“You received $100,000 from Johnny”: A Mixed-Methods Study on Push Notification Security and Privacy in Android Apps
- Push notifications are widely used in Android apps to show users timely and potentially sensitive information outside the apps’ regular user interface. Google’s default service for sending push notifications, Firebase Cloud Messaging (FCM), provides only transport layer security and does not offer app developers message protection schemes to prevent access or detect modifications by the push notification service provider or other intermediate systems.We present and discuss an in-depth mixed-methods study of push notification message security and privacy in Android apps. We statically analyze a representative set of 100,000 up-to-date and popular Android apps from Google Play to get an overview of push notification usage in the wild. In an in-depth follow-up analysis of 60 apps, we gain detailed insights into the leaked content and what some developers do to protect the messages. We find that (a) about half of the analyzed apps use push notifications, (b) about half of the in-depth analyzed messaging apps do not protect their push notifications, allowing access to sensitive data that jeopardizes users’ security and privacy and (c) the means of protection lack a standardized approach, manifesting in various developer-defined encryption schemes, custom protocols, or out-of-band communication methods. Our research highlights gaps in developer-centric security regarding appropriate technologies and supporting measures that researchers and platform providers should address.
Document Type: | Article |
---|---|
Language: | English |
Author: | Thomas Neteler, Sascha Fahl, Luigi Lo Iacono |
Parent Title (English): | IEEE Access |
Volume: | 12 |
First Page: | 112499 |
Last Page: | 112516 |
ISSN: | 2169-3536 |
URN: | urn:nbn:de:hbz:1044-opus-85473 |
DOI: | https://doi.org/10.1109/ACCESS.2024.3439095 |
Publisher: | IEEE |
Publishing Institution: | Hochschule Bonn-Rhein-Sieg |
Date of first publication: | 2024/08/05 |
Copyright: | 2024 The Authors. This work is licensed under a Creative Commons Attribution 4.0 License. |
Keyword: | FCM; Push notifications; android; end-to-end security; intermediate systems |
Departments, institutes and facilities: | Fachbereich Informatik |
Institut für Cyber Security & Privacy (ICSP) | |
Dewey Decimal Classification (DDC): | 0 Informatik, Informationswissenschaft, allgemeine Werke / 00 Informatik, Wissen, Systeme / 005 Computerprogrammierung, Programme, Daten |
Open access funding: | Hochschule Bonn-Rhein-Sieg / Publikationsfonds / Förderung durch den Publikationsfonds der H-BRS |
Deutsche Forschungsgemeinschaft / DFG Förderung Open Access Publikationskosten 2023 - 2025 | |
Entry in this database: | 2024/08/20 |
Licence (German): | Creative Commons - CC BY - Namensnennung 4.0 International |