Tuesday, November 11, 2014

WeChat – A good example of bad API security!

Over the last few days Muhammad Haris has been looking into network traffic data of mobile applications for research related to mobile privacy and security. In the process, we discovered a shocking vulnerability in the very famous WeChat messenger application. First, for those of you who have never heard of WeChat: it is the primary messenger app in the Asian region, specifically China, used by half a billion individuals.

This app has one important feature named moments. Through this feature users can share photos and status updates with their friends only. For the sake of privacy, photos and status updates shared by your friends are visible only to you in your moments (not to friends-of-friends by default, as on a Facebook wall). Similarly there is another feature, the album, which lets you see all the pictures and status updates shared by a particular friend. You can visit your friends' albums through their profiles. The important point to note here is that the official explanation by WeChat states that things shared on moments (and the album) are visible to your friends only. However, it seems that the backend communication between the WeChat application and its server suffers from serious security flaws. Let me take you there step by step.

To capture mobile application data Haris used Fiddler, which is a very nice proxy; should you wish to use Fiddler to capture your mobile data, you can follow this nice tutorial by Troy Hunt.

If you visit WeChat moments on your phone, all the pictures visible in your moments are loaded over HTTP. Hence just by looking at the mobile traffic data in Fiddler you can get all the moments' pictures. Picture 1 shows Haris's WeChat moments; his friend has shared some photos of his hiking trip.
Now in picture 2, as we browse over moments, the highlighted packets are sent by the WeChat server to the application on the phone. Notice that the protocol used for these packets is HTTP, which means photo data is not sent over a secured HTTPS channel.


In pictures 3 and 4 we see selected individual packets; you can see the same pictures of his friend that appear in the moments.

This simply means that if a WiFi provider collects the raw packets on the channel from mobile devices, they can easily get all the photos of your friends as soon as you visit moments in your WeChat. As a result, on one hand personal photos (of you and your friends) can be leaked, and on the other hand a malicious WiFi provider can also infer your social links by looking at the pictures. This just illustrates how harmful poorly implemented API (application programming interface) security can be!
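The check a reviewer of an app's traffic would want to run is exactly the one described above: go through the captured flows and flag every image that travelled over plaintext HTTP. The following is an added example, not code from the original post or from WeChat; the flow records and host names are constructed, and it also catches images whose Content-Type is mislabelled by looking at the file signature.

```python
# Added example: flag image payloads fetched over plaintext HTTP, the failure
# mode described above. Flow records and hosts below are constructed, not real traffic.
from dataclasses import dataclass

# File signatures of common image formats, checked in addition to Content-Type,
# because a server may label an image as application/octet-stream.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

@dataclass
class Flow:
    scheme: str        # "http" or "https", as a capturing proxy records it
    host: str
    path: str
    content_type: str  # response Content-Type header
    body: bytes        # first bytes of the response body

def image_kind(flow):
    """Return the image type of a response, or None if it is not an image."""
    if flow.content_type.lower().startswith("image/"):
        return flow.content_type.split("/", 1)[1].lower()
    for magic, kind in IMAGE_MAGIC.items():
        if flow.body.startswith(magic):
            return kind
    return None

def cleartext_image_flows(flows):
    """Flows carrying an image over plaintext HTTP: readable by anyone on the path."""
    return [f for f in flows if f.scheme == "http" and image_kind(f) is not None]

def summarize(flows):
    """Count plaintext images per host, so the noisiest endpoint stands out."""
    counts = {}
    for f in cleartext_image_flows(flows):
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts

# Constructed sample capture: two plaintext image fetches (one mislabelled),
# plus an HTTPS image and a plaintext JSON call that must not be flagged.
SAMPLE = [
    Flow("http", "img.example.invalid", "/moments/1.jpg", "image/jpeg", b"\xff\xd8\xff\xe0"),
    Flow("http", "img.example.invalid", "/moments/2", "application/octet-stream", b"\x89PNG\r\n\x1a\n"),
    Flow("https", "img.example.invalid", "/moments/3.jpg", "image/jpeg", b"\xff\xd8\xff\xe0"),
    Flow("http", "api.example.invalid", "/sync", "application/json", b'{"ok":1}'),
]
```

Running `summarize(SAMPLE)` reports the two plaintext images for `img.example.invalid` and nothing for the API host.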

In comparison with other OSNs, Instagram seems to be still suffering from similar security issues, but in the case of WeChat there is no need to hijack any sessions; it's all open by default! Google offered full encryption as an option for Gmail in 2008, but two years later made it the default. Facebook switched it on by default in January 2011.


Saturday, July 5, 2014

Privacy-preserving Adsense Systems Using Delay Tolerant Networking

An undergrad student of mine did this work based on our research on MobiAd, which I found pretty impressive!



With the ever-increasing number of smart phones, a growing number of people view advertisements on their phones and hence the smart phone advertising market has become rich and noticeable. To raise click-through rate and maximize profit, ad brokers ensure their ads are more personalized and targeted. Therefore, they collect personal information to build an accurate user profile. The use of sensitive and personal information may raise privacy concerns. In this paper we focus on using Delay Tolerant Networking (DTN) to anonymize click reports, aiming to stop attackers tracking and identifying users based on behaviour and location. The results of our simulations prove that a few-hop DTN-based system can protect users' identity and privacy while not heavily increasing their energy costs.

http://www.eecs.qmul.ac.uk/~hamed/papers/advdtn.pdf

Monday, May 19, 2014

Do-Not-Record-Me: Quantified Self and the Privacy Challenge

We are increasingly surrounded by recording and quantifying devices. Devices such as Google Glass can record images and sound from an individual, even if the owner of the device has no such intentions. Can we use a Privacy-Beacon to avoid this? Something like a local-area broadcast that forces, or at least politely asks, the intruding device either not to record an individual, or to remove their data after recording has been done? In a short note, Ian Brown and I think this is possible! Here's a short note on this topic:

The increasing availability of personal activity monitors, tracking devices, wearable recording devices, and associated smartphone apps has given rise to a wave of Quantified Self individuals and applications. The data from these apps and sensors are usually collected by associated apps and uploaded to the software developers for feedback to the individual and their selected partners. In this paper we highlight the privacy risks associated with this practice, demonstrating the ease with which an app provider can infer individuals' co-location and joint activities without having access to specific location data. We highlight a number of potential solutions to this challenge in order to minimise the privacy leakage from these applications.

http://www.eecs.qmul.ac.uk/~hamed/papers/qselfprivacy2014.pdf

Friday, January 24, 2014

The Rise of Panopticons: Examining Region-Specific Third-Party Web Tracking


Today’s web has a huge, diverse ecosystem of third party websites collecting information about users and providing them with content such as targeted advertisements. In this paper we study this ecosystem of third-party websites. We sample every continent, targeting the 500 most popular websites in the US, UK, Australia, China, Egypt, Iran and Syria. This allows us to contrast the commonplace, western-dominated views of the web with less studied countries. We find 2,097 third-party websites, reflecting the diversity of services and types of application/content they involve, e.g., advertisement, ad trackers, CDNs, news, sport, and pornography. We find those third-party websites offering ad tracking services to be the most prevalent. In addition to the usual suspects (e.g., DoubleClick and Google), we find a rich ecosystem of local third-party websites that are country and language dependent.

Marjan Falahrastegar, Hamed Haddadi, Steve Uhlig, and Richard Mortier, “The Rise of Panopticons: Examining Region-Specific Third-Party Web Tracking”, In Sixth Workshop on Traffic Monitoring and Analysis (TMA), London, UK, April 2014. 

Sunday, December 29, 2013

Promoted tweets versus promoted trends

Advertising on Twitter? There are a number of factors to consider: use of hashtags, use of keywords, target audience and locations. But choosing the type of advert is also important: promoted tweets, or promoted trends? Our research shows that promoted trends lead to a higher number of tweets, while promoted tweets lead to higher user engagement, which may be the ultimate measure of success. For a use-case study, see:


Shana Dacres, Hamed Haddadi, Matthew Purver, “Topic and Sentiment Analysis on OSNs: a Case Study of Advertising Strategies on Twitter”, arXiv, December 2013 (PDF)


Meeyoung Cha, Hamed Haddadi, Fabricio Benevenuto, Krishna Gummadi, "Measuring User Influence in Twitter: The Million Follower Fallacy", in ICWSM 2010, 4th Int'l AAAI Conference on Weblogs and Social Media, May 23-26, 2010, George Washington University, Washington, DC (paper) (NYTimes coverage ) (Harvard Business Review coverage ) (Media coverage)

Saturday, October 5, 2013

Human-Data Interaction

I have been thinking about this concept a lot recently... just to clarify, this is NOT a new discipline or field; it is basically an interest group, and a way of thinking about the aggregate effect of user profiling, advertising, interfaces, HCI, privacy, and the way users' behaviour may change due to changes in these areas, rather similar to the way the Quantified Self movement is shaping up: an interest group of inter-disciplinary researchers.

This all started after a casual talk and meeting with Mort in Nottingham, then filtering the ideas through Jon, Mac and Tristan, which resulted in a draft of our thoughts for the UK Digital Economy all-hands meeting:

Richard Mortier, Hamed Haddadi, Tristan Henderson, Derek McAuley, and Jon Crowcroft, "Challenges & Opportunities in Human-Data Interaction", DE2013: Open Digital, November 2013, MediaCityUK, Salford, UK. (PDF)


On 4th October 2013 we held the first EPSRC/ITaaU workshop on HDI, which brought together a large number of top-notch industry and academic researchers across law, privacy, HCI, economics, computer science, engineering, geography, and the financial sector. You may enjoy reading the detailed liveblog by the Cambridge guys. The participants all took part in a range of activities and are interested in officially forming an interest group, so watch this space for more news!

Tuesday, June 4, 2013

Individuals' perception of the value of privacy: a contextual experiment.

There are a large number of studies surveying individuals about the value of their personal information. These are particularly motivated by the claims of big cloud providers, good or bad, that individuals can't evaluate their personal information, so it must be free!

We recently did a survey using Android apps, asking individuals to let us know twice a day what they are doing, who they are with, and how much this information is worth to them. However, we divided the individuals into 4 groups, with different buying and selling criteria.

In brief, the results show that individuals CAN evaluate the value of their personal info, and these values are in agreement with the findings of others (see Vijay Erramilli's paper in WWW'13, for example, or Bernardo Huberman's information market paper).

The paper is published at the ACM SIGCOMM HotPlanet 2013 workshop. You can read it here:

Bernadette Kamleitner, Stephan Dickert, Marjan Falahrastegar, Hamed Haddadi, “Information Bazaar: a Contextual Evaluation”, 5th ACM HotPlanet workshop, co-located with SIGCOMM 2013, August 2013, HongKong.