|Title: Perplexed Messengers from the Cloud: Automated Security Analysis of Push-Messaging Integrations
Time: 2016年1月27日(周三), 上午10:00-11:30
Speaker: 陈恺, 中科院信工所
Organizer: 中科院计算所 武成岗老师，wucg[AT]ict.ac.cn
We report a large-scale, systematic study on the security qualities of emerging push-messaging services, focusing on their app-side service integrations. We identified a set of security properties different push messaging services (e.g., Google Cloud Messaging) need to have, and automatically verified them in different integrations using a new tool, called Seminal. Using this tool, we studied 30 leading services around the world, and scanned 35,173 apps. Our findings are astonishing: over 20% apps in Google Play and 50% apps in mainstream Chinese app markets are riddled with security-critical loopholes, putting a huge amount of sensitive user data at risk. Also, our research brought to light new types of security flaws never known before, which can be exploited to cause serious confusions among popular apps and services (e.g., Facebook, Skype, Yelp, Baidu Push). Taking advantage of such confusions, the adversary can post his content to the victim’s apps in the name of trusted parties and intercept her private messages.