Security and Privacy Threats to Mobile Social Networks – A Review

Satwinder Singh
Department of Computer Science & Engineering, Guru Nanak Dev University, Regional Campus Jalandhar, India
[email protected]

Mohit Pal Singh Birdi
Department of Computer Science & Engineering, Guru Nanak Dev University, Regional Campus Jalandhar, India
[email protected]

Abstract - A mobile social network (MSN) is a network of connected people who communicate with each other through their mobile phones or tablets. The growing number of users of such applications in general, and of location-aware applications in particular, exposes them to a range of security issues that must be resolved, and information posted on social networks is increasingly used in ways for which it was not originally intended. In this paper we discuss several issues related to the security and privacy of mobile social networks and outline possible solutions to mitigate them.

Index terms - Mobile social network (MSN), Privacy, Security.

I. INTRODUCTION
Smartphones now allow millions of people to stay in touch with their friends and families across the world at all times, and they provide a platform on which developers build social networking applications [1]. A mobile social network (MSN) is a network of mobile nodes, usually third-party mobile applications, that lets users connect with the world by posting or sharing content such as status messages, locations, photos or even videos. The first mobile chat application appeared in 1999, and this is taken as the starting point of the evolution of mobile social networks [2]. MSNs arose by combining social networks, as studied in social science, with mobile communication networks. Today social networks are integrated with location by attaching a geo-tag to multimedia content; geo-tags map directly onto world maps and give the location of the content. For example, Facebook provides location services such as check-ins. Many of these applications let you check whether anyone is near a particular attraction or location, and some notify you when one of your contacts or friends comes within a certain distance. MSNs such as Facebook, Twitter and Instagram also let a user send and receive individual and group text and multimedia messages. Compared to online social networks (OSNs), MSNs represent social interactions more realistically, mainly because mobile phones are more common than Internet-based communication in everyday life.

Security is a major concern, and one that is not unique to MSNs. Safety can be described as the state of being protected against various types of error, failure, damage, harm, accident or any other undesirable event [3]. The basic aim of security in MSNs is to protect information against attacks and misbehaviour throughout the network. Privacy is also a major safety concern in MSNs, and one that has recently received more attention than ever before. This paper briefly outlines the various security and privacy threats to MSNs.

II. RELATED WORK
In [3] the authors show that in both peer-to-peer and client-server MSNs a user's privacy can be compromised by intercepting the login information and the location of the login. They call these privacy attacks direct anonymity attacks: the exposure of user names and locations, in both peer-to-peer and client-server systems, allows users to be identified. They also describe indirect anonymity, or k-anonymity, issues, in which information such as a favourite movie is mapped back to the user's profile to extract the user's identity, and they propose an identity server as a solution to both problems. A practical definition of k-anonymity is given in [4], which shows that MSNs can give privacy guarantees to users of their API. That paper presents Social-K, a new approach to k-anonymizing social network data whereby data is released without modification as long as the k-anonymity constraints are met, and is otherwise selectively withheld. In [5] the researchers propose a two-pass k-anonymity algorithm built on an existing k-anonymity algorithm. Their experiments show that the method improves anonymization both in running speed and in reduced information loss. Using subset characteristics they can mark a large number of lattice nodes; however, their method is not fast at finding non-anonymous nodes. As future work they consider combining a degree-priority method with the OLA method: compute the height of the minimum k-anonymity node with OLA, then use degree priority to find the lattice nodes near this height, which should speed up the anonymization algorithm. The authors of [6] and [7] were among the first to raise awareness of information extraction vulnerabilities in social networks. While their techniques were straightforward (automated scripts that retrieve web pages), their results eventually led to security improvements in social networking services. Jagatic et al. [8] showed that the success rate of phishing attacks could be raised from 16 to 72 percent by using "social data"; the findings of [8] were further confirmed by the experiments reported in [9].

According to the fraud report "Phishing and The Social World" (October 2012) presented by EMC, about 20% of U.S. citizens were users of social networks four years earlier, and the figure has since risen to 50%. Research done by Microsoft a few years ago found that phishing through social networks accounted for only 8.3% of all phishing attacks in early 2010, while by the end of 2011 84.5% of phishing attacks were delivered through social media. One privacy enhancement mechanism, presented in [10], is onion routing. In onion routing, messages are repeatedly encrypted and routed through a group of collaborating nodes so that intermediary nodes do not learn the origin, destination and content of the message. Like someone peeling an onion, each onion router removes one layer of encryption to uncover its routing instructions and forwards the message to the next router, where the process is repeated. To combine onion routing with multicast routing in mobile networks, Aad et al. [11] introduced methods that improve anonymity by using Bloom filters to compress and obscure a packet's routing list.

III. PRIVACY AND SECURITY THREATS
In this section some major privacy and security issues are discussed. We give the reader the basic details of these threats, which may help other researchers find solutions to them.

A) Direct Anonymity Issues
The information exchange model of an MSN provides little protection for the user's privacy. An MSN lets the user personalize its features, and for this purpose applications built on Facebook, Twitter and similar services request the user's information through the service's API; the user must agree to give his or her information to the application. In systems such as WhozThat and SocialAware, anyone with a Bluetooth device can secretly query the social network ID that a nearby mobile user shares. Data transmitted over the wireless link in the clear undermines whatever link-layer encryption exists [12]. In SocialAware-style systems a user can also be tracked by logging the time and date at which each stationary device detects the user's social network ID. By gathering all the information that is obtainable in a client-server mobile social network system, a history of the user's locations and times can be built, compromising the user's privacy; and anyone who obtains the user's social network ID can also access the user's public profile information. The cleartext exchange of social network IDs in systems such as WhozThat and SocialAware therefore creates security and privacy risks in which the user's anonymity is directly compromised; these are called direct anonymity attacks. Such attacks are also possible in client-server mobile social network systems. There the social network IDs are generally not exchanged directly between mobile devices, but a mobile or stationary device can still track a user by logging the date and time at which it detects the user, and in these systems each device can discover the social network user names and full names of nearby users. Thus we have a direct anonymity issue: the exposure of user names and locations in client-server systems allows the user's anonymity to be compromised.
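The following Python program is an added example, not code from the paper or from the WhozThat and SocialAware systems it discusses. It builds the location history that the direct anonymity attack above produces from constructed sniffer log lines, then rewrites the same log under a rotating-pseudonym scheme (an assumption of ours, in the spirit of the identity server proposed in [3], not a mechanism those systems implement) and shows that the sightings can no longer be linked by an observer who does not hold the per-user secret.

```python
"""Direct anonymity: linking clear-text beacon sightings into a location trace.

Added example, not code from the paper or from the WhozThat/SocialAware
systems it discusses. The log lines below are constructed: they stand for
records kept by stationary Bluetooth sniffers that saw a social network ID
broadcast in the clear, as section III.A describes.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sniffer log: sensor location, ISO timestamp, value seen in the
# beacon. With WhozThat-style beacons the value is the user's social network ID.
CLEARTEXT_LOG = """\
cafe_main_st 2014-03-02T08:05:10 fb:1002345
library_east 2014-03-02T09:40:51 fb:1002345
cafe_main_st 2014-03-02T08:07:02 fb:2007781
gym_west     2014-03-02T18:15:33 fb:1002345
"""


def parse_log(text):
    """Yield (sensor, timestamp, beacon_value) from the sniffer log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        sensor, ts, value = line.split()
        yield sensor, ts, value


def build_traces(text):
    """Group sightings by beacon value: a static ID turns a user's day into a trace."""
    traces = defaultdict(list)
    for sensor, ts, value in parse_log(text):
        traces[value].append((ts, sensor))
    for value in traces:
        traces[value].sort()          # ISO timestamps sort chronologically
    return dict(traces)


# Mitigation sketch (our assumption, not from the paper): rotate the beacon
# value every epoch so that only the identity server, which knows the
# per-user secret, can link two sightings of the same user.
def pseudonym(user_id, secret, epoch):
    """HMAC-derived per-epoch pseudonym, truncated to 64 bits for readability."""
    msg = f"{user_id}|{epoch}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def epoch_of(ts, minutes=30):
    """Map an ISO timestamp to a 30-minute epoch index within the day."""
    hh, mm = ts[11:13], ts[14:16]
    return (int(hh) * 60 + int(mm)) // minutes


def rotate_log(text, secrets):
    """Rewrite the constructed log as it would look with rotating pseudonyms."""
    out = []
    for sensor, ts, value in parse_log(text):
        out.append(f"{sensor} {ts} {pseudonym(value, secrets[value], epoch_of(ts))}")
    return "\n".join(out) + "\n"


def longest_trace(traces):
    """Largest number of sightings the observer can link to one beacon value."""
    return max((len(v) for v in traces.values()), default=0)


if __name__ == "__main__":
    clear = build_traces(CLEARTEXT_LOG)
    print("static IDs :", {k: [s for _, s in v] for k, v in clear.items()})
    secrets = {"fb:1002345": b"k1", "fb:2007781": b"k2"}  # held by the identity server
    rotated = build_traces(rotate_log(CLEARTEXT_LOG, secrets))
    print("rotating   :", longest_trace(rotated), "sighting(s) linkable per pseudonym")
```

With static IDs the observer links all three sightings of fb:1002345 into a cafe, library, gym itinerary; with per-epoch pseudonyms every sighting stands alone. Rotation does not help against an observer who can also see the device's Bluetooth address, which is why address randomization has to accompany it.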
B) Indirect or K-Anonymity Issues
Even when the user does not directly give out identifying information, information such as preferences or a favourite sport can be mapped back to the user's profile through the social networking site and through stationary devices in the environment. When a piece of information indirectly compromises the user's identity, there is an indirect anonymity problem. For instance, when a unique piece of information such as the list of the user's favourite sports is given out, that information may be easily mapped back to the user. The k-anonymity problem arises when n pieces of information, or n sets of associated information, can be used together to map back uniquely to the user's identity. The most challenging task is to design an algorithm that decides what information should or should not be given out in order to preserve the anonymity of the users involved; the diversity and abundance of social network information makes this harder still. Formally, the problem is to find which personal information can be shared out such that the information cannot be used to relate the user's identity to a particular attribute. In some data sets a high percentage of records can be re-identified: Sweeney shows how re-identification is done by linking hospital records with voter records [13]. K-anonymity guarantees that an individual's released information cannot be distinguished from that of at least k-1 other individuals. The k-anonymity guarantee problem concerns the minimal sufficient sets, that is, the minimum number of sets that are enough to account for all the released information: there can be at most k-1 minimal sets that are not subsets of each other, and every other sufficient set is a superset of some minimal set. Determining the minimal sets is equivalent to simplifying a Boolean expression in which conjunction (AND) is used within a sufficient set and disjunction (OR) between sets. A set of data for which more than k-1 minimal sets exist is admissible under a k-anonymity guarantee of k.

Consider two sets, 1 and 2, where 1 is the set of all users and 2 is the set of all social network information supplied to a mobile social network application. The information in 2 is in a many-to-many relation with 1, since a user can have many pieces of information related to him or her and many users may be related to the same piece of information. The problem is to define an admissible set under a k-anonymity guarantee, that is, to decide whether or not a subset x of 2 is admissible. This problem is important because it gives users a way to take advantage of new mobile social networking applications without compromising their privacy. The k-anonymity problem exists in both client-server and peer-to-peer mobile social systems, because both require the sharing of users' social network profile data with other users of the system.
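As an added example, not code from the paper or from Social-K [4], the following Python program shows both halves of the problem described above on constructed data: a Sweeney-style linkage of anonymized "hospital" rows to a named "voter" list on quasi-identifiers [13], and an admissibility test for a subset x of a user's profile information. The admissibility test implements our reading of the definition (x is admissible under a guarantee of k when at least k users in the population hold every item in x), and the release policy that withholds items one at a time is likewise our construction, not the algorithm of [4].

```python
"""Re-identification by record linkage, and a k-anonymity admissibility check.

Added example, not code from the paper or from Social-K [4]. Both data sets
are constructed. `admissible` implements one reading of section III.B: a
released subset x of profile information is admissible under a guarantee of
k when at least k users are consistent with x (each holds every item in x).
"""
from itertools import combinations

# Constructed "hospital" records published without names, and a constructed
# "voter" list published with names, as in Sweeney's linkage attack [13].
HOSPITAL = [
    {"zip": "80302", "dob": "1979-03-12", "sex": "F", "diagnosis": "asthma"},
    {"zip": "80302", "dob": "1981-07-30", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "80305", "dob": "1979-03-12", "sex": "F", "diagnosis": "flu"},
]
VOTERS = [
    {"name": "A. Example", "zip": "80302", "dob": "1979-03-12", "sex": "F"},
    {"name": "B. Example", "zip": "80302", "dob": "1981-07-30", "sex": "M"},
    {"name": "C. Example", "zip": "80305", "dob": "1979-03-12", "sex": "F"},
    {"name": "D. Example", "zip": "80305", "dob": "1982-01-01", "sex": "F"},
    {"name": "E. Example", "zip": "80302", "dob": "1979-03-12", "sex": "F"},
]
QUASI = ("zip", "dob", "sex")


def link_records(anon_rows, named_rows, quasi=QUASI):
    """Return {name: diagnosis} for every anonymous row explained by exactly one named row."""
    found = {}
    for row in anon_rows:
        key = tuple(row[q] for q in quasi)
        matches = [n for n in named_rows if tuple(n[q] for q in quasi) == key]
        if len(matches) == 1:           # a unique match re-identifies the row
            found[matches[0]["name"]] = row["diagnosis"]
    return found


# Constructed MSN profile data: a many-to-many relation between users (set 1)
# and profile items (set 2), as section III.B describes.
PROFILES = {
    "u1": {"sport:climbing", "city:boulder", "film:alien"},
    "u2": {"sport:climbing", "city:boulder", "film:heat"},
    "u3": {"sport:climbing", "city:denver", "film:alien"},
    "u4": {"sport:running", "city:boulder", "film:alien"},
    "u5": {"sport:climbing", "city:boulder", "film:alien"},
}


def consistent_users(profiles, released):
    """Users who hold every released item: the adversary's candidate set."""
    return {u for u, items in profiles.items() if released <= items}


def admissible(profiles, released, k):
    """Releasing `released` is admissible under k-anonymity if >= k users fit it."""
    return len(consistent_users(profiles, released)) >= k


def release(profiles, user, requested, k):
    """Release-or-withhold policy in the spirit of Social-K (our construction).

    Items are tried one at a time in sorted order; an item is withheld when
    adding it would shrink the candidate set below k.
    """
    granted = set()
    for item in sorted(requested & profiles[user]):
        if admissible(profiles, granted | {item}, k):
            granted.add(item)
    return granted


def all_admissible_subsets(profiles, user, k):
    """Every subset of the user's items that could be released as a whole."""
    items = sorted(profiles[user])
    out = []
    for r in range(1, len(items) + 1):
        for combo in combinations(items, r):
            if admissible(profiles, set(combo), k):
                out.append(frozenset(combo))
    return out


if __name__ == "__main__":
    print("re-identified:", link_records(HOSPITAL, VOTERS))
    print("u1 full profile admissible at k=2:", admissible(PROFILES, PROFILES["u1"], 2))
    print("released for u3 at k=2:", release(PROFILES, "u3", PROFILES["u3"], 2))
```

In the constructed data two voters share the first hospital row's quasi-identifiers, so that row survives the linkage while the other two are re-identified; and for user u3 the single item city:denver is enough to single the user out, so the policy withholds it and releases only the film and sport items, which together still leave three candidates.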
C) Phishing Attack
Mobile devices are constrained by small screens, and the operating systems and browsers of mobile devices lack secure application identity indicators. While interacting with a website or mobile application, the user cannot be certain whether he or she is interacting with the trusted website or application, so there is a risk of being exposed to a malicious application. Websites and mobile applications frequently link to each other to share data or to connect the user to a related service; for instance, a news-related website may link to the BBC or CNN news application. In such an inter-application link the sender application chooses the target application, and after following the link the user may supply the target application with authentication credentials or payment information.

Because of the lack of secure identity indicators, an inter-application link can be subverted so that the user is linked to an untrusted target. Phishing attacks of this kind are of two types. In a direct phishing attack the sender is itself a malicious application which, instead of linking to the real target application, sends the user to its own spoofed screen. In a man-in-the-middle attack the sender is benign, but another party intercepts the link and loads a spoofed target application instead of the intended one. These attacks work because users become accustomed to entering their passwords in repeated, familiar settings: when a user frequently encounters legitimate links that ask for private data, the user becomes conditioned to supply the requested data reflexively. 40% of smartphone users enter private details such as passwords into their phones at least once a day [14], and most mobile social applications link the user to password-protected social network and payment applications, so users are trained to enter their credentials without thinking. It is possible to build such phishing attacks on both Android and iOS. The attacks are categorized according to whether the sender and target are mobile applications or websites: mobile-to-web, mobile-to-mobile, web-to-mobile and web-to-web.

D) Eavesdropping, Replay, Spoofing and Wormhole Attacks
When a user's social network ID is intercepted in a peer-to-peer mobile social network system, it can be used to mount replay and spoofing attacks. In a spoofing attack a malicious user pretends to be the real user whose social network ID was compromised, simply by replaying the intercepted ID to a stationary or mobile device that requests the user's social network ID. A replay attack is thus the malicious repetition of a compromised user's ID in order to carry out a spoofing attack. A wormhole attack is a particular kind of replay attack [15].
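The replay and spoofing attacks just described, and the defence that removes them, as an added example that is not code from the paper or from the WhozThat and SocialAware systems. The program simulates two verifier designs: one that accepts any social network ID it is shown, so an ID sniffed once can be replayed anywhere, and one that issues a fresh random nonce and accepts only an HMAC over that nonce computed with a per-user secret. The challenge-response protocol is our assumption (it presumes a secret shared between the user's device and an identity server or the verifying device), not a protocol those systems use.

```python
"""Replaying a sniffed social network ID, and a challenge-response check that
defeats it. Added example, not code from the paper or the systems it discusses;
the nonce/HMAC protocol is an assumption of ours.

`StaticIdVerifier` believes whatever ID is presented, as in section III.D.
`ChallengeVerifier` sends a random nonce and accepts only an HMAC over it,
so an answer captured at one place and time (which is what a wormhole relay
of old traffic would present) is useless at another.
"""
import hashlib
import hmac
import secrets


class StaticIdVerifier:
    """A stationary device that asks for the ID and believes it."""

    def __init__(self, known_ids):
        self.known_ids = set(known_ids)

    def accept(self, presented_id):
        return presented_id in self.known_ids


class ChallengeVerifier:
    """A device that issues a nonce and checks an HMAC answer bound to it."""

    def __init__(self, user_keys):
        self.user_keys = dict(user_keys)   # user_id -> secret shared with the user's device
        self.outstanding = {}              # user_id -> nonce awaiting an answer

    def challenge(self, user_id):
        nonce = secrets.token_bytes(16)
        self.outstanding[user_id] = nonce
        return nonce

    def accept(self, user_id, answer):
        nonce = self.outstanding.pop(user_id, None)   # each nonce is usable once
        key = self.user_keys.get(user_id)
        if nonce is None or key is None:
            return False
        expected = answer_for(key, user_id, nonce)
        return hmac.compare_digest(expected, answer)


def answer_for(key, user_id, nonce):
    """The honest client's response: HMAC-SHA256(key, user_id || nonce)."""
    return hmac.new(key, user_id.encode() + nonce, hashlib.sha256).digest()


def run_static_replay(user_id):
    """Attacker replays an ID sniffed from the air at a distant device."""
    sniffed = user_id                        # a clear-text beacon gives this away
    far_away_device = StaticIdVerifier({user_id})
    return far_away_device.accept(sniffed)   # spoofing succeeds


def run_challenge_replay(user_id, key):
    """Attacker records one honest exchange and replays the answer later and elsewhere."""
    home = ChallengeVerifier({user_id: key})
    n1 = home.challenge(user_id)
    recorded_answer = answer_for(key, user_id, n1)   # captured from the air
    honest_ok = home.accept(user_id, recorded_answer)

    far_away = ChallengeVerifier({user_id: key})
    far_away.challenge(user_id)                      # fresh nonce, not n1
    replay_ok = far_away.accept(user_id, recorded_answer)
    second_ok = home.accept(user_id, recorded_answer)   # home's nonce was consumed
    return honest_ok, replay_ok, second_ok


if __name__ == "__main__":
    print("static ID replay accepted:", run_static_replay("fb:1002345"))
    print("(honest, replay elsewhere, replay again):",
          run_challenge_replay("fb:1002345", b"user-secret"))
```

The nonce is what breaks the wormhole: relaying an honest user's traffic to a distant device only helps the attacker if that device would accept an answer computed for someone else's challenge, and with a fresh 128-bit nonce per query it will not. The remaining cost is that every verifying device needs a way to obtain or delegate the per-user secret, which is the role an identity server would play.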
In a wormhole attack, wireless transmissions captured at one end of the network are replayed at another end. A malicious user could use a wormhole attack to capture user IDs in systems such as WhozThat and SocialAware and masquerade as a user at a distant location. These systems are so vulnerable to such replay attacks that we cannot assure the users who participate in them that the other participants are who they claim to be. Furthermore, these attacks could be used for malicious purposes: for instance, a malicious user could present a compromised social network ID at a specific time and place while committing a crime. Spoofing attacks thus present a serious security problem in mobile social network systems.

In a wireless network a malicious user can also eavesdrop on the information transmitted by the user when the user requests social network profile information from a social network server, and so intercept the user's social network ID. For instance, when a mobile device in a peer-to-peer system uses HTTP (RFC 2616) instead of HTTPS (RFC 2818) to connect to the Facebook REST API server [16], the user's information can be intercepted in cleartext when it is returned by the Facebook API server. Interception of this profile information allows the malicious user to take control of the victim's privacy controls and to access the user's profile information. By using robust security protocols such as HTTPS, in conjunction with client authentication using a username and password or client certificates, eavesdropping, spoofing, replay and wormhole attacks can be defended against; for this reason these attacks are not major threats to client-server mobile social network systems. Unless the user's social network login credentials are compromised, it is nearly impossible for a malicious user to masquerade as that user.
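The cleartext interception described above, as an added example that is not code from the paper: a small audit that walks captured HTTP exchanges and reports what an eavesdropper on the wireless link would have obtained. The captures are constructed, and the host names in them are placeholders rather than any real API endpoint. The audit flags access tokens and session cookies sent over plain HTTP, which is the eavesdropping of this section and also the cookie sniffing that the session hijacking discussed in section E relies on, and flags Set-Cookie headers that omit the Secure or HttpOnly attributes, since a cookie set without Secure will be sent over HTTP later even if the login itself used HTTPS.

```python
"""Finding secrets that a mobile client leaks by talking HTTP instead of HTTPS.

Added example, not code from the paper. The captured exchanges below are
constructed and the host names are placeholders; they stand for what an
eavesdropper on the wireless link sees.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed captures: (scheme the client used, raw request, raw response).
CAPTURES = [
    ("http",
     "GET /me?access_token=AAABsampleToken HTTP/1.1\r\n"
     "Host: api.example-social.test\r\n"
     "Cookie: sid=9f4d2c1e7b\r\n\r\n",
     "HTTP/1.1 200 OK\r\n"
     "Set-Cookie: sid=9f4d2c1e7b; Path=/\r\n"
     "Content-Type: application/json\r\n\r\n{\"id\":\"1002345\"}"),
    ("https",
     "POST /login HTTP/1.1\r\n"
     "Host: www.example-social.test\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "email=a%40example.test&pass=hunter2",
     "HTTP/1.1 302 Found\r\n"
     "Set-Cookie: sid=1a2b3c; Path=/; Secure; HttpOnly\r\n\r\n"),
]

SECRET_HEADERS = ("cookie", "authorization")
SECRET_PARAMS = ("access_token", "pass", "password")


def parse_message(raw):
    """Split an HTTP message into (start line, {lowercased header: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def secrets_in_request(raw):
    """Names of secret-bearing headers and query/body parameters in a request."""
    start, headers, body = parse_message(raw)
    method, target, _ = start.split(" ", 2)
    found = [f"header:{h}" for h in SECRET_HEADERS if h in headers]
    params = parse_qs(urlsplit(target).query)
    if headers.get("content-type", [""])[0].startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(body))
    found += [f"param:{p}" for p in SECRET_PARAMS if p in params]
    return found


def weak_set_cookies(raw_response):
    """Cookies set without Secure or HttpOnly, as (name, missing-attributes)."""
    _, headers, _ = parse_message(raw_response)
    weak = []
    for sc in headers.get("set-cookie", []):
        name = sc.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in sc.split(";")[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            weak.append((name, missing))
    return weak


def audit(captures):
    """One finding string per problem, in capture order."""
    findings = []
    for i, (scheme, req, resp) in enumerate(captures):
        if scheme == "http":
            for item in secrets_in_request(req):
                findings.append(f"capture {i}: {item} sent over cleartext HTTP")
        for name, missing in weak_set_cookies(resp):
            findings.append(f"capture {i}: cookie {name} set without {'/'.join(missing)}")
    return findings


if __name__ == "__main__":
    for line in audit(CAPTURES):
        print(line)
```

On the constructed captures the first exchange yields the session cookie and the API access token in the clear and sets the cookie without Secure or HttpOnly; the second, over HTTPS with both attributes set, yields nothing. The same check run over a real capture of a mobile client is the quickest way to confirm whether the "use HTTPS" advice above has actually been applied end to end, including the API calls made after login.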

E) HTTP Session Hijacking
HTTP session hijacking, sometimes referred to as cookie hijacking, is an attack in which the attacker exploits the session control mechanism, which is usually managed by a session variable or token. This man-in-the-middle attack is used to obtain secret information about the active session and context-aware information about the victim and the victim's friends, which can then be used to send context-aware spam.

Fig. 1 HTTP Session Hijacking of Social Network Users

Figure 1 shows how session hijacking is carried out against mobile social network users. The attacker first tries to sniff the session ID or session variable exchanged with social sites such as Facebook, Twitter or Google+; sniffing the session is very easy for the attacker if the traffic is not protected by encryption. The attacker then copies the HTTP header that carries the session cookie and can use the hijacked HTTP session to access the victim's profile and personal information such as phone number or email address. The attacker may also use A's profile to capture the secret details of A's friends (B, C, D) in order to execute context-aware spam.

IV. RESEARCH GAPS
A lot of research is being done in the field of security and privacy in mobile social networks, but some hidden security and privacy threats are yet to be discovered. This paper highlights some of these issues and does not provide solutions to them, so the basic research gap is to find possible solutions for mitigating these threats. Some solutions have been proposed by researchers, such as the implementation of an identity server to mitigate the direct and indirect anonymity issues. In future, researchers must provide protocols that help to reduce the risk of security and privacy leaks in mobile social networks.

V. CONCLUSION
In this paper we have surveyed various issues related to privacy and security in mobile social media. We hope our survey of these issues provides a basic platform for other researchers to find possible solutions. As social media and mobile usage increase day by day, users of these media encounter new issues, and coming up with solutions for these latest issues is quite challenging for researchers. Our survey may help in addressing some of the other related issues with social media.

REFERENCES
[1] A. Beach, M. Gartrell, and R. Han, "Solutions to Security and Privacy Issues in Mobile Social Networking," University of Colorado at Boulder.
[2] N. Lane and N. Walton-Flynn, "White Paper - Mobile Social Networking."
[3] Y. Najaflou, B. Jedari, F. Xia, L. T. Yang, and M. S. Obaidat, "Safety Challenges and Solutions in Mobile Social Networks," IEEE Wireless Communications, vol. 21, no. 1, Feb. 2014, pp. 33-41.
[4] A. Beach, M. Gartrell, and R. Han, "Social-K: Real-Time K-Anonymity Guarantees for Social Network Applications," University of Colorado at Boulder.
[5] Zhao FeiFei, Dong LiFeng, Wang Kun, and Li Yang, "Study on Privacy Protection Algorithm Based on K-Anonymity," 2012 International Conference on Medical Physics and Biomedical Engineering, Physics Procedia 33 (2012), pp. 483-490.
[6] R. Gross and A. Acquisti, "Information revelation and privacy in online social networks (the Facebook case)," in Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, 2005, pp. 71-80.
[7] H. Jones and J. H. Soltren, "Facebook: Threats to Privacy," Project MAC: MIT Project on Mathematics and Computing, 2005.
[8] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, "Social phishing," Communications of the ACM, vol. 50, no. 10, pp. 94-100, 2007.
[9] G. Brown, T. Howe, M. Ihbe, A. Prakash, and K. Borders, "Social networks and context-aware spam," in Proceedings of the ACM 2008 Conference on Computer Supported Cooperative Work, ACM, New York, NY, USA, 2008, pp. 403-412.
[10] D. Goldschlag, M. Reed, and P. Syverson, "Onion routing," Commun. ACM, vol. 42, no. 2, pp. 39-41, Feb. 1999.
[11] I. Aad, C. Castelluccia, and J. P. Hubaux, "Packet coding for strong anonymity in ad hoc networks," in Proc. Securecomm Workshops, 2006, pp. 1-10.
[12] A. Becker, "Bluetooth security & hacks," http://gsyc.es/_anto/ubicuos2/bluetooth security and hacks.pdf.
[13] L. Sweeney, "Uniqueness of simple demographics in the U.S. population," LIDAP-WP4, 2000.
[14] M. Jakobsson, E. Shi, P. Golle, and R. Chow, "Implicit Authentication for Mobile Devices," in HotSec, 2009.
[15] R. Maheshwari, J. Gao, and S. Das, "Detecting wormhole attacks in wireless networks using connectivity information," in 26th IEEE Conference on Computer Communications (INFOCOM 2007), May 2007.
[16] "API - Facebook Developers Wiki," http://wiki.developers.facebook.com/index.php/API.