sustainability

Article Efficient Protection of Android Applications through User Authentication Using Peripheral Devices

Jinseong Kim and Im Y. Jung *

School of Electronics Engineering, Kyungpook National University, Daegu 41566, Korea; [email protected] or [email protected] * Correspondence: [email protected]; Tel.: +82-53-950-7237



Received: 22 March 2018; Accepted: 20 April 2018; Published: 22 April 2018


Abstract: Android applications store large amounts of sensitive information that may be exposed and exploited. To prevent this security risk, some applications such as Syrup and KakaoTalk use physical device values to authenticate or encrypt application data. However, by manipulating these physical device values, an attacker can circumvent the authentication by executing a Same Identifier Attack and obtain the same application privileges as the user. In our work, WhatsApp, KakaoTalk, Facebook, Amazon, and Syrup were subjected to the Same Identifier Attack, and it was found that an attacker could gain the same privileges as the user, in all five applications. To solve such a problem, we propose a technical scheme—User Authentication using Peripheral Devices. We applied the proposed scheme to a Nexus 5X smartphone running Android version 7.1 and confirmed that the average execution time was 0.005 s, which does not affect the other applications’ execution significantly. We also describe the security aspects of the proposed scheme and its compatibility with the Android platform and other applications. The proposed scheme is practical and efficient in terms of resource usage; therefore, it will be useful for Android users to improve Android application security.

Keywords: Android vulnerability; Android protection; Same Identifier Attack; User Authentication using Peripheral Devices; Android security

1. Introduction The number of Android application downloads is increasing every year [1]. Android applications, which are often called Android apps, offer various conveniences to users. However, they contain a number of security threats [2–9]. By inserting malicious code into an application and distributing it, it is possible to steal user information or recover messages, photographs, etc., sent and received by a user’s social network service (SNS). Moreover, if an attacker gains access to an account or account token, he/she can use the user’s account. In addition to the security threats listed in Table1, information can be acquired from backup files on the Android system. The original purpose of the backup files is to help restore the user’s information. However, if an attacker misuses them, he/she can analyze the application data in the backup files to obtain personal information for applications such as WhatsApp or Facebook [10,11]. Another form of attack hacks a user’s Android application using backup technology. This method uses the Android Debug Bridge (ADB) to acquire backup data from an unrooted terminal, and then modifies the XML values of the application and restores the backup file [12]. Another method inserts a malicious application into the backup file and restores it [13]. Several methods have been studied to protect application data by enhancing the security of databases [9,14–16]; however, most of these techniques use the International Mobile Equipment Identity (IMEI) value to generate a key to the database file, which can be decrypted by an attacker [17].

Sustainability 2018, 10, 1290; doi:10.3390/su10041290 www.mdpi.com/journal/sustainability SustainabilitySustainability2018 201,810, 8,, 1290x FOR PEER REVIEW 22 of of 20 18

Table 1. Android vulnerabilities published in Common Vulnerabilities and Exposures (CVE) [18]. Table 1. Android vulnerabilities published in Common Vulnerabilities and Exposures (CVE) [18]. Code Memory SQL Gain Gain Year DoS Overflow Bypass ExecutionCode CorruptionMemory InjectionSQL InformationGain PrivilegesGain Year DoS Overflow Bypass Execution Corruption Injection Information Privileges 2014 2 4 1 1 1 2 2 2014 2 4 1 1 1 2 2 2015 56 70 63 46 20 19 17 2015 56 70 63 46 20 19 17 20162016 104 10473 7392 9238 38 48 48 99 99 250 250

20172017 44 44139 13959 5926 26 28 28 52 52 34 34 Total 217 294 219 113 1 102 176 309 Total 217 294 219 113 1 102 176 309 %All 20.9 28.3 21.1 10.9 0.1 9.8 17 29.8 %All 20.9 28.3 21.1 10.9 0.1 9.8 17 29.8

InIn addition addition to to such such attacks,attacks, therethere isis aa newnew attackattack calledcalled the Same Identifier Identifier Attack Attack (SIA) (SIA) [1 [199,20,20]] thatthat can can create create a a copy copy of of an an application application withwith thethe samesame privileges,privileges, usingusing the user’s backup file. file. InIn this this paper, paper, we we introduce introduce the the SIA SIA concept concept and and its its method method of attack,of attack and, and show show the the results results for fivefor applicationsfive applications subjected subjected to SIA: to WhatsApp SIA: WhatsApp [21], which [21], is which used is worldwide; used worldwide; KakaoTalk KakaoTalk [22,23], which [22,23], is widelywhich usedis widely in Korea; used in Facebook Korea; Facebook [22], a representative [22], a representative SNS application; SNS application; Amazon, Amaz a typicalon, a typical global onlineglobal shopping online shopping application; application; and Syrup and [24 Syrup], Korea’s [24], integrated Korea’s integrated membership membership management management application. Inapplication. addition, we In discuss addition, what we an attackerdiscuss can what do, suchan attacker as initiating can real-time do, such conversations, as initiating sending real-time and receivingconversations, files, gainingsending activity and receiving logs, logging files, gaining into other activity linked logs, accounts, logging conductinginto other linked order account inquiries,s, andconducting obtaining order details inquiries, regarding and debit/credit obtaining details card information.regarding debit/credit To prevent card these, information. we propose To a prevent scheme, Userthese, Authentication we propose usinga scheme Peripheral, User Devices Authentication (UAPD), using which Peripheral authenticates Devices the smartphone (UAPD), which from a user’sauthenticates other devices the smartphone such as those from paired a user’s by Bluetooth other devices or configured such as throughthose paired WiFi, toby defend Bluetooth against or SIA.configured This is outlinedthrough WiF in Figurei, to defend1. We against use nonrooted SIA. This smartphones is outlined in as Figure the target 1. We of attackuse non androoted for implementingsmartphones UAPD.as the targetUAPD of is part attack of theand Android for implementing Framework UAPD. and is compatibleUAPD is part with of all the applications. Android InFramework addition, UAPD and is authenticatescompatible with the all user applications. from preconfigured In addition, peripheral UAPD authenticates devices; therefore, the user the from time ofpreconfigured execution required peripheral for userdevices; authentication therefore, the is muchtime of less. execution Through required testing, for weuser confirmed authentication that theis averagemuch less. execution Through time testing, is 0.005 we s. confirmed that the average execution time is 0.005 s.

FigureFigure 1. 1.User User Authentication Authentication using using PeripheralPeripheral Devices ( (UAPD)UAPD) protecting protecting Android Android applications applications against Same Identifier Attack (SIA).against Same Identifier Attack (SIA).

The contributions of this paper are as follows. The contributions of this paper are as follows.  Introduce an application duplication attack that can use the same user privileges • Introduce an application duplication attack that can use the same user privileges The creation of a same-user application without the user’s knowledge can be exploited in a The creation of a same-user application without the user’s knowledge can be exploited in a variety variety of ways. In particular, the attack target is an unrooted device. We also present the risk to of ways. In particular, the attack target is an unrooted device. We also present the risk to Android, Android, at present, because it is possible to create a copy of an application with the same user at present, because it is possible to create a copy of an application with the same user privileges privileges by modifying the physical device values to duplicate the user’s application. by modifying the physical device values to duplicate the user’s application. Sustainability 2018, 10, 1290 3 of 18

• Propose an improved defense of Android applications, which does not depend on the smartphone manufacturer In this paper, a new scheme, UAPD, is proposed to defend Android applications, which does not depend on the smartphone manufacturer. UAPD authenticates the smartphone from a user’s other devices such as paired Bluetooth or configured WiFi devices.

• Avoid exposure to data replication attacks Our proposed framework ensures that UAPD protects the user’s application even if the attacker modifies the physical device values, because it does not use the IMEI, International Mobile Subscriber Identity (IMSI), or phone numbers, which can be modified.

• Optimize performance for real applications UAPD authenticates the user from a device that is preconnected to the smartphone. Therefore, it does not spend much time scanning for peripheral devices; the user authentication time is 0.005 s, on average.

• Compatible with all Android applications All Android applications go through the same processes for execution. We have developed UAPD to be compatible with all Android applications, by adding a user authentication process during its runtime setup.

The remainder of this paper is organized as follows. First, in the Related Works Section, we describe the SIA and other similar types of attacks. We also describe the studies that have been conducted to protect the information of users, for comparison with the method proposed in this paper. The SIA Section presents some background information to understand SIA and its attack methods. It also presents experimental results demonstrating the privileges acquired by executing SIA on WhatsApp, KakaoTalk, Facebook, Amazon, and Syrup, and discusses the risks of this attack. The next section describes the UAPD that can prevent SIA, the structure of UAPD, and its execution steps. The Evaluation Section presents the performance and overhead of UAPD application. We also present a scenario for UAPD, demonstrate that it can defend Android applications against SIA in this situation, and discuss its security stability. Finally, the Conclusion summarizes the previous sections and provides a description of the future work.

2. Related Works Android stores the information used by applications. Application data are mainly stored in an SQLite database. In communication applications, information such as the conversation history and user’s ID are stored. In addition, the information necessary for games, such as the account and cache, are also saved. Therefore, if the application data can be analyzed, the information about its user can be obtained. Dai et al. [17] explained the string decryption algorithm used in WeChat and WhatsApp and the decryption key formula for the encrypted database file structure, and showed that the key generated could be decrypted because it used only the IMEI value. Jain et al. [25] used the SQLite database vulnerability of Android to classify the risks of applications such as WeChat and WhatsApp, and showed that it was possible to modify the database values. While these attacks require rooting an Android device, attacks that can manipulate an application without rooting have also been developed. Hacking Android applications using backup techniques [12] is a method for restoring the XML values of a specific application and analyzing the backup data using Android’s ADB without acquiring root privileges after acquisition. It has been shown that an attacker can change features in an application by using the modified XML. In addition, there exists an Android ADB backup Android Package (APK) injection vulnerability [13], wherein the data stream is not filtered when using the Android backup manager. If a malicious APK is injected into the backup file and the user restores the data from the backup file, the malicious APK will be installed. The passive content leaks and pollution in Android applications [26] can be used to gain access to information in applications, by using the default setting Sustainability 2018, 10, 1290 4 of 18 of Android: exported = “true”. In [27], it was shown that the vulnerabilities of the database could lead to communication between malicious and normal applications. These attacks are possible without rooting only if some application information can be obtained or modified. SIA can be considered to be more critical than the existing attacks because an attacker can use the behavior of all applications available, similar to the original user. Therefore, if an attacker attacks a user using SIA, he/she can obtain application information and impersonate the original user through the application. This attack utilizes the user’s backup file; even if the user’s phone is not rooted, it is possible to copy the target application completely. Therefore, the amount of information or authority ultimately obtained by the attacker is much higher than that of the other existing attacks. The existing methods used for the protection of application data mainly encrypt the SQLite database. Mutti et al. [14] proposed SeSQLite, which integrated SELinux access control functions with SQLite, to manage the granular access policy for database objects. As a result, the database security of Android was enhanced. In a similar fashion, Paraboaschi et al. [15] added AppPolicyModules to SeSQLite, allowing application developers to specify system-level protection for the resources from specific applications. They also suggested interprocess communication with SELinux to prevent other applications from accessing specific applications’ databases and viewing information. However, this method is vulnerable to SIA because it is limited to protecting application data from unauthorized or suspicious applications. If the attacker changes to the same physical value as the user’s smartphone, as in SIA, and runs the application, the device will be recognized as authorized and this method will be disabled. Ardiansa [16] suggested a method for encryption and decryption when writing or reading an Android database. This method has been added to the Android Software Development Kit (SDK), so that developers can easily protect the applications’ data. In addition, because of the encryption/decryption, if the key is not exposed, it will be strong enough to protect the data. However, we uncovered three problems with this method. First, not all developers use this method, as it is costly and hassling to establish a separate setup, and there may be no need to worry about security for a particular application. Therefore, many applications are still vulnerable to the attacks using application data, such as SIA. The second issue is key management. Most of the methods including the Ardiansa proposal are developed for unrooted smartphones. Therefore, if you manage the keys for encryption/decryption in the system area or lower-level areas, the keys may be secure in unrooted smart phones; however, when you back up Android, the backup file will contain all the data needed to run the application. Therefore, if the attacker uses the backup file to perform SIA, the data encrypted by the SQLCipher will be decrypted automatically. This ultimately leads to the SQLCipher being disabled by SIA. The Same Identifier Attack Defensor (SIAD) was proposed to solve these problems comprehensively [19,20]. SIAD is an automated process for protecting against SIA. It identifies the user’s device before the application starts, and it encrypts and decrypts the application data before and after the application runs. It also prevents data exposure during backup. Instead of using the information on the device, new elements are added to each application and are used to validate and defend against SIA. It also encrypts the database for each application to improve the security of the application. However, this proposal will take a long time to run and exit the application if the database size of the application is large. In addition, as it is designed to be compatible with all applications, it results in unnecessary encryption/decryption. Therefore, we improved this approach to defend against the existing SIA and focused on reducing the time overhead that could occur when applying the proposal. We propose a solution, UAPD, to solve the aforementioned problems. The proposed scheme can protect Android applications against SIA even if an attacker sets up a physical value that is the same as that of the user’s smartphone or acquires the application backup data. In addition, unlike SIAD, UAPD does not encrypt/decrypt the application data. Therefore, it is much faster than SIAD and can prevent SIA effectively. Sustainability 2018, 10, 1290 5 of 18 Sustainability 2018, 8, x FOR PEER REVIEW 5 of 20

This section introduces the SIA. We describe the attack procedure of SIA briefly, and show the 3. Same Identifier Attack results for five representative applications subjected to SIA. ThisSIA occurs section because introduces of the the verification SIA. We describe process thees attackrequired procedure by applications of SIA briefly, and the and structure show the of resultsbackup for data. five representative applications subjected to SIA. SIAApplications occurs because using sensitive of the verification information processes on smartphone requireds should by applications be able to andverify the that structure the user ofs backupare correct data. in their execution. However, many applications do not carry out this verification process. SomeApplications applications using such sensitive as Syrup, information WeChat, and on smartphones KakaoTalk use should Short be Message able to verifyService that (SMS) the usersauthentication are correct or inthe their IMEI execution. or Universal However, Subscriber many Identity applications Module do (USIM not carry) information. out this verificationPerforming process.identity Someverification applications using SMS such each as Syrup, time is WeChat, burdensome, and KakaoTalk and it is ambiguous use Short Message to define Service certain (SMS) steps authenticationto be performed or only the IMEI in the or case Universal of suspicion. Subscriber In the Identity case of Module verification (USIM) procedures information. using Performing physical identitydevice values verification such as using the SMSIMEI each and timeUSIM is information, burdensome, these and it values is ambiguous may be toexposed define certainalong with steps the to bevalues performed of the only stored in the data, case as of many suspicion. applications In the case use of the verification right to procedures obtain them. using Alternatively, physical device this valuesverification such as process the IMEI is vulnerable and USIM information,to attack because these ident valuesifiers may can be exposed be changed along directly with the using values an ofAndroid the stored emulator. data, as many applications use the right to obtain them. Alternatively, this verification processThe is backup vulnerable method to attack in Android because can identifiers be changed can beaccording changed to directly the backup using method an Android supported emulator. by the manufacturer,The backup method the backup in Android method canbe using changed ADB, according and the to method the backup by method the backup supported application. by the manufacturer,Nowadays, there the backup is an option method to using protect ADB, the and backup the method file using by passwords.the backup application. However, this Nowadays, is not a therecompulsory is an option option. to protect If implemented, the backup file it will using be passwords. necessary However, to remember this is the not password. a compulsory Moreover, option. Ifdecryption implemented, is possible it will without be necessary knowing to rememberthe password the because password. the Moreover,file can be copied, decryption and isthere possible is no withoutlimit to knowingthe number the of password attempts because at decryption. the file canTherefore, be copied, if the and backup there is file no is limit notto safe the and number can be of attemptsacquired, at SIA decryption. is possible. Therefore, if the backup file is not safe and can be acquired, SIA is possible. InIn order to to understand understand an an SIA, SIA, the the Android Android application application data data structure structure is described is described below below.. The TheAndroid Android file filesystem system is d isivided divided into into six six partitions, partitions, as as shown shown in in Figure Figure 22.. Among Among them, thethe datadata areaarea locatedlocated inin ‘/data/data’,‘/data/data’, called called the the application application directory, directory, contains contains information information related to the AndroidAndroid applications.applications. Permission to access the data area is configuredconfigured by an Android policypolicy [[28].28]. Table2 2 lists lists thethe subdirectoriessubdirectories ofof thethe applicationapplication directory.directory. DependingDepending on thethe typetype ofof application,application, aa personperson cancan obtainobtain informationinformation suchsuch asas thethe applicationapplication usageusage signs,signs, loginlogin information,information, andand useruser tracestraces [[88].].

FigureFigure 2.2. AndroidAndroid partitions.partitions.

TableTable 2.2. ApplicationApplication datadata subdirectoriessubdirectories [[2929].]. Sub Directory Description Sub Directory Description shared_prefs XML file of shared preferences shared_prefslib Custom library XML files file of required shared preferences by application lib Custom library files required by application filesfiles Developer Developer-saved-saved files files cachecache Files Files cached cached by byapplication application databasesdatabases SQLite SQLite and and journal journal files files

FigureFigure3 3 illustrates illustrates thethe attackattack procedure procedure of of SIA. SIA. As As a a precondition, precondition, the the attacker attacker mustmust obtainobtain thethe backupbackup data data that that are are not not encrypted encrypted by the by user. the user.It is quite It is easy quite to copy easy the to copybackup the file backup of any application file of any storedapplication on a smartphone.stored on a smartphone. There are three There ways are for three an attacker ways for to an retrieve attacker the to backup retrieve file the from backup a remote file location.from a remote The firstlocation. is to The retrieve first is the to backupretrieve filesthe backup (“ad”, “bak”,files (“ad”, “Tibkp”, “bak” etc.,), “Tibkp stored”, etc.,) in the stored cloud in (suchthe cloud as Google, (such as Baidu, Google, or OneDrive)Baidu, or OneDrive) or on an individual or on an individual server, through server, the through Internet. the InInternet. this case, In thethis attacker case, the does attacker not have does to not do anythinghave to do with anything the Android with phonethe Android because phone the process because involves the process just a simpleinvolves download. just a simple This download. means that This the means attacker that need the notattacker acquire need the not root acquire permissions the root for permissions the user’s smartphonefor the user’s for smartphone the attack. for The the second attack. is toThe install second a malicious is to install app a onmalicious the user’s app phone on the and user’s instruct phone it toand back instruct up. The it to backup back appup. The is built backup into theapp Android is built phone,into the and Android therefore, phone, rooted and permissions therefore, arerooted not required.permissions The are third not is arequired. physical Theapproach. third Theis a attacker physical installs approach. a malicious The attacker application installs that a can malicious search application that can search for the backup files and send them to him/her. Alternatively, the attacker Sustainability 2018, 10, 1290 6 of 18

Sustainability 2018, 8, x FOR PEER REVIEW 6 of 20 for the backup files and send them to him/her. Alternatively, the attacker can physically connect a user’scan physically smartphone connect to a PCa user’s to acquire smartphone the backup to a PC files. to acquire Of course, the backup the method files. involvingOf course, an the attacker’s method directinvolving access an to attacker the device’s direct is not access an effective to the device attack is method. not an ef However,fective attack since method. the consequences However, since of the attacksthe consequences can be critical, of the the attacks effort tocan attack be critical, is intensified. the effort to attack is intensified.

FigureFigure 3. Same 3. Same Identifier Identifier Attack Attack [19]. IMEI, [19]. InternationalIMEI, International Mobile Mobile Equipment Equipment Identity; Identity; IMSI, International IMSI, Mobile Subscriber Identity. International Mobile Subscriber Identity.

After acquiring these data, the attack progresses through six stages. In the analysis step, the After acquiring these data, the attack progresses through six stages. In the analysis attacker selects a target application and parses information such as the IMEI, IMSI, and phone step, the attacker selects a target application and parses information such as the IMEI, IMSI, number in the backup file. Then, the attacker accesses the target application location and phone number in the backup file. Then, the attacker accesses the target application location (‘/data/data/(App_package_name)’) and checks the UserID and Group ID. Next, the target (‘/data/data/(App_package_name)’) and checks the UserID and Group ID. Next, the target application application data in the backup file are copied to the installed target application directory, the data in the backup file are copied to the installed target application directory, the permissions of the permissions of the copied folders and files are changed, and the IMEI, IMSI, and phone number are copied folders and files are changed, and the IMEI, IMSI, and phone number are set as backup set as backup file information. Once this process is complete, the attacker can run an application with file information. Once this process is complete, the attacker can run an application with the same the same permissions as the user. In other words, the attacker has a replicated application with the permissions as the user. In other words, the attacker has a replicated application with the same same privileges as the user, with the user being unaware of this situation. privileges as the user, with the user being unaware of this situation. Table 3 shows the skills, tools, and background knowledge required by an attacker to perform Table3 shows the skills, tools, and background knowledge required by an attacker to perform the the SIA. It also shows the attack difficulty level. When an attacker attacks with the SIA, the affected SIA.target It alsodevice shows does the not attack need difficultyroot privilege level.s.When Once the an attackerattacker attackshas the with backup the files, SIA, thethe affectedattack can target be devicecarried does out noteasily need because root privileges. not many tools Once or the skills attacker are needed. has the backup files, the attack can be carried out easily because not many tools or skills are needed. Table 3. Same Identifier Attack requirements. Table 3. Same Identifier Attack requirements. Required Skill Required Tool Background Difficulty WebRequired searching Skill RequiredPC Tool Background Difficulty Acquiring Depends on Depends on MaliciousWeb searchingapplication USBPC cable Acquiringbackup backup files files Malicious application USB cable Dependsmethod on method Dependsmethod on method ADBADB ExtractExtract tool tool Analyzing AbilityAbility to to analyze analyze Backup file Analyzing backup files AnalyzeAnalyze tool tool Backup file structure EasyEasy backup files backupbackup files files structure Creating copied PC Creating Enter command — Easy application SmartphonePC copied Enter command — Easy Smartphone application Table4 lists the most popular applications in the Google Play Store across 103 countries. Table5 lists the applications targeted for our attack. Messenger, in the communication category, and Instagram, Table 4 lists the most popular applications in the Google Play Store across 103 countries. Table 5 in the social category, are targeted via WhatsApp and Facebook because they are linked with Facebook lists the applications targeted for our attack. Messenger, in the communication category, and Instagram, in the social category, are targeted via WhatsApp and Facebook because they are linked with Facebook accounts. Moreover, Korea’s KakaoTalk and Syrup applications are considered targets Sustainability 2018, 10, 1290 7 of 18

SustainabilitySustainabilitySustainabilitySustainabilitySustainability Sustainability201 accounts.201 2012018,, 8201888,,,, , ,x,8 88 ,8,FOR , ,,x , x x 8 FOR FOR ,FOR201 x PEERMoreover, FOR8 PEER ,PEERPEER 8, PEERREVIEWx FORREVIEW REVIEWREVIEW REVIEW PEER Korea’s REVIEW KakaoTalk and Syrup applications are considered targets7 of777 of 20 ofof7 because 20 2020of 20 7 of they 20 SustainabilitySustainabilitySustainabilitySustainabilitycan cause 201 201201 2018 more,8 8,8, , 8 ,8x ,8, xFOR,x x damage,FORFOR FOR PEER PEERPEER PEER REVIEW REVIEWifREVIEW REVIEW exploited, than the previously mentioned applications. KakaoTalk7 7of7 7 of of 20of is 2020 20 an becausebecause they they can can cause cause more more damage, damage, if if exploited, exploited, than than the the previously previously mentioned mentioned applications. applications. becausebecausebecausebecause they because they theyinstant they can can can cause can they messaging cause cause cause can more more more cause more (IM) damage, damage, damage, application,more damage, if damage, if exploited,if exploited, ifexploited, similarexploited, if exploited, than to than than WhatsApp, than the the the previously the than previously previously previously but the it previously supportsmentioned mentioned mentioned mentioned various mentioned applications. applications. applications. applications. other applications. functions such KakaoTalkKakaoTalkbecausebecause isis anan they theyinstantinstant can can messagingmessaging cause cause more more (IM)(IM) damage, damage, applicaapplica if tion, iftion,tion, exploited, exploited, similarsimilarsimilar than toto thanto WhatsApp,WhatsApp,WhatsApp, the the previously previously butbutbut itit it mentioned supportssupportssupports mentioned variousvarious various applications. applications. KakaoTalkKakaoTalkKakaoTalkKakaoTalkKakaoTalkbecause becauseisas isanis emoticons, anis aninstant an instant theyinstant they instantis anmessaging can can giftmessaging messaginginstant causemessaging cause cards, messaging more(IM) more account (IM)(IM) (IM) applica damage, damage, applicaapplica transfer, applica(IM)tion, tion,tion, ifapplica if tion, exploited,similar and exploited, similarsimilar shopping.similartion, to to toWhatsApp, similar than than WhatsApp,toWhatsApp, WhatsApp, Syrup the the to previouslyWhatsApp, previously isbut abutbut customized itbut itsupportsit supports supportsit mentioned mentionedbutsupports it applicationvarious supports variousvarious various applications. applications. various in Korea otherother functionsfunctionsKakaoTalkKakaoTalkKakaoTalk suchsuch is is isan as asan an emoticons,instantemoticons, instant instant messaging messaging messaging giftgift cards,cards, (IM) (IM) (IM) accountaccount applica applica applica transfer,transfer,tion,tion,tion, similar similar andsimilarand shopping.shopping. to to toWhatsApp, WhatsApp, WhatsApp, SyrupSyrup but isbutis but a ait customizeditcustomized supportsit supports supports various various various otherotherotherother functions functionsfunctions functionsotherKakaoTalkKakaoTalkthat such functions helps suchsuch suchas is youisas asemoticons, an an emoticons,as emoticons,such to instantemoticons,instant use as andemoticons, gift messagingmessaging giftgift manage cards, gift cards,cards, cards, accountgift (IM)your (IM)accountaccount cards, account applica memberships.applica transfer, transfer,accounttransfer, transfer,tion,tion, and transfer, similarandandsimilar Finally,shopping.and shopping.shopping. shopping. to toand Amazon, WhatsApp,WhatsApp, Syrupshopping. SyrupSyrup Syrup is which isais but but customizedSyrup aais customized customized itisait customized supportsthesupports is topa customized application variousvarious applicationapplicationotherother in infunctions functions KoreaKorea thatthat such such helpshelps as as emoticons, youemoticons,you toto useuse gift and giftand cards, cards,managemanage account account youryour transfer, memberships. memberships.transfer, and and shopping. shopping. Finally,Finally, Amazon, Amazon,Syrup Syrup is is a which which acustomized customized applicationapplicationapplicationapplicationapplicationother otherinin in inKorea the Koreafunctions inKoreafunctions shoppingKorea that in thatthat Korea helpsthat such such helpshelps category, helps youasthat as you youemoticons, emoticons, tohelpsyou to touse is usetouse targeted youand use and andgift gift to manageand manageusemanagecards, cards, for manage and representing youraccount account yourmanageyour yourmemberships. memberships.memberships. transfer, transfer, memberships.your applications memberships. and and Finally, Finally,shopping. Finally,shopping. Finally, in categoriesAmazon, Amazon,Amazon,Finally, Syrup Amazon,Syrup which thatAmazon, is whichiswhich a a which couldcustomizedcustomized which lead to isisis the thethe to totoapplicationpapplicationp applicationapplication application in in inKoreain in Korea Koreathe the shopping thatshopping that that helps helps helps category, category,you you you to to touse useis isuse targeted andtargeted and and manage manage manage for for representing representingyour your your memberships. memberships. memberships. applications applications Finally, Finally, Finally, in in categories categoriesAmazon, Amazon, Amazon, which which which is istheis thetheis to the ptoto applicationp ptoisapplication application application secondarypthe application top application in in damageininthe Korea theKoreainthe shopping the shoppingshopping that ifinshoppingthat abused. the helps helpscategory, shopping category,category, category,you you toisto category, istargeteduse isuse targetedtargetedis and targetedand ismanage formanage targeted forfor representing for representingrepresenting representingyour your for memberships.representingmemberships. applications applicationsapplications applications applications Finally, Finally,in inincategories categoriesincategories Amazon,categories Amazon, in categories which which thatthatthatthatthatthat couldthat could could couldcouldcould iscould isthat isleadtheis the lead thelead leadleadleadthe to couldleadto toto p to to to topsecondary totopapplicationp application secondary secondarytoapplication secondarysecondary secondaryapplicationlead secondary to secondarydamage in damage damage damagedamage indamagein inthe damage thethe the shopping if shoppingshopping shopping ifabused. damageif ififif abused. abused. abused.abused.ifabused. abused. category, category,ifcategory, category, abused. is is is targetedis targetedtargeted targeted for forfor for representing representingrepresenting representing applications applicationsapplications applications in inin incategories categoriescategories categories thatthatthatthat could couldcould could lead leadlead lead to toto tosecondary secondarysecondary secondary damage damagedamage damage if if if abused.ifTable abused.abused. abused. 4. Play Store Ranks [30]. TableTableTableTableTable 4. 4.Play 4.4. Play Play4.TablePlay StorePlay Store StoreStore 4. StoreR Playanks R RRanksanksanks R Store [3anks 0 [3 [3[3].0 0 0R][3]].].]. anks .. 0 ]. [30]. NameTableTableTableTable 4. 4. 4. Play4. Number PlayPlay Play Store StoreStore Store ofR RanksR CountriesRanksanksanks [3 [3[30 [3]00. ]0]..] . Category NameNameNameNameName Name NumberNumberNumberNumberNumber of Number of ofCof ountries Cof CCountriesountries ountriesCountries of C ountries CategoryCategory CategoryCategoryCategory Category 88 Communication MessengerMessengerMessengerMessengerMessengerNameMessenger NameNameName Number88NumberNumberNumber88 8888 88 of ofof 88ofC CountriesC CountriesountriesountriesCommunicationCommunicationCommunicationCommunication Communication CommunicationCategoryCategoryCategoryCategory 69 Communication WhatsAppWhatsAppWhatsAppWhatsAppWhatsAppMessengerMessengerWhatsAppMessenger Messenger 6969 6969 69 88886988 88 CommunicationCommunicationCommunicationCommunicationCommunicationCommunicationCommunicationCommunicationCommunication FacebookFacebookFacebookFacebookFacebookWhatsApp WhatsAppWhatsAppFacebookWhatsApp 5656 5656 56 5669695669 69 SocialSocialSocialSocialCommunicationSocialCommunicationCommunication Communication Social Social InstagramInstagramInstagramInstagramInstagramInstagramInstagramFacebook FacebookInstagramFacebookFacebook 4747 4747 47 4756564756 56 SocialSocialSocialSocialSocial SocialSocialSocial Social FidgetFidgetFidgetFidgetFidget Spinner Spinner SpinnerSpinnerFidget SpinnerInstagramSpinnerInstagramInstagramInstagram Spinner 4040 4040 40 4047474047 47 ArcadeArcadeArcadeArcadeArcade (game) (game) (game)(game)Arcade Arcade(game)SocialSocial SocialSocial (game) (game) ViberViberViberViberFidgetViber FidgetFidgetFidget Viber Spinner SpinnerSpinner Spinner 1717 1717 17 1740401740 40 CommunicationCommunicationCommunicationCommunicationCommunicationArcadeCommunicationArcadeArcade CommunicationArcade (game) (game) (game) (game) WishWishWishWishWish Viber ViberViberWishViber 1616 1616 16 1617171617 17 ShoppingShoppingShoppingShoppingShoppingCommunicationCommunicationCommunicationCommunication Shopping Shopping Pokémon:Pokémon:Pokémon:Pokémon:Pokémon: MagikarpPokémon:Pok Magikarp MagikarpMagikarpé mon:MagikarpWish Magikarp WishJumpMagikarpWishWish Jump JumpJump Jump Jump Jump 1414 1414 14 1416161416 16 SimulationSimulationSimulationSimulationSimulationSimulation (game) Simulation Shopping(game) (game)(game)ShoppingShopping Shopping(game) (game) (game) SnapchatPokémon:Pokémon:SnapchatPokémon:SnapchatPokémon:SnapchatSnapchat SnapchatMagikarp MagikarpMagikarp Magikarp Jump JumpJump Jump 8 888 8 14814148 14 SocialSocialSocialSimulationSocialSimulationSimulationSocialSimulation Social Social (game) (game)(game) (game) SnapchatSnapchatSnapchatSnapchat 8 888 SocialSocialSocialSocial Table 5. Applications targeted for SIA. TableTableTableTable 5. 5.Applications5. Applications Applications5.Table TableApplications 5. 5.Applications targetedApplications targetedtargeted targeted for forfor for fortargetedSIA targeted for SIASIA SIASIA. SIA... . for. for SIA SIA.. TableTableTableTable 5. 5. 5. Applications5. ApplicationsApplications Applications targeted targetedtargeted targeted for forfor for SIA SIASIA SIA. .. . NameNameNameNameName Name Install InstallInstallInstallInstall Range Range RangeRangeInstall Range Range Category CategoryCategoryCategoryCategory Category Influence InfluenceInfluenceInfluenceInfluence Influence Name Install Range Category Influence WhatsAppWhatsAppWhatsAppWhatsAppWhatsAppNameWhatsApp NameNameName 1 B111– B B5B1– –InstallB –5B5Install5 Install –B Install BB5 1B B Range – RangeRange 5Range BCommunication Communication CommunicationCommunication CommunicationCommunicationCategoryCategoryCategoryCategory High HighHighHighHigh Influence Influence InfluenceInfluence High FacebookFacebookFacebookFacebookFacebookWhatsApp WhatsAppWhatsAppFacebookWhatsApp 1 B 111– B B5B1– –B –5B55 –B BB51 11B1 B –B B15–– –5 B–55B5 B B B B SocialSocialSocialSocialCommunicationSocialCommunicationCommunication Communication Communication Social High HighHigh HighHigh High HighHighHigh High KakaoTalkKakaoTalkKakaoTalkKakaoTalkKakaoTalkFacebookKakaoTalk FacebookFacebookFacebook 100 100100100 M100 M – MM500– –M–500500500 100–M5001 M1 M1BM 1 M B– B M B 15–– –5 B–55005B 5 B B BCommunication B MCommunicationCommunicationCommunication CommunicationCommunicationSocialSocialSocial Social Social High HighHighHighHigh High HighHighHigh High AmazonAmazonAmazonAmazonAmazonKakaoTalk KakaoTalkKakaoTalkKakaoTalk Amazon 100100 100100 M 100 M – MM500– –M–100500500500100 100–M100500 M M 100M M M – M M 500–– M–500–500500 500 M MM M MShopping ShoppingShoppingShoppingShoppingCommunicationCommunicationCommunicationCommunication CommunicationShopping Middle MiddleMiddle Middle Middle HighMiddleHighHigh High High SyrupSyrupSyrupSyrupSyrup Amazon AmazonAmazonAmazonSyrup 10 10 10 10M 10M – MM50– –M–10050 5050M100100–100 10 50M MM100 M M M –M500–– M–500–50050500500 MM MM M MLife LifeLifeLife StyleLife Style StyleStyle ShoppingStyle ShoppingShoppingLifeShopping Shopping Style Middle MiddleMiddleMiddleMiddle Middle MiddleMiddleMiddle Middle SyrupSyrupSyrupSyrup 101010 10M M10M –M50–– M–5050–50 50M MM M M LifeLifeLifeLife LifeStyle StyleStyle Style Style MiddleMiddleMiddleMiddle Middle WhatsApp,WhatsApp,WhatsApp,WhatsApp,WhatsApp,WhatsApp, KakaoTalk, KakaoTalk, KakaoTalk,KakaoTalk, KakaoTalk, KakaoTalk, Facebook, Facebook, Facebook,Facebook, Facebook, Facebook,Amazon, Amazon, Amazon,Amazon, Amazon, and Amazon, and andand Syrupand Syrup SyrupSyrup Syrup and were were werewere Syrup were installed installed installedinstalled installedwere on installed on on ona on Nexusa aa Nexus NexusNexusa Nexus on 5X a 5X 5X 5XrunningNexus 5X running runningrunning running 5X running AndroidAndroidAndroidAndroidAndroid versions Android versions versionsversions WhatsApp,versionsWhatsApp,WhatsApp,WhatsApp,WhatsApp, 6.0 versions 6.0 6.06.0 and 6.0 and andand KakaoTalk,7.1, and KakaoTalk,KakaoTalk, 7.1, KakaoTalk, 7.1,6.07.1, KakaoTalk, and 7.1, and andand wereand were7.1, were wereFacebook, Facebook,were Facebook, Facebook,subjectedand Facebook, subjected subjectedsubjected subjectedwere Amazon, Amazon, Amazon,tosubjectedAmazon, Amazon,to toSIAto SIAto SIASIA thatSIA and that that andthatthat andthatandto createdthat and Syrup SIA created created Syrupcreatedcreated createdSyrupSyrup Syrupcreated that awere were were backupa a wereacreatedaa were backup backup backupbackupbackupa installed backup installed installedinstalled installedfile. a file.file. file.backupfile.file. The file.on The onThe onTheTheTheon a onbackup The a a Nexus file. backupa backup backupbackupNexusbackup NexusaNexus backup Nexus The file5X 5X filefile 5Xfilebackupfilefile5X running 5X file running running running running file waswaswaswas createdwas created createdcreated AndroidcreatedAndroidwasAndroidAndroid Androidusing using usingcreatedusing using versions ADB versionsversions versions ADB versionsADBADB usingADB backup. backup. backup.6.0backup. 6.0 6.0 backup.6.0ADB 6.0and andand and If 7.1,backup.IfADB IfIf 7.1, 7.1, 7.1,ADB ADBIfADB and ADB andand backup andand backup werebackupIfbackup were were backupwereADB subjectedwas subjected subjected was subjectedwasbackupwas notwas not notnot available, not to wasavailable, toavailable,toavailable, toSIA available, SIASIA SIAnot that that that thatasthatavailable, as ascreatedasin created createdcreated as increatedinthein thein thethe case theaas a case acasea backupcase a in backupbackup caseofbackup the ofofFacebookof Facebookof FacebookFacebook file.casefile. file.file. Facebookfile. TheTheof TheThe TheandFacebook backup backupand and andbackupbackup backupand filefile and filefile file was WhatsApp,WhatsApp,WhatsApp,WhatsApp,WhatsApp,waswasWhatsApp,waswas Huaweicreated created Huawei Huawei Huaweicreated createdcreated Huawei usingba using Huaweiba usingckupba usingbausing ckupbackupckup ADB ckup ADB was ADB ADB ADB was backup.wasbawas used.wasckupbackup. backup. used. backup.used.used.backup. used. Thewas If The ADB TheTheIf IfAndroid used.IfTheADBIf Android ADBAndroid ADBAndroid backupADB Android Thebackup backup backup backupemulator wasAndroid emulator emulatoremulator emulatorwas not was waswas available,used not emulator not used notusedusednot available, used Androidavailable, available, available, Android AndroidAndroid as Androidused in theversionas as Android asversion asversionversionin case in inversion inthe the the ofthe4.4 case Facebook4.4 4.4version4.4case caseofcase 4.4 of ofoftheof of of thethe theofthetheFacebook Nox Facebook4.4 Facebookthe Facebookand Nox NoxNox of Nox WhatsApp, the and andNox andand AppAppAppApp AppPlayer Player PlayerPlayerWhatsApp, PlayerWhatsApp,AppWhatsApp,WhatsApp, 3.8.1.2Huawei 3.8.1.2 3.8.1.23.8.1.2 Player 3.8.1.2 [3 1[3Huawei backup[3 [3]. HuaweiHuawei3.8.1.2 1 1 Huawei1[3In].].].].]. 1 In In InInaddition,].In addition, Inaddition, addition, wasaddition,addition,[3ba baba addition,1ckupba].ckupckupused. ckupIn root addition, was root root rootwasrootrootwas Thewas privilegesroot used. privileges privileges privilegesused.privilegesprivilegesused. Androidused. privileges root The TheThe The wereprivileges Android emulatorwere were AndroidwerewerewereAndroid Android were used used used usedusedused usedemulatorwereto usedemulatoremulator emulator toto tochangetoto change changeto changeusedchangechange Android change used theusedtoused used the the thethethechange IMEI, Androidthe version AndroidIMEI, IMEI, AndroidIMEI,IMEI,IMEI,Android IMEI, IMSI,the IMSI, IMSI, IMSI,IMSI,IMSI, 4.4version IMEI, IMSI,versionversion versionand of and and andandand the phoneIMSI,and 4.4 phone phone 4.4 Noxphonephone4.4phone 4.4 ofphone ofandof of Appthe the the the phone Nox Nox PlayerNox Nox numbers.numbers.numbers.numbers.numbers.App AfterAppnumbers.AppApp After 3.8.1.2AfterAfter Player After Player Player changingPlayer changing changingchanging [31 Afterchanging3.8.1.2 ]. 3.8.1.23.8.1.2 3.8.1.2 In these addition,changing these[3 these these [3[3 1 [3these]. 11values,1]. ].In ]. values, values,Invalues,In Inaddition, root thesevalues, addition,addition, addition, the privileges the thethevalues, root the rootroot root rootroot rootrootprivileges privilegesthe privileges wereprivileges privilegesprivileges privilegesprivileges root used wereprivileges were were towere werewere werewere changerevoked, revoked,used revoked, revoked, usedused usedrevoked,were theto to to andto change IMEI,revoked, changeandchange andandchange theand the the IMSI,the theappl the the the appl andtheapplappl IMEI, andications applIMEI,IMEI, IMEI,icationsicationstheicationsicationsications phone ications IMSI, appl IMSI,IMSI, IMSI,were were were ications numbers.werewerewereand andandwere and phone phonephone phone were After executed.executed.executed.executed.executed.numbers. numbers.executed.numbers.numbers. changing After AfterAfter After these changing changingchanging changing values, these the thesethese these root values, values,values, values, privileges the thethe the root rootroot wereroot privileges privilegesprivileges privileges revoked, were were andwere were revoked, the revoked,revoked, revoked, applications and andand and the thethe the were appl applappl appl executed.icationsicationsicationsications were werewere were AllAllAllAll fiveexecuted.All executed. fiveexecuted. fiveexecuted.five applicationsfive applications Allapplicationsapplications Allapplications five five applications applicationswere were werewere were attacked attacked attackedattacked attackedwere were successfully. attacked successfully. successfully.successfully. attacked successfully. successfully. successfully. Table Table TableTable Table 6 summarizes6 66 summarizes summarizesTablesummarizes6 Tablesummarizes 66 summarizes summarizes the the thethe possibl the possibl possiblpossibl possibl thee the informationee e possibl information information possibleinformatione informatione information information leakedleakedleakedleakedleakedleakedleaked by byby by bybytheleaked by the the leakedthethethe SIAAll theAll All SIASIA AllSIASIASIA .fiveby SIAWhatsApp, five five...five . . WhatsApp,WhatsApp, theby WhatsApp,WhatsApp,WhatsApp, applications. WhatsApp,applications applicationsSIAapplications the. WhatsApp, SIA. KakaoTalk, KakaoTalk,KakaoTalk, KakaoTalk,KakaoTalk,KakaoTalk, wereKakaoTalk, WhatsApp, were werewere attackedKakaoTalk, attacked attackedandattacked and and andandand Facebookand Facebook KakaoTalk,Facebook FacebookFacebookFacebooksuccessfully. successfully.Facebook successfully.successfully. and could Facebook could couldcould could and beTable TableTablebe beTableusedbe Facebookcould beused usedused 6 used 6to 6summarizes6 summarizes summarizesto toimpersonatebesummarizesto impersonate toimpersonateimpersonateused impersonate could to impersonatethe the bethe others,the possibl others, others,others,possibl possiblusedpossibl others, which e which towhich e whicheinformationothers, e informationwhich informationinformation impersonate which couldcouldcouldcouldcould lead leadleadleakedleadleadleadleaked couldleaked leakedlead toothers, to to to to to secondary by to secondarybylead secondaryby secondary secondary secondaryby the secondarythe whichthe the SIA to SIASIA SIA secondary. damage WhatsApp,could. . damageWhatsApp,. damageWhatsApp, damage damage damageWhatsApp, damage lead due damage due due due due due KakaoTalk,to dueKakaoTalk, toKakaoTalk, KakaoTalk, secondary to to to to to the to the the thedue the the abuse the abuseabuse abuseand to andandabuse and damage the ofFacebook Facebook ofFacebook ofFacebook of social abuse of social social social due social- engineering could of-- -- engineeringcould-engineeringcould engineeringto could- socialengineering the be bebe beused- abuse engineering usedused used hacking. hacking.to hacking. hacking. to ofto toimpersonate hacking. impersonateimpersonate social-engineeringimpersonate In hacking. In In In addition, In addition, addition, addition, others, addition, others, others, others, In addition, which which hacking.which which KakaoTalkKakaoTalkKakaoTalkKakaoTalkKakaoTalkcouldcouldKakaoTalkcould couldandIn and andand addition, lead Facebookand lead lead Facebook leadFacebookFacebook Facebook to and to to to secondary KakaoTalk secondary secondarywereFacebook secondary were werewere were linked linked linkedlinkedlinkedlinked damage linkedwere anddamage damage damage with with with withwithwith Facebooklinked with other due other otherdueother dueotherother due other with toapplicat to to applicatapplicat were toapplicatapplicatapplicat the theotherapplicat the the abuse linkedions abuseabuseabuse ionsionsionsapplicationsions ionsor of or or withoror ofwebsites;or of of socialorwebsites; websites; websites;websites;websites;ions social social socialwebsites; other -orengineering- -engineeringtherefore,- engineeringwebsites;engineering applications therefore, therefore, therefore,therefore,therefore, therefore, SIA therefore,hacking. SIA SIAhacking.SIA hacking. hacking. orwasSIA was was websites;was morewas SIA Inmore moremore In In Inmore addition, was addition, addition, addition, therefore, more dangerous,dangerous,dangerous,dangerous,dangerous,KakaoTalkKakaoTalkdangerous,KakaoTalk KakaoTalkasSIA as asadditionalas additionalas additional wasadditional additional and and moreandasand additionalFacebookinformation Facebook Facebook informationFacebook informationinformation dangerous, information were information werewere werecould could could could aslinked linkedcouldlinked linked additionalbe be becollectedbe with could becollected withcollectedcollectedwith with collected other otherbeother informationother from collected from fromfromapplicat applicatapplicat from linkedapplicat linked linkedlinked linkedfromions couldwebsitesionsionsions websites websiteswebsites orlinked websitesoror or bewebsites; websites;websites; websites;or collected websites or orapplicationor applicationor applicationapplication therefore,application therefore,therefore, therefore, fromor applications. sUnlike linkedss ... SIA. . Unlike Unlike Unlike UnlikesSIAUnlikeSIA .SIA Unlike was was websiteswaswass . moreUnlike moremore more or otherotherotherotherother app app appappdangerous,lications, dangerous,appotherdangerous,dangerous,lications,lications,lications,lications,applications.lications,lications, app KakaoTalk lications, as KakaoTalk KakaoTalk KakaoTalk KakaoTalkasKakaoTalkas asadditional KakaoTalk additionaladditional additional Unlike KakaoTalk allow allow allow allowallowallow otherinformation informationallowinformation edinformationeded edan applications, ed allowan an anattacker an attacker attackerattacker couldedattacker couldcould could an to betoattacker touse to beKakaoTalkbe be usecollectedto useuse collectedcollectedunused collecteduse unused unusedunused to unused use fromgift allowed fromfrom from gift giftunusedgift cards giftlinked cardslinked cardslinked cardslinked cards anbecause gift websites because because attackerbecause websiteswebsites websitescardsbecause the thebecause orthethe to orattackeror theor application attacker useattackerapplicationattackerapplication application attacker unusedthe ha haattacker hadha s dhad.ds s Unlike. s gift . d Unlike.Unlike Unlike ha cards d thethethethethethe purchasethe purchase purchase purchase purchase purchase purchaseotherothertheotherotherbecause details purchaseapp detailsapp detailsapp details details detailsapp lications, detailslications,lications, thelications, and and and and and andattacker details numbersand KakaoTalk numbers numbers numbers numbers numbersKakaoTalkKakaoTalk KakaoTalk numbers and had and numbers the and and andand andallow allow andcouldpurchaseallow allow couldcouldcould edcould ed andededcollect an ancollectan collectcollectan detailsattacker could collectattackerattacker attacker information information information informationandcollect informationto toto numberstouse useuse use informationunused unused suchunused unused such such such and such as gift as gift ascould asgift thegift as thecardssuch the the cardscards user’scards the collect user’s user’s user’s as because user’sbecausebecause because the address information address address address user’s addressthe thethe theand attacker attacker addressandattacker and andattacker and such ha ha asandha hadd d thed privateprivateprivateprivateprivate informationthe informationtheprivatethe information informationthe user’s informationpurchase purchase purchase purchase addressinformation by details by byby details detailschecking details by andchecking checking checking checking and private andby and and the numberschecking numbers the numbers the thenumbers information user’s the user’s user’s user’s user’s and the payment and and and payment payment payment user’scould by paymentcould couldcould checking history.collect payment collect history.collect history.collect history. history. the information Becauseinformation information user’sinformation history.Because Because Because Because payment Ama Because AmaAma suchAma such such Amazon suchzon zon history.zon as as zoncould as asAma the could couldcould the the the could user’s Becausezon user’sstore user’s user’s storestorestore could store address the address addressAmazon addressthe the the store the and and andcould andthe debit/creditdebit/creditdebit/creditdebit/creditdebit/creditprivateprivatedebit/creditprivateprivate cardstore card cardcard cardnumber information the information informationnumber number informationnumber debit/creditnumber card used usednumber usedused used byfor by by byfor forfor checkingcardpayment, checking for checking used payment, checkingpayment,payment, numberpayment, for thesome payment, the the some thesomesome used user’s some user’scard user’s user’s cardcard forcard cardsomeinformation payment payment, payment informationpayment informationinformation payment information card history.information some history. history.could history. could couldcould cardcould be Because Becausebe Because be informationleaked,be Because could beleaked, leaked,leaked, leaked, Ama andbe Ama Ama Ama and andandleaked, zon the couldandzon zon thezon thethe attacker couldthe attacker couldattacker beandcouldattackercould attacker leaked, thestore storestore store attacker and the the the the the couldcouldcouldcouldcould change change changechangedebit/creditdebit/credit coulddebit/creditchangedebit/creditattacker the the thethechange shipping the shipping shippingshipping card could cardshippingcard card the number location number changenumber shippingnumber location locationlocation location used theorusedused used orlocation ororcollect shipping for collector collect collectforfor for collectpayment, payment, payment, thepayment, or the thethe locationuser’scollect the user’s user’suser’s some user’s somesome addresssomethe address oraddressaddress card user’s cardaddress collectcard card throughinformation information information through addressthroughinformationthrough the through user’s the throughthe thethe ordercould the could addresscouldorder ordercouldorder order history, bethe be behistory, history, history,beleaked, throughleaked,orderhistory,leaked, leaked, similar similar history,similarandsimilar and and similar theand the to thethe order the to to toattackersimilar attacker attackerto attacker history, to KakaoTalk.KakaoTalk.KakaoTalk.KakaoTalk.KakaoTalk.couldcouldKakaoTalk.could couldFinally,similar Finally, Finally, Finally,change changeFinally,change change towhen whenFinally, KakaoTalk.whenthewhen the the whenthe Syrupshipping shipping shipping Syrup shippingSyrupSyrup whenSyrup use Finally, use uselocationuse d Syruplocation location use locationdadd membership a ada membershipwhen membership membershipause or membership oror orcollectd collect collect Syrupacollect membership card,the the usedthecard, card,thecard, user’s card, user’suser’sthe user’s a thethethe membershipstore addressthecard, storeaddressstoreaddress storeaddress store name the name namename through namethroughstorethrough throughwas card, was waswas namedisplayed;was the thedisplayed; displayed; thedisplayed;the the displayed;order storewas orderorder order displayed;thus,history, name history, history, thus, history,thus,thus, thus, the was the thesimilarthe similar similar thesimilarthus, displayed; tothe toto to radiusradiusradiusradiusradius of ofKakaoTalk. oftheofKakaoTalk.radiusKakaoTalk. KakaoTalk. the ofthethethus, user’s the user’s user’suser’s of theuser’s movementthe Finally, radiusmovement movementFinally,movementFinally, Finally,user’s movement ofwhen movement whenwhen c thewhenould c ccouldould ould user’s Syrupc Syrup ould SyrupbeSyrup be bebeascertained c movement beuseascertained ouldascertained ascertained useuse useascertaineddd d abed a amembership a membershipascertainedmembership membershipand could and andand theand the the bethe user’s the ascertaineduser’s anduser’scard,user’s card, card,user’scard, locationthe the location location locationthethe theuser’s location store storestore andstore can canlocation cannamecan thenamebe namecanname be bebeviewed user’s wasbe viewed viewed viewed was wascan wasviewed displayed; location bedisplayed;anydisplayed; displayed; any anyviewedany time.any time. time.time. can time. thus, anythus,thus, be thus, viewedtime.the thethe the InIn InInaddition,InIn addition,addition, In addition,addition,addition, addition,radiusradiusInradiusradius becauseany addition, because because becausebecausebecause of time.because ofof ofthe the the membershipthe membershipuser’smembershipInbecause membership membershipmembership user’suser’s user’smembership addition, movement movementmovement membershipmovement cardbecause card card cardcardcard cardnumbers c numbersnumbers numbersnumbersnumbers ouldcc ouldc ouldnumbersmembershipould card be werebebe benumbers ascertained were were wereascertainedascertained ascertained were disclosed, disclosed, disclosed,disclosed, card disclosed,were and numbers and and membershipdisclosed,and membership the membershipmembership thethe themembership user’s user’suser’s wereuser’s membership locationpoints disclosed, locationlocation locationpoints pointspoints points were can were werecanwerecan canpoints membership were beeasy be be easy beeasyeasyviewed viewed viewedeasytowereviewed to use,toto use, touse, use,easyany pointsuse,anyany any time.to time.time. time.use, were whichwhichwhichwhichwhich could c InccouldouldInouldwhichIn Incaddition, easy ould addition,causeaddition, addition, cause causecause c tocauseould problems. use, problems.because problems.problems. becausebecause becausecauseproblems. which membershipproblems. membership membershipcould membership cause card problems. cardcard card numbers numbersnumbers numbers were werewere were disclosed, disclosed,disclosed, disclosed, membership membershipmembership membership points pointspoints points were werewere were easy easyeasy easy to toto touse, use,use, use, whichwhich whichwhich c ould cc ouldcouldould cause causecause cause problems. problems.problems. problems.

SustainabilitySustainability 201 2018,8 8, ,8 x, xFOR FOR PEER PEER REVIEW REVIEW 8 8of of 20 20 Sustainability 2018, 8, x FOR PEER REVIEW 8 of 20 Sustainability 2018, 10, 1290 8 of 18 Sustainability 2018, 8, x FOR PEER REVIEW TableTable 6. 6. Results Results of of the the SIAs. SIAs. 8 of 20 Table 6. Results of the SIAs. Sustainability 2018, 8, xChat FORChat PEER REVIEWAccountAccount AccountAccount PaymentPayment 8 of 20 ApplicationApplication Chat Account TableAccount 6. Results of thePayment SIAs. OthersOthers VersionVersion Application HHistoryistory InformationInformation LinksLinks InformationInformation Others Version History Information TableLinks 6. ResultsInformation of the SIAs. Chat AccountTable Account6. Results of thePayment SIAs. ReceivingReceiving and and WhatsAppApplicationWhatsApp ㅇㅇ ㅇㅇ ReceivingOthers and 2.17.1462.17.146Version WhatsApp Historyㅇ Informationㅇ Links Information sendingsending files files 2.17.146 ChatChat AccountAccount AccountAccount PaymentPayment sending files ApplicationApplication MMobileReceivingobileOthers voucher voucher and OthersVersion Version WhatsApp HHistoryistoryㅇ InformationInformationㅇ Links Links Information Information Mobile voucher 2.17.146 sendinginquiryinquiry files KakaoTalkKakaoTalk ㅇㅇ ㅇㅇ ㅇㅇ ㅇㅇ Receivinginquiry and 6.2.06.2.0 KakaoTalkWhatsApp ㅇㅇㅇ ㅇㅇ ㅇ ㅇ ㅇ ReceivingReceivingMobileReceiving voucher and and and sending2.17.1466.2.0 files 2.17.146 Receivingsending filesand sendingsendinginquiry files Mobilefiles voucher inquiry KakaoTalk ㅇㅇ ㅇ ㅇㅇ ㅇㅇ ㅇ Msendingobile voucher files 6.2.0 6.2.0 SecuritySecurityReceivingReceiving code code and and sending files FacebookFacebook ㅇㅇ ㅇㅇ ㅇㅇ Securityinquiry code 120.0.0.18.72120.0.0.18.72 FacebookKakaoTalk ㅇㅇㅇ ㅇㅇ ㅇㅇㅇ ㅇ ㅇ generationgenerationsendingSecurity files code120.0.0.18.72 generation6.2.0 120.0.0.18.72 Receivinggeneration and AmazonAmazon ㅇㅇ ㅇ ㅇㅇ ㅇ Security code 5.1.05.1.0 5.1.0 AmazonFacebook ㅇ ㅇㅇ ㅇ ㅇ sending files 120.0.0.18.725.1.0 SyrupSyrup ㅇㅇ ㅇUser’sUser’sgeneration location locationUser’s location5.4.15.4.1 5.4.1 ㅇ Security code Syrup ㅇ ㅇ ㅇ User’s location 5.4.1 FacebookAmazon ㅇ ㅇㅇ: Acquire: Acquire information information.ㅇ . 120.0.0.18.725.1.0 ㅇ ㅇ: Acquire information. generation Syrup : Acquire informationㅇ. User’s location 5.4.1 Amazon ㅇ ㅇ 5.1.0 44. .N Newew D Defenseefense against against SIA SIA ㅇ: Acquire information. 4. New4. New Defense DSyrupefense against against SIA SIA ㅇ User’s location 5.4.1 ThisThis section section describes describes the the User User Authentication Authenticationㅇ: Acquire informationusing using Peripheral Peripheral. Devices Devices (UAPD) (UAPD) scheme, scheme, as as a a 4. NewThis D sectionefense againstdescribes SIA the User Authentication using Peripheral Devices (UAPD) scheme, as a defensedefenseThis against against section SIA SIA. .UAPD describes UAPD is is a a method method the User that that authenticates authenticates Authentication the the user’s user’s using smartphone smartphone Peripheral by by using using Devicesthe the user’s user’s (UAPD) scheme, defense against SIA. UAPD is a method that authenticates the user’s smartphone by using the user’s devicesdevices4. NewThis such suchD efensesection as as smart smart againstdescribes watches, watches, SIA the smartUser smart Authentication bands, bands, Bluetooth Bluetooth using earphones, earphones, Peripheral WiFi WiFiDevices routers, routers, (UAPD) etc., etc., scheme, which which are areas a as adevices defense such against as smart SIA. watches, UAPD smart is bands, a method Bluetooth that earphones, authenticates WiFi routers, the user’s etc., smartphonewhich are by using the usuallyusuallydefense used used against by by the theSIA original original. UAPD user. user.is a methodWe We added added that some someauthenticates routines routines tothe to the theuser’s Zygote Zygote smartphone process. process. Weby We usingfirst first describe thedescribe user’s user’susually devicesThis used section by such the describes original as smart the user. watches,User We Authentication added smart some bands,routines using Peripheral Bluetoothto the Zygote Devices earphones, process. (UAPD) We WiFifirst scheme, describe routers, as a etc., which are thethedevicesdefense background background against such asfor for SIA smartunderstanding understanding. UAPD watches, is a method UAPD, smartUAPD, bands,thatand and authenticatesthen then Bluetooth we we describe describe earphones,the user’sthe the overall overall smartphone WiFi process process routers, by of of usingUAPD. etc.,UAPD. whichthe user’s are usuallythe background used by for the understanding original user. UAPD, We addedand then some we describe routines the overall to the process Zygote of process.UAPD. We first describe the usuallydevices used such by as the smart original watches, user. smart We added bands, some Bluetooth routines earphones, to the Zygote WiFi process. routers, We etc., first which describe are 4.1.4.1.the Background Background background for understanding UAPD, and then we describe the overall process of UAPD. background4.1.usually Background used for by understanding the original user. We UAPD, added andsome then routines we to describe the Zygote the process. overall We process first describe of UAPD. theThe backgroundThe Zygote Zygote process process for understanding has has bee beenn used used UAPD, from from theand the initial theninitial we version version describe of of Android Androidthe overall to to the processthe present present of UAPD.[3 [322].]. When When 4.1. BackgroundThe Zygote process has been used from the initial version of Android to the present [32]. When 4.1.anan Backgroundapplication application is is run run on on an an Android Android system, system, Zygote Zygote is is called. called. It It is is a a neutral neutral process process that that is is forked forked an application is run on an Android system, Zygote is called. It is a neutral process that is forked aheadahead4.1. BackgroundofThe of time time Zygote in in order order process to to run run has applications applicationsbeen used from quickly quickly the on initialon Android Android version systems. systems. of Android to the present [32]. When ahead of time in order to run applications quickly on Android systems. anThe InapplicationIn Android, Android, Zygote ifis ifprocess you runyou clickon click an hason on Android an an been application application usedsystem, fromto toZygote run run theit, it, startActivityis startActivity initial called. version It is function functiona neutral of Androidwill will process be be called called that to from the fromis forked present the the [32]. When an InThe Android, Zygote ifprocess you click has on bee ann applicationused from the to runinitial it, startActivityversion of Android function to willthe presentbe called [3 from2]. When the applicationLauncher,Launcher,ahead of and timeand is the run thein Activityorder Activity on anto Managerrun Manager Android applications will will system, be be called, quicklycalled, Zygoteas as on shown shown Android is in in called.Figure Figure systems. 4. 4. ItThis This is awill will neutral initialize initialize process the the Dalvik Dalvik that is forked ahead Launcher,an application and the is runActivity on an Manager Android will system, be called, Zygote as shown is called. in Figure It is a 4. neutral This will process initialize that the is Dalvik forked VMVM from fromIn Android,Zygote Zygote using usingif you startVizZygote startVizZygoteclick on an application function function ,to ,load loadrun theit, the startActivity resources resources in infunction advance, advance, will and and be create calledcreate a froma child child the of timeVMahead from in of order timeZygote in to orderusing run to startVizZygote applications run applications function quickly quickly, load on Android Androidthe resources systems. systems. in advance, and create a child processprocessLauncher, using using and fork forkthe Activity functionfunction .Manager . In In order order will to to be run run called, an an application, as application, shown in Figure the the child child 4. This application application will initialize executes executes the Dalvik the the processInIn Android, Android, using fork if if youfunction you click click .on In an on order application an to application run to an run application, it, startActivity to run the it, childstartActivityfunction application will be called function executes from the willthe be called from applicationapplicationVM from processZygote process using by by passing passingstartVizZygote the the child child function process process, fromload from the the the resources Zygote Zygote to toin the advance, the execution execution and flowcreate flow of ofa thechild the applicationLauncher, and process the Activity by passing Manager the will child be processcalled, as from shown the in Zygote Figure 4. to This the will execution initialize flow the ofDalvik the theapplicationapplicationprocess Launcher, using class. class. and forkWhen Whenthe function all all Activity applications applications. In order Manager are are to executed, runexecuted, will an application, bethe the called,Zygote Zygote theprocess asprocess shown child is is applicationperformed. performed. in Figure executesTherefore, Therefore,4. This the will initialize the applicationVM from Zygote class. Whenusing allstartVizZygote applications functionare executed,, load thethe Zygoteresources process in advance, is performed. and create Therefore, a child Dalvikwhenwhenapplication the VM the Zygote Zygote from process process Zygoteprocess by passing is is using modified, modified, the startVizZygote child the the running process running fromapplication application function, the Zygote will will load follow tofollow the the the execution the resources operation operation flow ofin of of the advance, the the and create whenprocess the using Zygote fork process function is . modified, In order theto run running an application, application the will child follow application the operation executes of the the modifiedmodifiedapplication Zygote Zygote class. process. process. When UAPD allUAPD applications defends defends against againstare executed, SIAs SIAs by by the modifying modifying Zygote processthe the Zygote Zygote is performed. and and the the applicat applicat Therefore,ionion a childmodifiedapplication process Zygote process using process. by fork passing UAPD function. defends the child against In process order SIAs from toby runmodifying the Zygote an application, the to Zygote the execution and the the childapplicat flow of application ion the executes endendwhen routine routine the of Zygoteof the the Android Android process runtime runtime is modified, area area shown shown the running in in Figure Figure application 5. 5. will follow the operation of the theendapplication application routine ofclass. the process AndroidWhen all by runtime applications passing area shown theare executed, child in Figure process the 5. Zygote from process the is Zygote performed. to the Therefore, execution flow of the modifiedThereThere Zygoteare are multiple multiple process. ways ways UAPD to to defends terminate terminate against Android Android SIAs applications,by applications, modifying e.g.,the e.g., Zygote finishAffinity finishAffinity and the applicat functionfunctionion, , whenThere the Zygote are multiple process ways is modified, to terminate the running Android application applications, will e.g., follow finishAffinity the operation function of the, applicationfinishAndRemoveTaskfinishAndRemoveTaskend routine class. of the Android When function function allruntime, applications,and and killProcessarea killProcess shown arefunction infunction Figure executed,. .For 5.For all all application theapplication Zygote termination termination process methods ismethods performed. Therefore, finishAndRemoveTaskmodified Zygote process. function UAPD, anddefends killProcess against functionSIAs by . modifyingFor all application the Zygote termination and the applicat methodsion whenexcludiexcludi theTherengng ZygotekillProcess killProcess are multiple process function function ways is, modified,,an an toapplication application terminate the is runningis Androidterminated terminated applications,application by by the the Destroy Destroy e.g., will function finishAffinity followfunction function. thefunction.operation function For For , of the modified excludiend routineng killProcess of the Android function runtime, an application area shown is in terminated Figure 5. by the Destroy function function. For finishAffinityfinishAffinityfinishAndRemoveTask function function, ,all all function parent parent activities ,activities and killProcess can can be be closed closed function in in any any. For activity, activity, all application and and since since termination there there is is no no need methodsneed to to ZygotefinishAffinityThere process. are function UAPD multiple, all defends parent ways toactivities against terminate can SIAs be Android closed by modifying in applications, any activity, the e.g.,and Zygote since finishAffinity there and is the no function need application to , end routine useuseexcludi finish finishng function function killProcess in in a a root functionroot activity, activity,, an the applicationthe current current acti isacti terminatedvityvity does does not notby have havethe Destroyto to go go to to thefunction the root root activity. function.activity. For For For of theusefinishAndRemoveTask finish Android function runtime in a root function area activity, shown, and the killProcess current in Figure acti functionvity5. does. For not all have application to go to terminationthe root activity. methods For finishAndRemoveTaskfinishAndRemoveTaskfinishAffinity function function ,function all parent, ,the the activities activity activity canis is quit, quit,be closed and and the inthe anyapplication application activity, isand is removed removed since there from from is theno the needTask Task to finishAndRemoveTaskexcluding killProcess function function, ,an the application activity is quit,is terminated and the applicationby the Destroy is removed function from function. the Task For Manager.Manager.useThere finish However, However,function are multiple in even even a root though though waysactivity, the the tothe application application terminatecurrent acti is isvity terminated, Android terminated, does not have the applications, the process to process go to isthe is not notroot e.g., terminated. terminated.activity. finishAffinity For function, Manager.finishAffinity However, function even, all parent though activities the application can be closed is terminated, in any activity, the processand since is there not is terminated. no need to finishAndRemoveTaskTherefore,Therefore,finishAndRemoveTask it it is is possible possible to to functionconfirm confirm function, ,that thethat theactivity andthe application application killProcess is quit, class’s andclass’s function.the onCreate onCreate application function Forfunction is all removed will applicationwill not not frombe be executed executed the termination Task methods Therefore,use finish itfunction is possible in a toroot confirm activity, that the the current application activity class’s does onCreate not have function to go to willthe rootnot beactivity. executed For ifif theManager. the application application However, finishes finishes even termination termination though by theby calling calling application finishAndRemoveTask finishAndRemoveTask is terminated, the function function process and and is then then not runs runs terminated. again. again. excludingiffinishAndRemoveTask the application killProcess finishes function termination function,, the byactivity an calling application is finishAndRemoveTask quit, and isthe terminatedapplication function is removed by and the then from Destroy runs the again. Task function function. InIn Therefore,the the case case of of it killProcess iskillProcess possible function tofunction confirm, ,the the that Destroy Destroy the application function function should class’sshould onCreaten notot be be called. called. function This This willis is a a commandnot command be executed for for ForInManager. finishAffinity the case of However, killProcess function, even function though all, parent the the Destroy application activities function is can should terminated, be closed not be the called. in process any This activity, isis nota command terminated. and since for there is no need terminatingterminatingif the application a a process. process. finishes If If one onetermination activity activity is by is running, running,calling finishAndRemoveTask it it is is completely completely terminated. terminated. function However, However, and then if runs if several several again. terminatingTherefore, it ais process. possible Ifto one confirm activity that is the running, application it is class’s completely onCreate terminated. function However, will not be if executed several toactivitiesactivities useIn the finish case are are running,of running, function killProcess the the inprocess processfunction a root is is, terminated, the activity,terminated, Destroy theand functionand the current the previous previousshould activity nactivity activityot be called. doesis is executed executed This not is haveagain. again.a command to go for to the root activity. activitiesif the application are running, finishes the terminationprocess is terminated, by calling finishAndRemoveTaskand the previous activity function is executed and then again. runs again. For terminating finishAndRemoveTask a process. If one activity function, is running, the activity it is completely is quit, terminated. and the application However, if several is removed from the In the case of killProcess function , the Destroy function should not be called. This is a command for Taskactivitiesterminating Manager. are arunning, process. However, the If oneprocess even activity is though terminated, is running, the and application it the is completely previous isactivity terminated. terminated, is executed However, the again. process if several is not terminated.

Therefore,activities itare is running, possible the to process confirm is terminated, that the applicationand the previous class’s activity onCreate is executed function again. will not be executed if the application finishes termination by calling finishAndRemoveTask function and then runs again. In the case of killProcess function, the Destroy function should not be called. This is a command for terminating a process. If one activity is running, it is completely terminated. However, if several activities are running, the process is terminated, and the previous activity is executed again. Sustainability 2018, 10, 1290 9 of 18 Sustainability 2018, 8, x FOR PEER REVIEW 9 of 20 Sustainability 2018, 8, x FOR PEER REVIEW 9 of 20

Figure 4. Android boot sequence [33]. Figure 4.4. Android boot sequence [3 [333].].

Figure 5. Android architecture. Figure 5 5.. Android architecture architecture.. 4.2. User Authentication Using Peripheral Devices Architecture 4.2.4.2. User Authentication Using Peripheral Devices Architecture UAPD is an automated process to protect against the SIA presented in the previous section. It UAPD is an automated process to protect against the SIA presented in the previous section. It identifiesUAPD the is user’s an automated device before process the application to protectagainst is launched. the SIA presented in the previous section. identifies the user’s device before the application is launched. It identifiesFigure the6 shows user’s the device overall before process the applicationof UAPD, which is launched. is a detailed description of Figure 1. UAPD Figure 6 shows the overall process of UAPD, which is a detailed description of Figure 1. UAPD is a solution that reinforces the verification part of application execution. To verify a user’s identity, is a solution that reinforces the verification part of application execution. To verify a user’s identity, each application is validated before its execution. This process relies on the Zygote, and the each application is validated before its execution. This process relies on the Zygote, and the Sustainability 2018, 10, 1290 10 of 18

Figure6 shows the overall process of UAPD, which is a detailed description of Figure1. UAPDSustainability is asolution 2018, 8, x FOR that PEER reinforces REVIEW the verification part of application execution. To verify a10 user’s of 20 Sustainability 2018, 8, x FOR PEER REVIEW 10 of 20 identity, each application is validated before its execution. This process relies on the Zygote, and the authentication routine is applied to all applications except system applications. For validation, the authentication routine is applied to all applications except system applications. For validation, UAPDauthentication collects the routine necessary is applied information to all applications once through except the UAPDsystem Initialapplications. Setting For step validation, in Figure the 6. the UAPDUAPD collects collects thethe necessary information information once once through through the UAPD the UAPD Initial Initial Setting Setting step in step Figure in 6. Figure 6.

Figure 6. UAPD process. Figure 6. UAPD process. Figure 6. UAPD process. Figure 7 shows the UAPD Initial Setting process required to prepare the authentication process. In this phase, the smartphone collects the user peripheral information. When a user runs the backup FigureFigure7 shows7 shows the the UAPD UAPD Initial Initial Setting Setting process process requiredrequired toto prepareprepare thethe authentication process. process. process on a new smartphone, the new smartphone requests the information for smartphone InIn this this phase,phase, the the smartphone smartphone collects collects the the user user peripheral peripheral information. information. When Whena user runs a user the runs backup the backupauthentication process on a from new the smartphone, devices that the were new used smartphone by the user. requests The new the information smartphone forproceeds smartphone to processauthenticate on a new the usersmartphone, using the received the new information. smartphone If there requests is no device the information for authentication for smartphone around authentication from the devices that were used by the user. The new smartphone proceeds to authenticationthe user, the fromuser’s theapplication devices will that not were run. used by the user. The new smartphone proceeds to authenticateauthenticate the the user user using using the the received received information.information. IfIf therethere is no device for authentication around around thethe user, user, the the user’s user’s application application will will not not run. run.

Figure 7. UAPD Initial Setting process.

Figure 8 shows the existing backup recovery method and backup recovery method using UAPD. The backup process involves creating the backup file, backup file movement, and application Figure 7. UAPD Initial Setting process. execution. Sometimes, some applicationsFigure 7. UAPD check Initialthe IMEI Setting and process.IMSI values and initialize the data if the values differ from the values of the smartphone used by the user. However, as mentioned in the Figure 8 shows the existing backup recovery method and backup recovery method using UAPD. The backup process involves creating the backup file, backup file movement, and application execution. Sometimes, some applications check the IMEI and IMSI values and initialize the data if the values differ from the values of the smartphone used by the user. However, as mentioned in the Sustainability 2018, 10, 1290 11 of 18

Figure8 shows the existing backup recovery method and backup recovery method using UAPD. The backup process involves creating the backup file, backup file movement, and application execution. SustainabilitySometimes, 201 some8, 8, x applicationsFOR PEER REVIEW check the IMEI and IMSI values and initialize the data if the values11 of 20 differ from the values of the smartphone used by the user. However, as mentioned in the previous previoussection, the section, attacker the canattacker change can the change information the information on the smartphone, on the smartphone, such as IMEIsuch andas IMEI IMSI, and and IMSI, the andoriginal the original backup processbackup process cannot becannot protected be protected against against SIA. In theSIA. UAPD, In the UAPD, as the UAPD as the InitialUAPD Setting Initial Settingand Check and Other Check Devices Other StatesDevices elements States elements have been have added been to theadded original to the backup original process, backup the proc attackeress, willthe attacker not be able will to not perform be able SIA to becauseperform thereSIA because will be nothere peripheral will be devicesno peripheral for Check devices Other for Devices Check OtherStates Devices authentication, States authentication, near the attacker. near the attacker.

Figure 8. Original backup vs UAPD backup. Figure 8. Original backup vs UAPD backup.

5. Evaluation 5. Evaluation

5.1. UAPD Overhead There are two ways to defend Android applications against SIA SIA:: SIAD and the UAPD proposed in this paper.paper. However,However, sincesince SIADSIAD goesgoes throughthrough thethe encryption/decryptionencryption/decryption process, the execution time overhead overhead is is large. large. SIAD’s SIAD’s performance performance depends depends on on the the database database size size of ofthe the application. application. Thus, Thus, in orderin order to to compare compare the the performances performances of of SIAD SIAD and and UAPD, UAPD, we we used used a a test test application application provided provided by Android StudioStudio onon a a Nexus Nexus 5X 5X smartphone smartphone whose whose hardware hardware specification specification is Snapdragon is Snapdragon 808 CPU808 CPU and and2 GB 2 RAM.GB RAM. ExperimentExperimentss were were conducted conducted to to measure measure the the execution execution time time overhead, overhead resource, resource usage, and usage current, and currentconsumption. consumption. Since the Since entire the SIAD entire process SIAD process encrypted encrypted and decrypted and decrypted the databases the databases existing existing in the inapplication the application directory directory database database folder, thefolder, execution the execution time differed time differed according according to the size to ofthe the size database of the databof thease Android of the Andr application.oid application Therefore,. Therefore, for a more for a precisemore precise measurement, measurement, the execution the execution time time was wasmeasured measured in the in following the following manner, manner, after after increasing increasing the size the ofsize the of database the database by 1 MB.by 1 MB. 1. Place the database file in the application directory. 1.2. RunPlace the the application database file to generate in the application key values. directory. 3.2. QuitRun the application and to generate encrypt key the values.database files in the application directory. 4.3. RunQuit the the application application and and decrypt encrypt the the database database files files in in the the application application directory. directory. 5.4. DeleteRun the the application key values and and decrypt application the database data of the files application in the application for a new directory. test. 5. TheDelete blue the line key superimposed values and application on the horizontal data of the axis application in Figure for 9 a indicates new test. the additional time required when running the application with UAPD. It requires an average of 0.005 s. When the application database is small, UAPD is approximately 30 times faster than SIAD. While the time consumed by SIAD increases with the increase in the size of the application’s database, the UAPD consumes constant time. Eventually, it is shown that the UAPD is time-efficient over all time intervals, compared to SIAD. Sustainability 2018, 10, 1290 12 of 18

The blue line superimposed on the horizontal axis in Figure9 indicates the additional time required when running the application with UAPD. It requires an average of 0.005 s. When the Sustainability 2018, 8, x FOR PEER REVIEW 12 of 20 application database is small, UAPD is approximately 30 times faster than SIAD. While the time consumed by SIAD increases with the increase in the size of the application’s database, the UAPD consumes constant time. Eventually, it is shownUAPD that the UAPDSIAD is time-efficient over all time intervals, Sustainability 2018, 8, x FOR PEER REVIEW 12 of 20 compared to8 SIAD.

6 UAPD SIAD

84

Time Time (s) 62

40

1 7

97 13 19 25 31 37 43 49 55 61 67 73 79 85 91

Time Time (s)

139 109 115 121 127 133 145 151 157 163 169 175 181 187 193 2 103 Database Size of Running Application (MB)

0

1 7

97 13 19 25 31 37 43 49 55 61 67 73 79 85 91

139 109 115 121 127 133 145 151 157 163 169 175 181 187 193 Figure 9. Time required for an application103 to run with UAPD. Database Size of Running Application (MB) Figure 10 shows the time-consumption ratio of UAPD and SIAD. As the size of the application’s Figure 9. Time required for an application to run with UAPD. database increases, theFigure efficiency 9. Time can req uiredbe seen for toan varyapplication dramatically. to run with For UAPD example,. UAPD is 30 times faster than SIAD for a database size of 1 MB. Moreover, UAPD is 600 times faster than SIAD for a databaseFigureFigure size 10 10 showsof shows 100 MB.the the time The time-consumption- timeconsumption-consumption ratio ratio ratioof of UAPD UAPD increases and and SIAD. SIAD.as the As database As the the size size size of of the increases. the application’s application’s databasedatabase increases, increases, the the efficiency efficiency can can be be seen seen to to vary vary dramatically. dramatically. For For example, example, UAPD UAPD is is 30 30 times times fasterfaster than than SIAD SIAD for for a a database database size size of of 1 1 MB. MB. Moreover, Moreover, UAPD UAPD is is 600 600 times times faster faster than than SIAD SIAD for for a a databasedatabase size size of of 100 100 MB. MB. The The time time-consumption-consumption ratio ratio increases increases as as the the database database size size increases. increases.

1600 1400 1200 1600 1000 1400 800 1200 600 1000 400 800 200 600

Time Time Efficiency (SIAD/UAPD) 0

1 8

99 22 29 36 43 50 57 64 71 78 85 92

400 15

120 106 113 127 134 141 148 155 162 169 176 183 190 200 Database Size (MB)

Time Time Efficiency (SIAD/UAPD) 0 8

1 Figure 10. Time-efficiency comparison between SIAD and UAPD.

99 22 29 36 43 50 57 64 71 78 85 92

15

120 106 113 127 134 141 148 155 162 169 176 183 190 Figure 10. Time-efficiencyDatabase comparison Size between (MB) SIAD and UAPD. Figure 11 shows the test results illustrating the effects of the number of installed applications, especially,Figure that11 shows of application the test results packages, illustrating and other the effects running of the applications number of oninstalled Android applications, platform. Byespecially, default, that the numberof applicationFigure of 10 installed. Time packages,-efficiency packages and comparison isother 79. We running installedbetween applications SIAD 41 additional and UAPD. on applicationsAndroid platform. that were By indefault, the top the ranks number of the of applicationinstalled packages market, is such 79. asWe YouTube, installed Gmail,41 additional Map, Dropbox, applications and that so on. were Next, in wethe testedtopFigure ranks the 11 applications ofshows the application the test that results had market, database illustrating such sizes as YouTube, the of 100effects MB. Gmail, of As the the Map, number numbers Dropbox, of of installed installed and so applications,and on. Next, executed we especially,applicationstested the thatapplications increased, of application that there had werepackages, database no significant and sizes other of differences 100 running MB. As inapplications the the numbers time overhead. on of Android installed Therefore, platform.and executed even By if default,theapplications number the number of in packagescreased, of installed there increases, were packages theno significant efficiency is 79. We of differences UAPDinstalle remainsd 41in theadditional bettertime overhead. than applications that ofTherefore, SIAD. that were even in if thethe top number ranks ofof packagesthe application increases, market, the efficiencysuch as YouTube, of UAPD Gmail, remains Map, better Dropbox, than that and of so SIAD. on. Next, we tested the applications that had database sizes of 100 MB. As the numbers of installed and executed applications increased, there were no significant differences in the time overhead. Therefore, even if the number of packages increases, the efficiency of UAPD remains better than that of SIAD. Sustainability 2018, 8, x FOR PEER REVIEW 13 of 20 Sustainability 2018, 10, 1290 13 of 18 Sustainability 2018, 8, x FOR PEER REVIEW 13 of 20

UAPD SIAD UAPD SIAD 4 4 2.93 3.14 3 2.93 3.14 3 2 2

Time (s) Time 1 Time (s) Time 1 0.0057 0.0057 0 0.0057 0.0057 0 79 120 79 Number of packages 120 Number of packages

Figure 11.11. Time according to the number ofof applicationapplication packages.packages. Figure 11. Time according to the number of application packages.

InIn FigureFigure 1212,, wewe comparedcompared thethe CPUCPU consumptionconsumption of the original Android version (AOSP) from AndroidIn Figure Open 12, Source we compared Project (AOSP) the CPU with consumption the Android of versionthe original UAPD Android implemented version (UAPD)(AOSP) fromwith Android Open Source Project (AOSP) with the Android version UAPD implemented (UAPD) with AndroidAmazon Openapplications Source using Project the (AOSP) top command. with the WeAndroid repeated version this processUAPD implemented100 times and (UAPD) averaged with the Amazon applications using the top command. We repeated this process 100 times and averaged the Amazonresults. UAPD applications (the Android using the UAPD top command. implemented) We repeated and AOSP this (the process original 100 Android)times and didavera notged show the results. UAPD (the Android UAPD implemented) and AOSP (the original Android) did not show results.significant UAPD differences (the Android in terms UAPD of CPUimplemented) usage and and memory AOSP consumption.(the original Android) In Figure did 12, not the show CPU significant differences in terms of CPU usage and memory consumption. In Figure 12, the CPU significantconsumptions differences from zero in terms to two of seconds CPU usage are similar, and memory but there consumption. is a slight In difference Figure 12, in the the CPU CPU consumptions from zero to two seconds are similar, but there is a slight difference in the CPU consumptions from from two zero to to four two seconds. seconds Because are similar, Android but applications there is a slightare sometimes difference affected in the by CPU the consumptions from two to four seconds. Because Android applications are sometimes affected by the consumptionsAndroid OS or from other two applications, to four seconds. the CPU Because consumption Android may applications increase arein some sometimes time. For affected example, by the in Android OS or other applications, the CPU consumption may increase in some time. For example, Androida very rare OS case, or other the CPU applications, consumption the CPU is 7% consumption at one second, may but increase 35% at intwo some seconds. time. ForHowever, example, these in in a very rare case, the CPU consumption is 7% at one second, but 35% at two seconds. However, avalues very rareare notcase, enough the CPU to consumaffect theption overall is 7% performance at one second, because but 35% the atholding two seconds. times of However, the values these are these values are not enough to affect the overall performance because the holding times of the values valuesvery short. are not Therefore, enough applyingto affect theUAPD overall incurs performance little CPU overhead.because the holding times of the values are arevery very short. short. Therefore, Therefore, applying applying UAPD UAPD incurs incurs little little CPU CPU overhead. overhead.

UAPD AOSP UAPD AOSP 35 35 30 30 25 25 20 20 15 15 10 10 5 CPU Consumption CPU Consumption (%) 5 CPU Consumption CPU Consumption (%) 0 0 0 1 2 3 4 0 1 Time2 (s) 3 4 Time (s)

Figure 12. UAPD vs. AOSP (Android Open Source Project) for CPU usage. Figure 12. UAPD vs. AOSP (Android Open Source Project) for CPU usage. Figure 12. UAPD vs. AOSP (Android Open Source Project) for CPU usage. Figures 13 andand 1414 show show the the measured measured values values of ofthe the Virtual Virtual Set SetSize Size (VSS) (VSS) and andResident Resident Set Size Set Size(RSS) (RSS)Figures for the for 13Amazon the and Amazon 14 application. show application. the measured The values The values values of VSS of of andthe VSS VirtualRSS and in RSS UAPDSet Size in UAPDand (VSS) AOSP andand are AOSPResident similar; are Set similar; UAPD Size UAPD(RSS)has little for has overthe little Amazonhead. overhead. application. The values of VSS and RSS in UAPD and AOSP are similar; UAPD has little overhead. Sustainability 2018, 8, x FOR PEER REVIEW 14 of 20 Sustainability 2018, 8, x FOR PEER REVIEW 14 of 20 Sustainability 2018, 10, 1290 14 of 18 Sustainability 2018, 8, x FOR PEER REVIEW 14 of 20 UAPD AOSP UAPD AOSP 1760 UAPD AOSP 17601740 174017601720 172017401700 170017201680 168017001660

Size Size (MB) 166016801640

Size Size (MB) 164016601620 16201600 Size Size (MB) 1640 16001620 0 1 2 3 4 1600 0 1 Time2 (s) 3 4 0 1 Time2 (s) 3 4 Time (s) Figure 13. UAPD vs. AOSP for VSS (Virtual Set Size) usage. Figure 13. UAPD vs. AOSP for VSS (Virtual Set Size) usage. Figure 13. UAPD vs. AOSP for VSS (Virtual Set Size) usage. Figure 13. UAPD vs. AOSP for VSS (Virtual Set Size) usage. UAPD AOSP UAPD AOSP 100 UAPD AOSP 100 80 10080 60 6080 40

Size Size (MB) 4060

20 Size Size (MB) 2040 Size Size (MB) 0 200 0 1 2 3 4 0 0 1 Time2 (s) 3 4 0 1 Time2 (s) 3 4 Time (s) Figure 1 14.4. UAPD vs vs.. AOSP AOSP for for RSS RSS (Resident (Resident Set Size) usage usage.. Figure 14. UAPD vs. AOSP for RSS (Resident Set Size) usage. Figure 15 shows Figure the memory 14. UAPD usages vs. AOSP for severalfor RSS (Resident applications Set Size) in UAPD usage. and AOSP. All three Figure 15 shows the memory usages for several applications in UAPD and AOSP. All three applicationsFigure 15 such shows as Amazon, the memory Kakaotalk usages, and for severalFacebook, applications running in in the UAPD UAPD and environment, AOSP. All threehave applications such as Amazon, Kakaotalk, and Facebook, running in the UAPD environment, have total applicationstotal Figurememory 15such sizes shows as similar Amazon, the memory to thoseKakaotalk usagesrunning, and for in Facebook,several the AOSP applications running environment; in inthe UAPD theUAPD application and environment, AOSP. memory All have three is memory sizes similar to those running in the AOSP environment; the application memory is often totaloftenapplications memory changed such sizes by externalas similar Amazon, factors to those Kakaotalk or runningapplication, and in Facebook, thebehaviors. AOSP runningenvironment; in the theUAPD application environment, memory have is oftentotalchanged memorychanged by external bysizes external similar factors factors to or those application or applicationrunning behaviors. in behaviors.the AOSP environment; the application memory is often changed by external factors or application behaviors. UAPD AOSP UAPD AOSP 25 UAPD AOSP 25 2025 20 1520 15

1015 Size Size (MB)

10 Size Size (MB) 10 Size Size (MB) 5 5 05 0 amazon kakaotalk facebook

0 amazon kakaotalk facebook

Figureamazon 1 15.5. UAPD vs vs.. AOSP AOSPkakaotalk in in term termss of of memory memory us usage.facebookage. Figure 15. UAPD vs. AOSP in terms of memory usage. Figure 1 5. UAPD vs. AOSP in terms of memory usage.

Sustainability 2018, 10, 1290 15 of 18

5.2. UAPD Compatibility Both the CipherSQL and SIAD mentioned earlier in the Related Works section have some compatibility with Android. CipherSQL is compatible with the versions 4 and 8 of Android. However, this is true only for the applications developed using CipherSQL. That is, as not all applications use CipherSQL, CipherSQL is not applied to all applications. SIAD modifies the Android Framework part, and therefore, can be applied to all applications. On the other hand, there are different ways to terminate applications on Android, which rely on the developers creating the Android applications. A typical smartphone uses a custom OS of the original Android OS, which is provided by its manufacturer. Therefore, it is not possible to ensure that a routine added at the end of an application is applicable to all Android smartphones. The UAPD proposed in this paper modifies only the behavior of the application when it runs. Therefore, it can be applied to any Android OS. Moreover, the UAPD does not control all applications. Sensitive data such as card information, chat history, etc., of the applications we use are stored in the actual running application data area. As a result, it is possible to minimize the impact on traditional usage behavior by applying UAPD to commonly used applications other than system rights applications. The execution flow in the UAPD proceeds as follows: Start- > startViaZygote- > Check Other Devices Status- > zygoteSendArgsAndGetResult. Start calls startViaZygote. If an error occurs during execution, it is treated as a runtime exception.

5.3. UAPD Security UAPD’s goal is to defend against SIA. The previously proposed CipherSQL encrypted the database of the Android application so that, even if the attacker obtained the backup data, it was difficult to acquire the information of the application. However, the attacker could use the backup data to acquire and apply information such as the IMEI and IMSI from other applications that did not apply CipherSQL. In this case, even if the attacker did not know the key to decrypt the application data with CipherSQL applied, he/she could execute the application using the SIA method. On the other hand, UAPD defends against SIA through application execution via user authentication without additional encryption/decryption processes. With this approach, an attacker can acquire some application information from the backup data. However, the UAPD prevents the attacker from impersonating a user, by preventing the application from running. Applying this proposal has the disadvantage that an attacker can obtain some application information from the backup data. However, it does not allow the attacker to run applications. It also prevents the attacker from pretending to be a user. There are two major security issues to consider when applying UAPD. The first is when the user is authenticated via UAPD by verifying the peripheral connection. The information required for authentication must not be visible to the outside. The UAPD checks the configured WiFi or paired Bluetooth device on the smartphone. This will not require any input from outside the smartphone during UAPD. It also does not require a data transfer from the smartphone to the peripheral device. Therefore, UAPD does not involve data exchange for authentication, and is thus resistant to attacks on networks such as Man In the Middle attacks (MIMT) or packet modulation. The second is related to an attacker circumventing the authentication process of UAPD using duplicated or modified information of the configured WiFi devices or paired Bluetooth devices. Information about WiFi configured on Android will be saved to the /data/misc/wifi/wpa_supplicant.conf file on the user’s smartphone. The stored information includes the Service Set Identifier (SSID), Pre-Shared Key (PSK), Priority, and connection methods. To get these values, the attacker accesses the wpa_supplicant.conf file directly from the rooted device, or uses the application from an unrooted device. However, we do not consider rooted devices because rooted devices do not guarantee security and is an unusual situation. Moreover, the WiFi information will not be displayed using an application on an unrooted device, as the Android KitKat version displays the password of the WiFi as an encrypted hash value instead of in a plain text format. As a result, Sustainability 2018, 10, 1290 16 of 18 the attacker cannot set the key value of WiFi and configure a WiFi environment similar to that of the user. On the other hand, regular users can synchronize and recover WiFi information that is configured on the Google Server by Google. Therefore, ordinary users can check the authentication of UAPD even if they backup, but an attacker cannot pass the authentication of UAPD using only the backup file. When the smartphone is paired with another Bluetooth device, a gatt profile is created in/data/misc/Bluetooth/(gatt_cache_number). However, as in the case of WiFi, only a rooted device can obtain information such as the key of a paired Bluetooth device, directly. Additionally, the information on paired Bluetooth devices are not backed up. Therefore, an attacker cannot arbitrarily create a Bluetooth device for authentication using only the backup file. In Check Other Devices States, UAPD checks the connections to the devices configured or paired with the smartphone. The function that performs the connection checks uses the function that is used by the Android framework. Therefore, it has the same security as the connections made with WiFi and Bluetooth in the existing Android framework. Moreover, because they only check connections and do not perform any data exchange, they do not receive any data from external devices during the application execution. This ensures that you can prevent attacks that insert random codes.

6. Conclusions In this paper, we showed that a copy of an application could be created by an attacker via SIA, which could subsequently be used to compromise security and obtain personal information. In particular, copies of WhatsApp, KakaoTalk, Facebook, Amazon, and Syrup were created with the same privileges as the user, and it was confirmed that they could cause secondary and tertiary damage. We proposed UAPD to protect Android applications. As an improved defense of Android applications, which does not depend on the smartphone manufacturer, UAPD prevents data-replication attacks using IMEI, IMSI, or phone number, effectively. It was applied to and tested on a Nexus 5X smartphone to check its practicality. From the results, it was observed that the proposed UAPD was practical and useful, in terms of its performance, overhead, and compatibility. UAPD is a proposal for companies that develop Android OSs, such as smartphone companies or Google. In the future, we plan to study the server communication protocol for UAPD use. Such a study will provide new user authentication methods.

Acknowledgments: This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Korea (2017R1D1A1B03034950) and by the BK21 Plus project funded by the Ministry of Education, Korea (21A20131600011). Author Contributions: All the authors contributed equally to this work. All authors read and approved the final manuscript. Conflicts of Interest: The authors declare no conflicts of interest.

References

1. All Products Require an Annual Contract Prices Do Not Include Sales. Google Play: Number of Downloads 2010–2016. Available online: https://www.statista.com/statistics/281106/number-of-android- app-downloads-from-google-play/ (accessed on 13 April 2018). 2. Armando, A.; Merlo, A.; Migliardi, M.; Verderame, L. Would You Mind Forking This Process? A Denial of Service Attack on Android (and Some Countermeasures). In IFIP International Information Security Conference; Springer: Berlin/Heidelberg, Germany, 2012; pp. 13–24. 3. Lee, H.-T.; Kim, D.; Park, M.; Cho, S. Protecting Data on Android Platform against Privilege Escalation Attack. Int. J. Comput. Math. 2016, 93, 401–414. [CrossRef] 4. Sabt, M.; Traoré, J. Breaking into the Keystore: A Practical Forgery Attack against Android Keystore. In European Symposium on Research in Computer Security; Springer: Heraklion, Greece, 2016; pp. 531–548. 5. Davi, L.; Dmitrienko, A.; Sadeghi, A.-R.; Winandy, M. Privilege Escalation Attacks on Android. In International Conference on Information Security; Springer: Berlin/Heidelberg, Germany, 2010; pp. 346–360. Sustainability 2018, 10, 1290 17 of 18

6. Jung, J.-H.; Kim, J.Y.; Lee, H.-C.; Yi, J.H. Repackaging Attack on Android Banking Applications and Its Countermeasures. Wirel. Pers. Commun. 2013, 73, 1421–1437. [CrossRef] 7. Tam, K.; Feizollah, A.; Anuar, N.B.; Salleh, R.; Cavallaro, L. The Evolution of Android Malware and Android Analysis Techniques. ACM Comput. Surv. (CSUR) 2017, 49, 76. [CrossRef] 8. Wei, X.; Gomez, L.; Neamtiu, I.; Faloutsos, M. Malicious Android Applications in the Enterprise: What Do They Do and How Do We Fix It? In Proceedings of the 2012 IEEE 28th International Conference on Data Engineering Workshops (ICDEW), Arlington, VA, USA, 1–5 April 2012; pp. 251–254. 9. Joshi, J.; Parekh, C. Android Smartphone Vulnerabilities: A Survey. In Proceedings of the IEEE International Conference on Advances in Computing, Communication, & Automation (ICACCA), Dehradun, India, 8–9 April 2016; pp. 1–5. 10. Anglano, C. Forensic Analysis of WhatsApp Messenger on Android Smartphones. Digit. Investig. 2014, 11, 201–213. [CrossRef] 11. Al Mutawa, N.; Baggili, I.; Marrington, A. Forensic Analysis of Social Networking Applications on Mobile Devices. Digit. Investig. 2012, 9, S24–S33. [CrossRef] 12. Hacking Android Apps Using Backup Techniques. Available online: http://resources.infosecinstitute.com/ android-hacking-security-part-15-hacking-android-apps-using-backup-techniques/ (accessed on 13 April 2018). 13. GitHub-Irsl/ADB-Backup-APK-Injection: Android ADB Backup APK Injection POC. Available online: https://github.com/irsl/ADB-Backup-APK-Injection/ (accessed on 13 April 2018). 14. Mutti, S.; Bacis, E.; Paraboschi, S. Sesqlite: Security Enhanced Sqlite: Mandatory Access Control for Android Databases. In Proceedings of the 31st Annual Computer Security Applications Conference, Los Angeles, CA, USA, 7–11 December 2015; pp. 411–420. 15. Paraboschi, S.; Bacis, E.; Mutti, S. Extending Mandatory Access Control Policies in Android. In International Conference on Information Systems Security; Springer: Cham, Switzerland, 2015; pp. 21–35. 16. Rachmawan, A. Developing Secure Android Application with Encrypted Database File Using Sqlcipher. Ph.D. Thesis, Universiti Teknikal Malaysia Melaka, Durian Tunggal, Malaysia, 2014. 17. Dai, Z.; Chua, T.-W.; Balakrishnan, D.K.; Thing, V.L. Chat-App Decryption Key Extraction through Information Flow Analysis. In Systems Approach to Cyber Security; IOP Press: Singapore, 2017. 18. Google Android: CVE Security Vulnerabilities, Versions and Detailed Reports. Available online: https: //www.cvedetails.com/product/19997/GoogleAndroid.html?vendor_id=1224 (accessed on 13 April 2018). 19. Kim, J.; Jung, I.Y. Android App Protection Using Same Identifier Attack Defensor. In Proceedings of the IEEE International Conference on Intelligence and Security Informatics (ISI), Beijing, China, 22–24 July 2017; p. 201. 20. Kim, J.; Jung, I.Y. Private Data Protection of Android Application. In Advances in Computer Science and Ubiquitous Computing; Springer: Singapore, 2017; pp. 1470–1475. 21. Church, K.; De Oliveira, R. What’s up with Whatsapp?: Comparing Mobile Instant Messaging Behaviors with Traditional SMS. In Proceedings of the 15th International Conference on Human-Computer Interaction with Mobile Devices and Services, Munich, Germany, 27–30 August 2013; pp. 352–361. 22. Ha, Y.W.; Kim, J.; Libaque-Saenz, C.F.; Chang, Y.; Park, M.-C. Use and Gratifications of Mobile SNSs: Facebook and KakaoTalk in Korea. Telemat. Inform. 2015, 32, 425–438. [CrossRef] 23. KaKaoTalk. Available online: http://www.kakaocorp.com/service/KakaoTalk (accessed on 13 April 2018). 24. Syrup. Available online: http://www.smartwallet.co.kr/index.do#about_syrup (accessed on 13 April 2018). 25. Jain, V.; Gaur, M.S.; Laxmi, V.; Mosbah, M. Detection of Sqlite Database Vulnerabilities in Android Apps. In International Conference on Information Systems Security; Springer: Cham, Switzerland, 2016; pp. 521–531. 26. Jiang, Y.Z.X.; Xuxian, Z. Detecting Passive Content Leaks and Pollution in Android Applications. In Proceedings of the 20th Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 23 April 2013. 27. Hassanshahi, B.; Yap, R.H. Android Database Attacks Revisited. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, Abu Dhabi, United Arab Emirates, 2–6 April 2017; pp. 625–639. 28. Felt, A.P.; Chin, E.; Hanna, S.; Song, D.; Wagner, D. Android Permissions Demystified. In Proceedings of the 18th ACM conference on Computer and communications security, Chicago, IL, USA, 17–21 October 2011; pp. 627–638. 29. Tamma, R.; Tindall, D. Learning Android Forensics; Packt Publishing Ltd.: Birmingham, UK, 2015. Sustainability 2018, 10, 1290 18 of 18

30. App Annie App Store Stats | Google Play Top App Matrix Overall. Available online: https://www.appannie. com/apps/google-play/matrix/?category=1&date=2017-06-07 (accessed on 13 April 2018). 31. Free Android Emulator on PC and Mac- Download Nox App Player. Available online: https://en.bignox. com/ (accessed on 13 April 2018). 32. Yaghmour, K. Embedded Android: Porting, Extending, and Customizing; O’Reilly Media, Inc.: Sebastopol, CA, USA, 2013. 33. Android Booting Sequence Explained. Available online: http://androidsrc.net/android-booting-sequence- explained/ (accessed on 13 April 2018).

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).