SlideShare a Scribd company logo

AppInspect: Large-scale Evaluation of Social Networking Apps

Markus Huber
Markus Huber

Slides from the AppInspect presentation at ACM COSN, Boston/MA, 2013.

Technology
1 of 28
Download to read offline
AppInspect: Large-scale Evaluation of Social Networking Apps ACM COSN, Boston, 10/08/2013 Markus Huber, Martin Mulazzani, Sebastian Schrittwieser, Edgar Weippl mhuber[AT]sba-research[DOT]org
Main Contributions • AppInspect: privacy and security analysis of OSN apps • Prototype for Facebook’s application ecosystem • Detected informationleaks, shortcomings in popular apps • Cooperated with Facebook to fix apps and protect users • AppInspect datasets available to the research community 2/28
Section 2 Background 3/28
OSN apps • Apps used by hundreds of millions of social networking users • Games, horoscopes, quizzes, etc. • Access sensitive personal information (date of birth, email address, personal messages etc.) • Access to information of application user’s friends 4/28
Modus operandi of OSN apps • OSNs act as proxies between user and app developer • Personal information is transferred to developers • App developers themselves rely on third-parties (analytics, advertising products) • Custom hosting infrastructures • Approval of apps with authentication dialog 5/28
Facebook’s application authorization dialog (a) Unified Auth Dialog, April 2010 (b) Enhanced Auth Dialog, January 2012 (c) App Center Auth Dialog, May 2012 6/28
Section 3 AppInspect Framework 7/28
AppInspect Framework Search Module Classifier Module Analysis Module Online Social Network (OSN)Start Analysis App list App samples Target OSN (1) Search Apps App Directory Fetch directory Search exhaustively (3) Analyse network traffic (4) Fingerprint provider(2) Collect app details Third-Party Applications Figure: AppInspect, a framework for automated security and privacy analysis of social network ecosystems. 8/28
(1) Search Module • Enumerate applications for target social network • Simple scrapers Google+, single HTML page with few applications LinkedIn, easy to enumerate via applicationId • Facebook Majority of apps not in directories Numeric identifier brute force not feasible (1014 ) Exhaustive search: character n-grams, keywords, etc. LinkedIn Example GET / opensocialInstallation /preview? _applicationId =1000 Host: https :// www.linkedin.com 9/28
(2) Classifier Module • Application properties: rating, popularity, permissions, type Web scraping Redirection behavior • Language Detect and translate non-english applications Redirect example GET /apps/application.php?id =194699337231859 Host: www.facebook.com =⇒ Redirects to http :// yahoo.com 10/28
(3) Analysis Module • Traffic collection Applications are installed on test accounts HTTP(S) proxy collects network traffic • Web tracker identification Detection of analytics and advertising products • Information leaks Leakage of personal data, auth tokens to third parties • Hosting infrastructure fingerprint Fingerprint the underlying hosting infrastructure Search vulnerability databases for detected services 11/28
Section 4 Evaluation 12/28
Prototype • Analysis of Facebook’s application ecosystem • Non-intrusive security audits • AppInspect Prototype Python with mechanize, Mozilla Firefox + Adobe Flash Fast crawling, and realistic network samples • Traffic Analysis HTTP(S) interception proxy XML parser for network samples • Web tracker identification Based on Ghostery DB • Hosting infrastructure fingerprint Standard unix tools (dig, nmap) Exploit-DB, metasploit-DB 13/28
Enumerated Apps • Exhaustive search with character trigrams • 434,687 unique applications in two weeks • Validation against Socialbakers’ Facebook applications 0⋅10 0 1⋅10 7 2⋅107 3⋅107 4⋅10 7 5⋅107 6⋅107 1 10 100 1000 10000 100000 1e+06 0 % 10 % 20 % 30 % 40 % 50 % 60 % 70 % 80 % 90 % 100 % MonthlyActiveUsers(MAU) PercentofCumulativeMAU Enumerated Application Sample cumulative application usage application usage 14/28
Application Sample • 10,624 most popular apps 94.07% of cumulative usage • In-depth analysis on 4,747 apps which transfer user data Application Type Applications Total % Authentication Dialog 4,747 44.68% Canvas 2,365 22.26% Connect 2,260 21.27% Defect 865 8.14% Page Add-ons 280 2.64% Mobile 107 1.01% Total 10,624 100.00% Table: Classification of subsample with popular applications 15/28
Section 5 Results 16/28
Requested Permissions (n=4,747) App Category Permission game app Total % Publish posts to stream 1,617 819 51.32% Personal email address 1,055 1,132 46.07% Publish action 435 857 27.22% Access user’s birthday 582 428 21.28% Access user’s photos 721 99 17.27% Access data offline 517 120 13.42% Access user likes 438 153 12.45% Access user location 350 143 10.39% Read stream 409 80 10.3% Access friends’ photos 319 17 7.08% Table: Most common requested permissions by third-party applications 17/28
Permissions per Provider • 4,747 applications belonged to 1,646 distinct providers • 60.24% of all providers requested personal email address 0 5 10 15 20 25 30 35 40 45 50 0 200 400 600 800 1000 1200 1400 1600 Numberofpermissionsrequested Mean = 2.91246 18/28
Developers with ≥ 10 Permission Requests • 40 providers requested more than 10 permissions • Manually verified requested permissions vs. app functionality • Legitimate uses Dating and job hunting applications XBOX application (not available anymore) • Excessive permission requests Hor´oscopo Di´ario, 2.5 million monthly users Would require data of birth, 25 different permissions Request permission but do not use them Users do not seem to verify requested permissions 19/28
Internet Hosting Services • 55% of applications hosted in the US • 64 different countries in total Provider Location Total % Amazon EC2 US (755), IE (82), SG (52) 18.72% SoftLayer US (505) 10.65% Peak Hosting US (244) 5.14% Rackspace US (147), GB (11), HK (4) 3.41% GoDaddy SG (51), US (29), NL (6) 1.82% Linode US (72), GB (6), JP (2) 1.69% OVH FR (42), PL (7), ES (2) 1.04% Hetzner DE (47) 0.99% Internap US (35) 0.73% 20/28
Discovered Web Services • 55% Apache httpd, nginx (15.63%), Microsoft IIS (9.4%) • 2 hosts source code disclosure vulnerability (CVE-2010-2263) • 8 hosts ProFTPD buffer overflow (CVE-2006-5815, CVE-2010-4221) • Host with 1.2 million monthly users and sensitive information TCP Port Service Hosts % Total 22 ssh 662 40.22% 21 ftp 640 38.88% 25 smtp 572 34.75% 110 pop3 439 26.67% 143 imap 417 25.33% Table: Most common additional services on application hosts 21/28
Tracking and Advertisement Products Web bug Type Apps % Total Google Analytics analytics 3,378 71.16% DoubleClick advertising 529 11.14% Google Adsense advertising 361 7.61% AdMeld advertising 276 5.81% Cubics advertising 153 3.22% LifeStreet Media advertising 94 1.98% Google AdWords advertising 91 1.92% OpenX advertising 82 1.73% Quantcast analytics 49 1.03% ScoreCard Beacon analytics 48 1.01% Table: Common web trackers included in third-party applications 22/28
Information Leaks • 315 apps directly transferred personally identifiable information (via HTTP parameter) uuid, birthdate, gender GET socialanalytic -web -rest/rest/action /16/1000000000000/ wpc/ landingbirthday =5%2 F2%2 F2013&gender=male Host: removed from online version uuid, tracking! GET /delivery/ brandConnect .php?callback=siteUserId =1000000000000& siteId =1111& popup =0 Host: removed from online version 23/28
Information leaks II • 51 applications leaked unique user identifiers (HTTP Referer) • 14 out of 51 applications also leaked oAuth tokens Example leak, app with 4.7 million MAU GET /fnf/flash.php?hbref =&u=& page =-1& frli =& oauth_token= AAAAAAAAAAAAAAAAA &fbid =1000000000000& issec =0& locale=en_US: Host: removed from online version 24/28
Section 6 Discussion and Conclusion 25/28
Discussion • Reported our findings to Facebook in november 2012 Facebook responded quickly Facebook acknowledged problems and contacted developers Application issues fixed in May 2013 • Security and privacy implications Since January 2010 unproxied access to email address 60% of application providers request email address Social phishing, context-aware spam Users trackable with real name • Hosting Number of hosts possible vulnerable FTP/SSH bruteforce 26/28
Limitations • Limitation to Facebook canvas applications AppInspect adaption to other OSNs Mobile applications and websites • Detection of excessive permission requests App functionality vs. requested permissions Requires manual reviews • Detection of information leaks Obfuscated personal information Hidden back-ends for data transfer Offline passing on of data 27/28
Conclusion • Automated social app analysis is feasible • Helped to fix shortcomings in popular applications • Framework and dataset Plan: Release opensource version of code Datasets for social app research http://ai.sba-research.org 28/28

Recommended

Vulnerability Assessment and Penetration Testing using Webkill
Vulnerability Assessment and Penetration Testing using WebkillVulnerability Assessment and Penetration Testing using Webkill
Vulnerability Assessment and Penetration Testing using Webkillijtsrd
 
Automated classification and analysis of internet malware
Automated classification and analysis of internet malwareAutomated classification and analysis of internet malware
Automated classification and analysis of internet malwareUltraUploader
 
Cyber crime and investigation training
Cyber crime and investigation trainingCyber crime and investigation training
Cyber crime and investigation trainingMehedi Hasan
 
Optimised malware detection in digital forensics
Optimised malware detection in digital forensicsOptimised malware detection in digital forensics
Optimised malware detection in digital forensicsIJNSA Journal
 
An Ontology-based Technique for Online Profile Resolution
An Ontology-based Technique for Online Profile ResolutionAn Ontology-based Technique for Online Profile Resolution
An Ontology-based Technique for Online Profile Resolutionkcortis
 
Final report
Final reportFinal report
Final reportFraser Hiddleston
 
Insider Threats Detection in Cloud using UEBA
Insider Threats Detection in Cloud using UEBAInsider Threats Detection in Cloud using UEBA
Insider Threats Detection in Cloud using UEBALucas Ko
 
Android Malware Detection in Official and Third Party Application Stores
Android Malware Detection in Official and Third Party Application StoresAndroid Malware Detection in Official and Third Party Application Stores
Android Malware Detection in Official and Third Party Application StoresEswar Publications
 

Recommended

Vulnerability Assessment and Penetration Testing using Webkill
Vulnerability Assessment and Penetration Testing using WebkillVulnerability Assessment and Penetration Testing using Webkill
Vulnerability Assessment and Penetration Testing using Webkillijtsrd
 
Automated classification and analysis of internet malware
Automated classification and analysis of internet malwareAutomated classification and analysis of internet malware
Automated classification and analysis of internet malwareUltraUploader
 
Cyber crime and investigation training
Cyber crime and investigation trainingCyber crime and investigation training
Cyber crime and investigation trainingMehedi Hasan
 
Optimised malware detection in digital forensics
Optimised malware detection in digital forensicsOptimised malware detection in digital forensics
Optimised malware detection in digital forensicsIJNSA Journal
 
An Ontology-based Technique for Online Profile Resolution
An Ontology-based Technique for Online Profile ResolutionAn Ontology-based Technique for Online Profile Resolution
An Ontology-based Technique for Online Profile Resolutionkcortis
 
Final report
Final reportFinal report
Final reportFraser Hiddleston
 
Insider Threats Detection in Cloud using UEBA
Insider Threats Detection in Cloud using UEBAInsider Threats Detection in Cloud using UEBA
Insider Threats Detection in Cloud using UEBALucas Ko
 
Android Malware Detection in Official and Third Party Application Stores
Android Malware Detection in Official and Third Party Application StoresAndroid Malware Detection in Official and Third Party Application Stores
Android Malware Detection in Official and Third Party Application StoresEswar Publications
 
Format skt-guru-2015
Format skt-guru-2015Format skt-guru-2015
Format skt-guru-2015osnamek62
 
Dr rusmini
Dr rusminiDr rusmini
Dr rusminiosnamek62
 
Jw Slide Show
Jw Slide ShowJw Slide Show
Jw Slide Showjonjw
 
El gat p4 c
El gat p4 cEl gat p4 c
El gat p4 cMDRCP3
 
Ppt mt sha
Ppt mt shaPpt mt sha
Ppt mt shaleehaisha
 
Ppt bm sha
Ppt bm shaPpt bm sha
Ppt bm shaleehaisha
 
Dskp tmk thn 4 sk sp s pi
Dskp tmk thn 4 sk sp s piDskp tmk thn 4 sk sp s pi
Dskp tmk thn 4 sk sp s piosnamek62
 
Der Pandabär
Der PandabärDer Pandabär
Der PandabärChristine Bazooka
 
El llop p4 b
El llop p4 bEl llop p4 b
El llop p4 bMDRCP3
 
El llop p4 b
El llop p4 bEl llop p4 b
El llop p4 bMDRCP3
 
Reunio pares
Reunio paresReunio pares
Reunio paresMDRCP3
 
El ós p 4 d
El ós p 4 dEl ós p 4 d
El ós p 4 dMDRCP3
 
This world we live in review
This world we live in reviewThis world we live in review
This world we live in reviewhope247
 
This world we live in review
This world we live in reviewThis world we live in review
This world we live in reviewhope247
 
Social Snapshots: Digital Forensics for Online Social Networks
Social Snapshots: Digital Forensics for Online Social NetworksSocial Snapshots: Digital Forensics for Online Social Networks
Social Snapshots: Digital Forensics for Online Social NetworksMarkus Huber
 
L'ocell p4 a
L'ocell p4 aL'ocell p4 a
L'ocell p4 aMDRCP3
 
Dskp thn 5 pen moral
Dskp thn 5 pen moralDskp thn 5 pen moral
Dskp thn 5 pen moralosnamek62
 
18-mobile-malware.pptx
18-mobile-malware.pptx18-mobile-malware.pptx
18-mobile-malware.pptxsundar110567
 
Tracking the Trackers tutorial at the Digital Methods Summer School 2013
Tracking the Trackers tutorial at the Digital Methods Summer School 2013Tracking the Trackers tutorial at the Digital Methods Summer School 2013
Tracking the Trackers tutorial at the Digital Methods Summer School 2013Digital Methods Initiative
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12Jim Kaplan CIA CFE
 
Observe it v67 webinar v5
Observe it v67 webinar v5Observe it v67 webinar v5
Observe it v67 webinar v5ObserveIT
 
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docxjoyjonna282
 

More Related Content

Viewers also liked

Format skt-guru-2015
Format skt-guru-2015Format skt-guru-2015
Format skt-guru-2015osnamek62
 
Jw Slide Show
Jw Slide ShowJw Slide Show
Jw Slide Showjonjw
 
El gat p4 c
El gat p4 cEl gat p4 c
El gat p4 cMDRCP3
 
Dskp tmk thn 4 sk sp s pi
Dskp tmk thn 4 sk sp s piDskp tmk thn 4 sk sp s pi
Dskp tmk thn 4 sk sp s piosnamek62
 
El llop p4 b
El llop p4 bEl llop p4 b
El llop p4 bMDRCP3
 
El llop p4 b
El llop p4 bEl llop p4 b
El llop p4 bMDRCP3
 
Reunio pares
Reunio paresReunio pares
Reunio paresMDRCP3
 
El ós p 4 d
El ós p 4 dEl ós p 4 d
El ós p 4 dMDRCP3
 
This world we live in review
This world we live in reviewThis world we live in review
This world we live in reviewhope247
 
This world we live in review
This world we live in reviewThis world we live in review
This world we live in reviewhope247
 
Social Snapshots: Digital Forensics for Online Social Networks
Social Snapshots: Digital Forensics for Online Social NetworksSocial Snapshots: Digital Forensics for Online Social Networks
Social Snapshots: Digital Forensics for Online Social NetworksMarkus Huber
 
L'ocell p4 a
L'ocell p4 aL'ocell p4 a
L'ocell p4 aMDRCP3
 
Dskp thn 5 pen moral
Dskp thn 5 pen moralDskp thn 5 pen moral
Dskp thn 5 pen moralosnamek62
 

Viewers also liked (17)

Format skt-guru-2015
Format skt-guru-2015Format skt-guru-2015
Format skt-guru-2015
 
Dr rusmini
Dr rusminiDr rusmini
Dr rusmini
 
Jw Slide Show
Jw Slide ShowJw Slide Show
Jw Slide Show
 
El gat p4 c
El gat p4 cEl gat p4 c
El gat p4 c
 
Ppt mt sha
Ppt mt shaPpt mt sha
Ppt mt sha
 
Ppt bm sha
Ppt bm shaPpt bm sha
Ppt bm sha
 
Dskp tmk thn 4 sk sp s pi
Dskp tmk thn 4 sk sp s piDskp tmk thn 4 sk sp s pi
Dskp tmk thn 4 sk sp s pi
 
Der Pandabär
Der PandabärDer Pandabär
Der Pandabär
 
El llop p4 b
El llop p4 bEl llop p4 b
El llop p4 b
 
El llop p4 b
El llop p4 bEl llop p4 b
El llop p4 b
 
Reunio pares
Reunio paresReunio pares
Reunio pares
 
El ós p 4 d
El ós p 4 dEl ós p 4 d
El ós p 4 d
 
This world we live in review
This world we live in reviewThis world we live in review
This world we live in review
 
This world we live in review
This world we live in reviewThis world we live in review
This world we live in review
 
Social Snapshots: Digital Forensics for Online Social Networks
Social Snapshots: Digital Forensics for Online Social NetworksSocial Snapshots: Digital Forensics for Online Social Networks
Social Snapshots: Digital Forensics for Online Social Networks
 
L'ocell p4 a
L'ocell p4 aL'ocell p4 a
L'ocell p4 a
 
Dskp thn 5 pen moral
Dskp thn 5 pen moralDskp thn 5 pen moral
Dskp thn 5 pen moral
 

Similar to AppInspect: Large-scale Evaluation of Social Networking Apps

18-mobile-malware.pptx
18-mobile-malware.pptx18-mobile-malware.pptx
18-mobile-malware.pptxsundar110567
 
Tracking the Trackers tutorial at the Digital Methods Summer School 2013
Tracking the Trackers tutorial at the Digital Methods Summer School 2013Tracking the Trackers tutorial at the Digital Methods Summer School 2013
Tracking the Trackers tutorial at the Digital Methods Summer School 2013Digital Methods Initiative
 
Observe it v67 webinar v5
Observe it v67 webinar v5Observe it v67 webinar v5
Observe it v67 webinar v5ObserveIT
 
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docxjoyjonna282
 
Identifying and Mitigating Cross-Platform Phone Number Abuse on Social Channels
Identifying and Mitigating Cross-Platform Phone Number Abuse on Social ChannelsIdentifying and Mitigating Cross-Platform Phone Number Abuse on Social Channels
Identifying and Mitigating Cross-Platform Phone Number Abuse on Social ChannelsIIIT Hyderabad
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...CODE BLUE
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Eurecom уличили приложения для Android в тайной от пользователя активности
Eurecom уличили приложения для Android в тайной от пользователя активностиEurecom уличили приложения для Android в тайной от пользователя активности
Eurecom уличили приложения для Android в тайной от пользователя активностиSergey Ulankin
 
OpenSocial and Mixi platform
OpenSocial and Mixi platformOpenSocial and Mixi platform
OpenSocial and Mixi platformPham Thinh
 
Think tank event mobile app testing v1.3
Think tank event mobile app testing v1.3Think tank event mobile app testing v1.3
Think tank event mobile app testing v1.3Samer Desouky
 
Trusting External Identity Providers for Global Research Collaborations
Trusting External Identity Providers for Global Research CollaborationsTrusting External Identity Providers for Global Research Collaborations
Trusting External Identity Providers for Global Research Collaborationsjbasney
 
Reputation based model for decision making in the digital age
Reputation based model for decision making in the digital ageReputation based model for decision making in the digital age
Reputation based model for decision making in the digital ageTogar Simatupang
 
Informed Consent-Are Your Participants-Aware-o- What-They-Share.pptx
Informed Consent-Are Your Participants-Aware-o- What-They-Share.pptxInformed Consent-Are Your Participants-Aware-o- What-They-Share.pptx
Informed Consent-Are Your Participants-Aware-o- What-They-Share.pptxNoreen Whysel
 
Data Cloud - Yury Lifshits - Yahoo! Research
Data Cloud - Yury Lifshits - Yahoo! ResearchData Cloud - Yury Lifshits - Yahoo! Research
Data Cloud - Yury Lifshits - Yahoo! ResearchYury Lifshits
 
Smashing SIlos: UX is the New SEO
Smashing SIlos: UX is the New SEOSmashing SIlos: UX is the New SEO
Smashing SIlos: UX is the New SEOBrightEdge
 

Similar to AppInspect: Large-scale Evaluation of Social Networking Apps (20)

18-mobile-malware.pptx
18-mobile-malware.pptx18-mobile-malware.pptx
18-mobile-malware.pptx
 
Tracking the Trackers tutorial at the Digital Methods Summer School 2013
Tracking the Trackers tutorial at the Digital Methods Summer School 2013Tracking the Trackers tutorial at the Digital Methods Summer School 2013
Tracking the Trackers tutorial at the Digital Methods Summer School 2013
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
Observe it v67 webinar v5
Observe it v67 webinar v5Observe it v67 webinar v5
Observe it v67 webinar v5
 
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
 
Identifying and Mitigating Cross-Platform Phone Number Abuse on Social Channels
Identifying and Mitigating Cross-Platform Phone Number Abuse on Social ChannelsIdentifying and Mitigating Cross-Platform Phone Number Abuse on Social Channels
Identifying and Mitigating Cross-Platform Phone Number Abuse on Social Channels
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
 
Diadem 1.0
Diadem 1.0Diadem 1.0
Diadem 1.0
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Eurecom уличили приложения для Android в тайной от пользователя активности
Eurecom уличили приложения для Android в тайной от пользователя активностиEurecom уличили приложения для Android в тайной от пользователя активности
Eurecom уличили приложения для Android в тайной от пользователя активности
 
OpenSocial and Mixi platform
OpenSocial and Mixi platformOpenSocial and Mixi platform
OpenSocial and Mixi platform
 
Think tank event mobile app testing v1.3
Think tank event mobile app testing v1.3Think tank event mobile app testing v1.3
Think tank event mobile app testing v1.3
 
Trusting External Identity Providers for Global Research Collaborations
Trusting External Identity Providers for Global Research CollaborationsTrusting External Identity Providers for Global Research Collaborations
Trusting External Identity Providers for Global Research Collaborations
 
Cybersecurity Slides
Cybersecurity SlidesCybersecurity Slides
Cybersecurity Slides
 
Reputation based model for decision making in the digital age
Reputation based model for decision making in the digital ageReputation based model for decision making in the digital age
Reputation based model for decision making in the digital age
 
The Dangers of Lapto
The Dangers of LaptoThe Dangers of Lapto
The Dangers of Lapto
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat Modeling
 
Informed Consent-Are Your Participants-Aware-o- What-They-Share.pptx
Informed Consent-Are Your Participants-Aware-o- What-They-Share.pptxInformed Consent-Are Your Participants-Aware-o- What-They-Share.pptx
Informed Consent-Are Your Participants-Aware-o- What-They-Share.pptx
 
Data Cloud - Yury Lifshits - Yahoo! Research
Data Cloud - Yury Lifshits - Yahoo! ResearchData Cloud - Yury Lifshits - Yahoo! Research
Data Cloud - Yury Lifshits - Yahoo! Research
 
Smashing SIlos: UX is the New SEO
Smashing SIlos: UX is the New SEOSmashing SIlos: UX is the New SEO
Smashing SIlos: UX is the New SEO
 

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

AppInspect: Large-scale Evaluation of Social Networking Apps

  • 1. AppInspect: Large-scale Evaluation of Social Networking Apps ACM COSN, Boston, 10/08/2013 Markus Huber, Martin Mulazzani, Sebastian Schrittwieser, Edgar Weippl mhuber[AT]sba-research[DOT]org
  • 2. Main Contributions • AppInspect: privacy and security analysis of OSN apps • Prototype for Facebook’s application ecosystem • Detected informationleaks, shortcomings in popular apps • Cooperated with Facebook to fix apps and protect users • AppInspect datasets available to the research community 2/28
  • 4. OSN apps • Apps used by hundreds of millions of social networking users • Games, horoscopes, quizzes, etc. • Access sensitive personal information (date of birth, email address, personal messages etc.) • Access to information of application user’s friends 4/28
  • 5. Modus operandi of OSN apps • OSNs act as proxies between user and app developer • Personal information is transferred to developers • App developers themselves rely on third-parties (analytics, advertising products) • Custom hosting infrastructures • Approval of apps with authentication dialog 5/28
  • 6. Facebook’s application authorization dialog (a) Unified Auth Dialog, April 2010 (b) Enhanced Auth Dialog, January 2012 (c) App Center Auth Dialog, May 2012 6/28
  • 8. AppInspect Framework Search Module Classifier Module Analysis Module Online Social Network (OSN)Start Analysis App list App samples Target OSN (1) Search Apps App Directory Fetch directory Search exhaustively (3) Analyse network traffic (4) Fingerprint provider(2) Collect app details Third-Party Applications Figure: AppInspect, a framework for automated security and privacy analysis of social network ecosystems. 8/28
  • 9. (1) Search Module • Enumerate applications for target social network • Simple scrapers Google+, single HTML page with few applications LinkedIn, easy to enumerate via applicationId • Facebook Majority of apps not in directories Numeric identifier brute force not feasible (1014 ) Exhaustive search: character n-grams, keywords, etc. LinkedIn Example GET / opensocialInstallation /preview? _applicationId =1000 Host: https :// www.linkedin.com 9/28
  • 10. (2) Classifier Module • Application properties: rating, popularity, permissions, type Web scraping Redirection behavior • Language Detect and translate non-english applications Redirect example GET /apps/application.php?id =194699337231859 Host: www.facebook.com =⇒ Redirects to http :// yahoo.com 10/28
  • 11. (3) Analysis Module • Traffic collection Applications are installed on test accounts HTTP(S) proxy collects network traffic • Web tracker identification Detection of analytics and advertising products • Information leaks Leakage of personal data, auth tokens to third parties • Hosting infrastructure fingerprint Fingerprint the underlying hosting infrastructure Search vulnerability databases for detected services 11/28
  • 13. Prototype • Analysis of Facebook’s application ecosystem • Non-intrusive security audits • AppInspect Prototype Python with mechanize, Mozilla Firefox + Adobe Flash Fast crawling, and realistic network samples • Traffic Analysis HTTP(S) interception proxy XML parser for network samples • Web tracker identification Based on Ghostery DB • Hosting infrastructure fingerprint Standard unix tools (dig, nmap) Exploit-DB, metasploit-DB 13/28
  • 14. Enumerated Apps • Exhaustive search with character trigrams • 434,687 unique applications in two weeks • Validation against Socialbakers’ Facebook applications 0⋅10 0 1⋅10 7 2⋅107 3⋅107 4⋅10 7 5⋅107 6⋅107 1 10 100 1000 10000 100000 1e+06 0 % 10 % 20 % 30 % 40 % 50 % 60 % 70 % 80 % 90 % 100 % MonthlyActiveUsers(MAU) PercentofCumulativeMAU Enumerated Application Sample cumulative application usage application usage 14/28
  • 15. Application Sample • 10,624 most popular apps 94.07% of cumulative usage • In-depth analysis on 4,747 apps which transfer user data Application Type Applications Total % Authentication Dialog 4,747 44.68% Canvas 2,365 22.26% Connect 2,260 21.27% Defect 865 8.14% Page Add-ons 280 2.64% Mobile 107 1.01% Total 10,624 100.00% Table: Classification of subsample with popular applications 15/28
  • 17. Requested Permissions (n=4,747) App Category Permission game app Total % Publish posts to stream 1,617 819 51.32% Personal email address 1,055 1,132 46.07% Publish action 435 857 27.22% Access user’s birthday 582 428 21.28% Access user’s photos 721 99 17.27% Access data offline 517 120 13.42% Access user likes 438 153 12.45% Access user location 350 143 10.39% Read stream 409 80 10.3% Access friends’ photos 319 17 7.08% Table: Most common requested permissions by third-party applications 17/28
  • 18. Permissions per Provider • 4,747 applications belonged to 1,646 distinct providers • 60.24% of all providers requested personal email address 0 5 10 15 20 25 30 35 40 45 50 0 200 400 600 800 1000 1200 1400 1600 Numberofpermissionsrequested Mean = 2.91246 18/28
  • 19. Developers with ≥ 10 Permission Requests • 40 providers requested more than 10 permissions • Manually verified requested permissions vs. app functionality • Legitimate uses Dating and job hunting applications XBOX application (not available anymore) • Excessive permission requests Hor´oscopo Di´ario, 2.5 million monthly users Would require data of birth, 25 different permissions Request permission but do not use them Users do not seem to verify requested permissions 19/28
  • 20. Internet Hosting Services • 55% of applications hosted in the US • 64 different countries in total Provider Location Total % Amazon EC2 US (755), IE (82), SG (52) 18.72% SoftLayer US (505) 10.65% Peak Hosting US (244) 5.14% Rackspace US (147), GB (11), HK (4) 3.41% GoDaddy SG (51), US (29), NL (6) 1.82% Linode US (72), GB (6), JP (2) 1.69% OVH FR (42), PL (7), ES (2) 1.04% Hetzner DE (47) 0.99% Internap US (35) 0.73% 20/28
  • 21. Discovered Web Services • 55% Apache httpd, nginx (15.63%), Microsoft IIS (9.4%) • 2 hosts source code disclosure vulnerability (CVE-2010-2263) • 8 hosts ProFTPD buffer overflow (CVE-2006-5815, CVE-2010-4221) • Host with 1.2 million monthly users and sensitive information TCP Port Service Hosts % Total 22 ssh 662 40.22% 21 ftp 640 38.88% 25 smtp 572 34.75% 110 pop3 439 26.67% 143 imap 417 25.33% Table: Most common additional services on application hosts 21/28
  • 22. Tracking and Advertisement Products Web bug Type Apps % Total Google Analytics analytics 3,378 71.16% DoubleClick advertising 529 11.14% Google Adsense advertising 361 7.61% AdMeld advertising 276 5.81% Cubics advertising 153 3.22% LifeStreet Media advertising 94 1.98% Google AdWords advertising 91 1.92% OpenX advertising 82 1.73% Quantcast analytics 49 1.03% ScoreCard Beacon analytics 48 1.01% Table: Common web trackers included in third-party applications 22/28
  • 23. Information Leaks • 315 apps directly transferred personally identifiable information (via HTTP parameter) uuid, birthdate, gender GET socialanalytic -web -rest/rest/action /16/1000000000000/ wpc/ landingbirthday =5%2 F2%2 F2013&gender=male Host: removed from online version uuid, tracking! GET /delivery/ brandConnect .php?callback=siteUserId =1000000000000& siteId =1111& popup =0 Host: removed from online version 23/28
  • 24. Information leaks II • 51 applications leaked unique user identifiers (HTTP Referer) • 14 out of 51 applications also leaked oAuth tokens Example leak, app with 4.7 million MAU GET /fnf/flash.php?hbref =&u=& page =-1& frli =& oauth_token= AAAAAAAAAAAAAAAAA &fbid =1000000000000& issec =0& locale=en_US: Host: removed from online version 24/28
  • 25. Section 6 Discussion and Conclusion 25/28
  • 26. Discussion • Reported our findings to Facebook in november 2012 Facebook responded quickly Facebook acknowledged problems and contacted developers Application issues fixed in May 2013 • Security and privacy implications Since January 2010 unproxied access to email address 60% of application providers request email address Social phishing, context-aware spam Users trackable with real name • Hosting Number of hosts possible vulnerable FTP/SSH bruteforce 26/28
  • 27. Limitations • Limitation to Facebook canvas applications AppInspect adaption to other OSNs Mobile applications and websites • Detection of excessive permission requests App functionality vs. requested permissions Requires manual reviews • Detection of information leaks Obfuscated personal information Hidden back-ends for data transfer Offline passing on of data 27/28
  • 28. Conclusion • Automated social app analysis is feasible • Helped to fix shortcomings in popular applications • Framework and dataset Plan: Release opensource version of code Datasets for social app research http://ai.sba-research.org 28/28