
So my name is Elenia, I'm a first year PhD student at the University of Paris. I'm also at the Internet of Things Institute at the University of Paris, which is about sensitive data, and therefore various applications, search terms, etc. goes to the whole data application server. But sometimes, users are just there to have the service. Therefore, we should use data travels. And how do the applications handle this data? and also go to your library to search. Number six, I'm not sure why many patients last year were in two categories. Using shopping, travel, etc. 51 were from the Apple App Store and tested them and the framework at the time was the Android. Over the years, two categories shared
messages address information age and what we use our laptop for. And we just connected to Microsoft. and all the keywords we used during our simulations. To ensure integrity of the capture data, we had to make sure that other users allowed the request for permission to create an app. So we did four experiments, passively observing traffic using virus tactics as you can see. We performed two manually-made attacks, one using verbs and using manually-made objects. I'm going to explain more after.
We use Wireshark, we run through the WiFi, we are a online network and we also explore and assess the ciphers used. Apps and servers use ciphers to negotiate terms and usually they have a list of ciphers used. We have our mobile phone and Wireshark. Results from the first test show that all the applications are yes. and they're not able to intercept any women. And also, we've figured out that 45 out of 51 eyes of the nation of Andrian have sent four-week ciphers, and that makes them rather able to tell us about the raid attack. And the ciphers are these. After this, the main task is to do something about it. The first one in the video. So the
main attack basically targets the super-human and splits the original DC protection into two new ones.
If the attacker is successful in normalizing the attack, it will be marked as a problem. So, we used the web search for that. We wanted to check if the client board tells the claim to me itself, so it generates a face and it presents it to the client. So, we had to make sure not to install the devices, just install them. If we were able to reset the traffic this way, then we could say that the app is vulnerable to each drop in identification. What about the results? Now the application has been presented and that is good, we could be in trouble. And once again, we weren't able to intercept. So, we moved on to the next
attack, the first one, instead of virtual tool, already the famous tool. The idea behind this attack was similar to the other one, but this time we installed the fake certificate into the device's trust code. And we also registered the market middle proxy as a mismanaged phone, which we can use to deploy. The passports are not valid so if you... I'll just open my card for the investment opportunity. I'm not going to see your grades and your modules and everything. So at the same time I have the request. The checker is not as great but... And my internet connection is just messing around although I don't see anything. So I am able to inspect these requests in money that is information sent
and where I can see the domain. So one of these post requests contains a good for this experience. I did this for Facebook as well, but it didn't work, because Facebook is an example of an application that you manually inspect the data goes where, and it will take you forever. So it does capture the communications, save them into a text file; it's quite quick to look through these files for all the keywords I use throughout my simulations, and to ensure the review of my results, every time that my script said "okay, I found an occurrence" I had to manually inspect this to make sure that, for example, 1990 was indeed So, some general on the results from this attack.
On the phone I got a warning about the things I didn't say in the chat about the apps. From the 51 applications, 31 didn't have a future in applications. From these 31, 21 forwarded it to 8 applications using 12 users. Google saw these are the correct ones. User names, passwords, emails, and text. And they also managed to capture user-demand passwords for Instagram, Glamour and EasyTel. And that was very successful. We're going to see exactly what they know about that. Gaming apps seem to transmit the data. It seems like Google is deep in the wrong state about the data that was sent by iOS applications. I'm going to go to the example that you can see here. I sent the email to Instagram
and EasyTel and they said "Wow, this is wrong." So I used the Responsible Disclosure Procedure to report my findings. Once again, so, for all these applications, what that means is that I present and place certificates to the apps, and the demands are about to be met. So no matter what I present to the app, it will not accept and open it into the certificate. So, to my asset, I generally download a tool which is not a tool. That is a purposeful task on my side, and therefore a video that shows the tool, I will not face it because it is an invention,
I used the disposal of the app requests and one of these actually entered my name and password. My internet was lost, sorry. I used 75% of the applications. Obviously, my device was jailbroken and I didn't allow it to operate. I'm glad because few were ranking in the social media apps. So, just a small comparison. All of the applications, both systems, employed SSL. 90% of iOS apps and 80% of Android apps weak ciphers. None of the applications accept the subs. The 60% of iOS and only 25% of Android forwarded data to the link, and 23% of iOS apps have almost turned off the opening. So here we can see the fire result which we can see in the system. Yeah, my
efforts were I had to have physical access, obviously. I go through trouble and generate my device, which is a mess, which was a personal surprise, but the Android 2.0 as we warn the user about what was less data. One application from I have a full list if you want to understand the language I have to... This work was last year's work, so at the time it was the post-current OS. I'm pretty sure the code was updated up to date, to the best of my knowledge, so... So, for example, you buy a phone now, it's for one year. Maybe that's the case, because this Android phone was used also being the kind of wallet. Let's say Android 7. Yeah, so, kind of
one of the students that I have are extending this work. So, he's going to compare paid apps as opposed to free apps as well, because he wants to see the difference. And we want to somehow see 0 days to remove 0 frames