Abstract

Mobile device-to-device (D2D) networking has become a standardized feature in many mobile devices, allowing them to communicate with each other even when commercial Internet access is not available. Because D2D networking is expected to be an intrinsic part of the Internet of Things (IoT), and because the mobile device is the smartest and most advanced commercial device in everyday use, the D2D feature and the related security protocols it adopts influence the design and implementation of many other IoT devices. While D2D networking provides tangible benefits to users, it also raises the security risk of information leakage. This paper presents an in-depth empirical security analysis of mobile D2D networking among Android devices. Android apps can establish a mobile D2D network in various ways, including Wi-Fi hotspot, Wi-Fi Direct, and Bluetooth. These mobile D2D protocols normally use different protection mechanisms, which makes security investigation considerably challenging. In this paper, we focus on the most popular apps in the Google Play Store, with aggregate downloads of more than 500 million. Our analysis reveals some critical vulnerabilities. The key findings are twofold. First, the current mobile D2D network framework enabled by Android has a significant overprivilege flaw. Second, we have identified that most data transferred over mobile D2D networks is unencrypted. Furthermore, we exploit the identified Android framework flaws to construct three proof-of-concept attacks, and we conclude the paper with security lessons and suggestions of possible solutions to the identified security issues.
