keywords – Penetration testing, ethical hacking, dating apps, Android, reverse engineering, threat modeling, risk rating

Summary

Dating apps are continuously becoming a larger part of modern social media. Like other social media, dating apps make use of a large amount of personal information to create relevant matches with other users. This work analyzes two dating apps and how they handle sensitive personal data with regard to information security.
This was achieved by creating a threat model that was later validated through penetration testing of each app in an attempt to find security vulnerabilities. In summary, the work shows that there is a clear difference between developers taking security seriously and security being given low priority. In one of the two apps, access to personal data was much easier than expected, as the app lacked encryption of traffic and was deficient in its authorization of users, especially in features such as the one-to-one chat.

Contents

1 Introduction
  1.1 Problem Definition
  1.2 Objective
  1.3 Limitations
    1.3.1 Attack Surfaces
2 Background and Related Works
  2.1 Security Threats and Risk
  2.2 Threat Modeling
    2.2.1 The STRIDE Method
    2.2.2 Risk Assessment
  2.3 The Android Platform
    2.3.1 Android Security Mechanisms
    2.3.2 The Google Play Store
  2.4 Online Dating Apps
    2.4.1 Dating App #1
    2.4.2 Dating App #2
  2.5 Publishing Security Concerns
  2.6 Related Works
3 Method
  3.1 Threat Model
    3.1.1 Identifying Assets
    3.1.2 Finding Threats
    3.1.3 Risk Rating
4 Results
  4.1 Reverse Engineering the Apps
    4.1.1 Reverse Engineering App #2
    4.1.2 Reverse Engineering App #1
  4.2 Tampering with API Requests
    4.2.1 Tampering with API Requests in App #2
    4.2.2 Tampering with API Requests in App #1
  4.3 Disclosure of Chat Messages
    4.3.1 Disclosure of Chat Messages in App #2
    4.3.2 Disclosure of Chat Messages in App #1
  4.4 Spoofing User Identity
    4.4.1 Spoofing User Identity in App #2
    4.4.2 Spoofing User Identity in App #1
5 Discussion
  5.1 Interpretations
  5.2 Implications
  5.3 Limitations
  5.4 Recommendations
6 Conclusions
Bibliography
A HTTP Communication
  A.1 HTTP Response When Fetching Chat Messages in App #2
  A.2 Proof-of-Concept Script for Fetching Chat Messages in App #2

Chapter 1
Introduction

As an increasing number of people are using online dating applications (apps), more and more personal data is being transmitted and stored by the companies developing the apps. To compete in a saturated market of these apps, developers are focusing on extra functionality and ease of use, such as user cloud storage or in-app messaging. This, however, raises the important question of how security and privacy are handled for user data.

Apps in the dating app market are differentiated not only by their features but also by their number of downloads and active users. By examining two dating apps with different levels of popularity and production, light can be shed on how security and privacy are handled in Android dating apps regarding different scenarios and attack surfaces.

The main objective of this report will be to assess the security of two Android dating apps by performing an initial threat modeling phase on each targeted app, followed by penetration testing of the most crucial attack surfaces for the apps, respectively. Doing this on more than one dating app will further highlight how security and privacy are handled in different scenarios, financially and socially. The first app in question is one of a higher standard and downloaded by millions of users. The second app has a significantly smaller user base with a smaller budget, especially with regard to security. Both apps are from the Google Play Store, written in either Java or Kotlin, and are used on Android devices.

1.1 Problem Definition

Mobile applications can be permitted to collect a large amount of personal information, such as physical location or other personal data that is required in dating apps, for example, users' current location, sexual orientation and sexual preferences.
One might therefore expect mobile apps to have more robust security measures than web-based implementations. However, Qin et al. [1] have shown in their work assessing the security of specifically online dating apps that many popular dating apps have had the recurring vulnerability of fully disclosing victims' location. This information could, in worst-case scenarios, easily be taken advantage of by cyber-stalkers but is already a major violation of user privacy. A paper by Patsakis et al. [2], similar to the work by Qin, also shows recurring threats to private user data in dating apps. Patsakis' work shows that many popular apps unintentionally disclose sensitive information such as sexual orientation, preferences, emails, the degree of interaction between users and more. In accordance with the conclusions of Patsakis' work, it is important to disclose security vulnerabilities to inform and engage the public in cyber security and privacy matters but also in order to question programming practices in place for dating apps.

Is it possible to comprehensively assess the security of Android dating apps through penetration testing?

1.2 Objective

The main objective of the project is to assess some general aspects of the security of Android dating apps and to convincingly demonstrate whether the system is secure or not through threat modeling, followed by a series of penetration tests on chosen attack surfaces to validate the threat model. The category in question is online dating apps and the project will focus on the Android platform. Through threat modeling, a systematic process for identifying threats and potential attacks is set in place. A threat model identifies relevant attack surfaces, which are then validated by attempting to find vulnerabilities through penetration testing. Not finding vulnerabilities after these steps can also attest to a sufficient implementation of security in the targeted system.

1.3 Limitations

This project will only focus on the Android platform and the Google Play Store, given that it is one of the largest mobile application markets and its largest competitor, Apple, has a more closed-off platform and a more restricted marketplace for app developers security-wise. Another delimitation for this project is the chosen scope in which to search for possible vulnerabilities, as a fully qualified security audit would be too large of a project within the given time frame.

For identifying and validating threats on a more technical level, the project depends heavily on the decompiled source code for each of the dating apps. The source code can be statically analyzed in an attempt to find errors made by the developers. This also aims to show some contrast between a good and a bad app (security-wise) by showing their different implementations of core security principles. A completely comprehensive analysis of even one app would, however, be impossible for a team of two people within the timespan of a bachelor thesis. Time being a limiting factor, finding entry points and utilizing the threat model for efficient analysis is crucial.

1.3.1 Attack Surfaces

The attack surfaces to be subjected to penetration testing will be chosen through threat modeling and risk rating. For a fair assessment of the chosen dating apps, the threat modeling scope and methods must be comprehensive. Therefore, risk analysis for each threat will be used to also factor in likelihood and consequence. Only those threats that are most likely to occur and have the most critical consequences can then be chosen for validation through penetration testing, making for a more qualitative assessment. Denial of Service attacks will be viewed as out of scope for the penetration testing section of this project, as there is usually no way to legally validate threats for this in a production environment not owned by the testers.