
Analyzing mobile data leakages

Published Dec 10, 2013

After his Master's degree in 2008 at KTH, Pasquale Stirparo started working in the field of IT security and digital forensics. But only three years later he came back to the university for doctoral studies. He started analyzing mobile data leakages, and the results were quite alarming. Now he has presented his results so far in his licentiate thesis.

Pasquale Stirparo

Where are you from and where did you study before coming to KTH?

– I am from a small village in Calabria, Marina di Gioiosa Ionica, in the south of Italy. I was a master's student at KTH from 2006 to 2008 within the Double Degree Erasmus program between KTH and the Polytechnic of Turin, in Italy, where I also received my Bachelor's degree, both in Computer Engineering. However, between my Master's degree and the beginning of my doctoral studies I was actually working for almost three years in the field of IT Security and Digital Forensics, fascinating fields.

What is your topic and why did you choose it?

– My research is about security and privacy threats that come from the usage of smartphones and mobile applications; in particular I look for leakages of user sensitive and personal information. Hence I named my research work "MobiLeak". I chose to focus on security since it is, together with forensics, a great passion of mine, while the mobile dimension is because of a growing interest I have been developing in anything concerning the mobile ecosystem. Moreover, smartphones are so pervasive in our daily life that it is very important to have them properly secured.

Describe your topic in short for a person that doesn't know much about it.

– Basically, I wanted to develop a methodology to properly assess the level of security and privacy of mobile applications, in order to evaluate how well (or how badly) they handle user personal data. I started looking at all possible states in which data can exist. I found these to be Data at Rest, which is the data actually stored inside the smartphone; Data in Use, which is the data currently used and processed by the mobile applications; and Data in Transit, which is data being sent into or out of the smartphone (e.g. over a Wi-Fi connection). Therefore, I started to dig into each of these three states.

Tell us something about your results

– Until now I have mainly analyzed the Data at Rest and Data in Use states. I have analyzed so far 12 of the most downloaded applications for Android, such as Twitter, Skype, Facebook, Groupon, and 15 mobile banking applications. Results have been quite interesting so far: 25% of the applications store user passwords in cleartext (i.e. no encryption), 83% reveal user personal information like physical address, location coordinates, and credit card number. Instead, for the mobile banking applications, I have been able to "easily" retrieve username and password from memory for about 75% of them.
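A Data at Rest check of the kind described in the two answers above, added here as an illustration and not code from the MobiLeak project: it scans a constructed Android SharedPreferences file for credential-like keys and reports which values appear to be stored in cleartext rather than hashed or encoded. The key names and value-shape heuristics are assumptions, not a definitive test.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an app's shared_prefs XML (not taken from any real app).
SAMPLE_PREFS = """<map>
    <string name="username">alice@example.com</string>
    <string name="password">hunter2</string>
    <string name="auth_token">q7zJ0c2P3a1xV9tL8nYb5kW2mR4dF6gH</string>
    <string name="password_hash">5d41402abc4b2a76b9719d911017c592</string>
    <boolean name="remember_me" value="true" />
</map>
"""

# Key names that usually hold secrets (heuristic, case-insensitive).
CREDENTIAL_KEY = re.compile(r"pass(word|wd)?|pin|secret|token|session", re.I)
# Value shapes suggesting some protection was applied before storage.
HEX_DIGEST = re.compile(r"^[0-9a-f]{32,}$", re.I)        # md5/sha-* style output
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")  # ciphertext, key material, ...


def classify_value(value):
    """Rough guess at how a stored value is protected."""
    if HEX_DIGEST.match(value):
        return "hashed"
    if BASE64_BLOB.match(value):
        return "encoded"  # may be encrypted or merely base64: needs manual review
    return "cleartext"


def scan_shared_prefs(xml_text):
    """Return (key, classification) for every credential-like preference."""
    findings = []
    for elem in ET.fromstring(xml_text):
        name = elem.get("name", "")
        if not CREDENTIAL_KEY.search(name):
            continue
        # <string> keeps its value as element text; other types use a value attribute.
        value = elem.text if elem.text is not None else elem.get("value", "")
        findings.append((name, classify_value(value.strip())))
    return findings


def cleartext_keys(xml_text):
    """Keys whose secret is stored without any visible protection."""
    return [key for key, kind in scan_shared_prefs(xml_text) if kind == "cleartext"]


if __name__ == "__main__":
    for key, kind in scan_shared_prefs(SAMPLE_PREFS):
        print(f"{key:15s} {kind}")
```

On a real device the same scan would run over the files under the app's shared_prefs directory, and an "encoded" result still needs manual review to tell encryption from plain base64.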

What will the future bring for your research, how will you continue and what focus will you have on your PhD thesis?

– For my Ph.D. I will continue my work completing the research on the Data in Transit state, focusing on mobile payments applications. Finally, I plan to complete the development of MobiLeak and make it a point of reference for privacy assessment of mobile applications.