AppInspect: Large-scale Evaluation of Social Networking Apps

508 views
436 views

Published on

Slides from the AppInspect presentation at ACM COSN, Boston/MA, 2013.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
508
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

AppInspect: Large-scale Evaluation of Social Networking Apps

  1. 1. AppInspect: Large-scale Evaluation of Social Networking Apps ACM COSN, Boston, 10/08/2013 Markus Huber, Martin Mulazzani, Sebastian Schrittwieser, Edgar Weippl mhuber[AT]sba-research[DOT]org
  2. 2. Main Contributions • AppInspect: privacy and security analysis of OSN apps • Prototype for Facebook’s application ecosystem • Detected informationleaks, shortcomings in popular apps • Cooperated with Facebook to fix apps and protect users • AppInspect datasets available to the research community 2/28
  3. 3. Section 2 Background 3/28
  4. 4. OSN apps • Apps used by hundreds of millions of social networking users • Games, horoscopes, quizzes, etc. • Access sensitive personal information (date of birth, email address, personal messages etc.) • Access to information of application user’s friends 4/28
  5. 5. Modus operandi of OSN apps • OSNs act as proxies between user and app developer • Personal information is transferred to developers • App developers themselves rely on third-parties (analytics, advertising products) • Custom hosting infrastructures • Approval of apps with authentication dialog 5/28
  6. 6. Facebook’s application authorization dialog (a) Unified Auth Dialog, April 2010 (b) Enhanced Auth Dialog, January 2012 (c) App Center Auth Dialog, May 2012 6/28
  7. 7. Section 3 AppInspect Framework 7/28
  8. 8. AppInspect Framework Search Module Classifier Module Analysis Module Online Social Network (OSN)Start Analysis App list App samples Target OSN (1) Search Apps App Directory Fetch directory Search exhaustively (3) Analyse network traffic (4) Fingerprint provider(2) Collect app details Third-Party Applications Figure: AppInspect, a framework for automated security and privacy analysis of social network ecosystems. 8/28
  9. 9. (1) Search Module • Enumerate applications for target social network • Simple scrapers Google+, single HTML page with few applications LinkedIn, easy to enumerate via applicationId • Facebook Majority of apps not in directories Numeric identifier brute force not feasible (1014 ) Exhaustive search: character n-grams, keywords, etc. LinkedIn Example GET / opensocialInstallation /preview? _applicationId =1000 Host: https :// www.linkedin.com 9/28
  10. 10. (2) Classifier Module • Application properties: rating, popularity, permissions, type Web scraping Redirection behavior • Language Detect and translate non-english applications Redirect example GET /apps/application.php?id =194699337231859 Host: www.facebook.com =⇒ Redirects to http :// yahoo.com 10/28
  11. 11. (3) Analysis Module • Traffic collection Applications are installed on test accounts HTTP(S) proxy collects network traffic • Web tracker identification Detection of analytics and advertising products • Information leaks Leakage of personal data, auth tokens to third parties • Hosting infrastructure fingerprint Fingerprint the underlying hosting infrastructure Search vulnerability databases for detected services 11/28
  12. 12. Section 4 Evaluation 12/28
  13. 13. Prototype • Analysis of Facebook’s application ecosystem • Non-intrusive security audits • AppInspect Prototype Python with mechanize, Mozilla Firefox + Adobe Flash Fast crawling, and realistic network samples • Traffic Analysis HTTP(S) interception proxy XML parser for network samples • Web tracker identification Based on Ghostery DB • Hosting infrastructure fingerprint Standard unix tools (dig, nmap) Exploit-DB, metasploit-DB 13/28
  14. 14. Enumerated Apps • Exhaustive search with character trigrams • 434,687 unique applications in two weeks • Validation against Socialbakers’ Facebook applications 0⋅10 0 1⋅10 7 2⋅107 3⋅107 4⋅10 7 5⋅107 6⋅107 1 10 100 1000 10000 100000 1e+06 0 % 10 % 20 % 30 % 40 % 50 % 60 % 70 % 80 % 90 % 100 % MonthlyActiveUsers(MAU) PercentofCumulativeMAU Enumerated Application Sample cumulative application usage application usage 14/28
  15. 15. Application Sample • 10,624 most popular apps 94.07% of cumulative usage • In-depth analysis on 4,747 apps which transfer user data Application Type Applications Total % Authentication Dialog 4,747 44.68% Canvas 2,365 22.26% Connect 2,260 21.27% Defect 865 8.14% Page Add-ons 280 2.64% Mobile 107 1.01% Total 10,624 100.00% Table: Classification of subsample with popular applications 15/28
  16. 16. Section 5 Results 16/28
  17. 17. Requested Permissions (n=4,747) App Category Permission game app Total % Publish posts to stream 1,617 819 51.32% Personal email address 1,055 1,132 46.07% Publish action 435 857 27.22% Access user’s birthday 582 428 21.28% Access user’s photos 721 99 17.27% Access data offline 517 120 13.42% Access user likes 438 153 12.45% Access user location 350 143 10.39% Read stream 409 80 10.3% Access friends’ photos 319 17 7.08% Table: Most common requested permissions by third-party applications 17/28
  18. 18. Permissions per Provider • 4,747 applications belonged to 1,646 distinct providers • 60.24% of all providers requested personal email address 0 5 10 15 20 25 30 35 40 45 50 0 200 400 600 800 1000 1200 1400 1600 Numberofpermissionsrequested Mean = 2.91246 18/28
  19. 19. Developers with ≥ 10 Permission Requests • 40 providers requested more than 10 permissions • Manually verified requested permissions vs. app functionality • Legitimate uses Dating and job hunting applications XBOX application (not available anymore) • Excessive permission requests Hor´oscopo Di´ario, 2.5 million monthly users Would require data of birth, 25 different permissions Request permission but do not use them Users do not seem to verify requested permissions 19/28
  20. 20. Internet Hosting Services • 55% of applications hosted in the US • 64 different countries in total Provider Location Total % Amazon EC2 US (755), IE (82), SG (52) 18.72% SoftLayer US (505) 10.65% Peak Hosting US (244) 5.14% Rackspace US (147), GB (11), HK (4) 3.41% GoDaddy SG (51), US (29), NL (6) 1.82% Linode US (72), GB (6), JP (2) 1.69% OVH FR (42), PL (7), ES (2) 1.04% Hetzner DE (47) 0.99% Internap US (35) 0.73% 20/28
  21. 21. Discovered Web Services • 55% Apache httpd, nginx (15.63%), Microsoft IIS (9.4%) • 2 hosts source code disclosure vulnerability (CVE-2010-2263) • 8 hosts ProFTPD buffer overflow (CVE-2006-5815, CVE-2010-4221) • Host with 1.2 million monthly users and sensitive information TCP Port Service Hosts % Total 22 ssh 662 40.22% 21 ftp 640 38.88% 25 smtp 572 34.75% 110 pop3 439 26.67% 143 imap 417 25.33% Table: Most common additional services on application hosts 21/28
  22. 22. Tracking and Advertisement Products Web bug Type Apps % Total Google Analytics analytics 3,378 71.16% DoubleClick advertising 529 11.14% Google Adsense advertising 361 7.61% AdMeld advertising 276 5.81% Cubics advertising 153 3.22% LifeStreet Media advertising 94 1.98% Google AdWords advertising 91 1.92% OpenX advertising 82 1.73% Quantcast analytics 49 1.03% ScoreCard Beacon analytics 48 1.01% Table: Common web trackers included in third-party applications 22/28
  23. 23. Information Leaks • 315 apps directly transferred personally identifiable information (via HTTP parameter) uuid, birthdate, gender GET socialanalytic -web -rest/rest/action /16/1000000000000/ wpc/ landingbirthday =5%2 F2%2 F2013&gender=male Host: removed from online version uuid, tracking! GET /delivery/ brandConnect .php?callback=siteUserId =1000000000000& siteId =1111& popup =0 Host: removed from online version 23/28
  24. 24. Information leaks II • 51 applications leaked unique user identifiers (HTTP Referer) • 14 out of 51 applications also leaked oAuth tokens Example leak, app with 4.7 million MAU GET /fnf/flash.php?hbref =&u=& page =-1& frli =& oauth_token= AAAAAAAAAAAAAAAAA &fbid =1000000000000& issec =0& locale=en_US: Host: removed from online version 24/28
  25. 25. Section 6 Discussion and Conclusion 25/28
  26. 26. Discussion • Reported our findings to Facebook in november 2012 Facebook responded quickly Facebook acknowledged problems and contacted developers Application issues fixed in May 2013 • Security and privacy implications Since January 2010 unproxied access to email address 60% of application providers request email address Social phishing, context-aware spam Users trackable with real name • Hosting Number of hosts possible vulnerable FTP/SSH bruteforce 26/28
  27. 27. Limitations • Limitation to Facebook canvas applications AppInspect adaption to other OSNs Mobile applications and websites • Detection of excessive permission requests App functionality vs. requested permissions Requires manual reviews • Detection of information leaks Obfuscated personal information Hidden back-ends for data transfer Offline passing on of data 27/28
  28. 28. Conclusion • Automated social app analysis is feasible • Helped to fix shortcomings in popular applications • Framework and dataset Plan: Release opensource version of code Datasets for social app research http://ai.sba-research.org 28/28

×