1 Introduction

The technology of mobile phones has advanced dramatically over the last decade, in both hardware and software. The performance of their hardware is now almost comparable with that of portable computers. For example, the Samsung Galaxy S3, manufactured in 2012, contains a 1.5 GHz dual-core processor and 2 GB of RAM, along with various high-end sensor gadgets such as GPS, a gyroscope, and an accelerometer. With these advancements in hardware, smartphones are now able to perform numerous intelligent functions, for example automatically adjusting the brightness of the display according to the illumination value. Great advancements have also been made in software. The main role here was played by major OS manufacturers such as Google, Apple, and Symbian, which have released open SDKs and created official markets for smartphone applications. With the creation and subsequent growth of such application markets, many developers now spend their time and money inventing new smartphone applications, bringing ever more intelligent applications to smartphone users. Thanks to all these technological advancements in hardware and software, mobile phones have now evolved into smartphones.

However, some types of these intelligent applications require internet connections to identify users and store their information in web storage. Some other types of applications also need internet connections for downloading real-time information like real-time traffic information. In gaining such internet connections, many users avoid using mobile networks because they cost them money, and instead use free Wi-Fi, sometimes even if the access points for Wi-Fi are unknown.

However, connecting a smartphone to an unknown access point can be very dangerous, because wireless communication, which transmits information over the air, is more vulnerable to external intervention than wired communication, which transmits information through cables. This means that malicious users can more easily eavesdrop on conversations or intercept messages by installing rogue access points.

Today, a smartphone has become a necessity for many of us: we need it to wake up in the morning, check schedules or emails, save memos, and communicate with colleagues through social applications. Because of these broad everyday uses, many smartphone users knowingly and unknowingly save much of their personal information, such as e-mail passwords, schedules, business documents, and personal photographs, in their smartphones, making them an easy target for those with malicious intentions. The security of smartphones is now in more danger than ever before, although most people remain unaware of the danger.

In this paper, we seek to show the risk of using unknown Wi-Fi access points. To this end, we demonstrate man-in-the-middle (MITM) attacks and show that a benign application can import and display injected HTML documents. To aid understanding, we briefly describe the security model of the smartphone. Smartphone OSs are not all the same, so we focus on the Android OS because we believe it is more open and thus more vulnerable. The security model of the Android OS has three security holes: (1) the Android OS leaves a large share of the responsibility for security to uninformed users, (2) the permission-based security model is vulnerable to privilege escalation attacks, and (3) the permission-based security model cannot cover application-level vulnerabilities.

The rest of this paper is organized as follows. Section 2 describes the role of the smartphone in the ubiquitous computing environment. We readily think of smart devices such as the smartphone and the tablet PC when we imagine the vision of ubiquitous computing. Section 3 presents the security model of the Android OS and its vulnerabilities. Section 4 shows the results of the MITM attack demonstration. Finally, Sect. 5 concludes the work.

2 Smartphone in ubiquitous computing

Smartphones have become very important devices in ubiquitous computing. In this section, we describe the definition and core requirements of ubiquitous computing and the roles of the smartphone in it.

2.1 Definition of ubiquitous computing

The word “ubiquitous” derives from the Latin word ubique, which means “present everywhere at the same time.” Ubiquitous computing (UbiComp) denotes environments in which people have access to information and communication technology (ICT) systems at any time and anywhere. In other words, a ubiquitous system allows people to surround themselves with computing devices that understand and support their life cycles. The term ubiquitous computing, first used in 1991 by Mark Weiser in his journal [1], has been redefined by various researchers and institutes [15]. Mark Weiser first defined UbiComp as the actualization of “virtual reality” by using invisible computing. Friedemann Mattern [2] now redefines it as the comprehensive computerization and interconnection of everyday objects. Yvonne Rogers [3] proposes a new definition of the term: changing the role of users from calming people to engaging people in the UbiComp environment.

Mark Weiser’s vision of UbiComp is composed of three devices, as described in Table 1. The devices are classified according to the size of their display. A tab, which is about the size of an ID card, is the smallest device, and a board, which is about a yard in size, is the biggest one, with the pad between them. The tab is designed as a wearable device and is mainly used for personal functions such as a calendar and a diary. The pad is a hand-held device intended to replace paper. Users can easily read, write, and clip information using pads. The pad is also the main interface for handling UbiComp. Boards are used for playing video or sharing information between co-workers.

Table 1 The smart device: tab, pad, and board

Nowadays, we readily associate the smartphone and the tablet PC with the tab and the pad. This means that UbiComp has already been partly realized, and the rest may be fulfilled soon.

2.2 Core requirements of ubiquitous computing

The following are the core requirements of UbiComp that distinguish it from distributed computing: context-aware computing, ambient and ubiquitous intelligence, and recording, tracking and monitoring [3, 6, 7]. The most important characteristic of UbiComp is context-aware computing. Service providers expect UbiComp to provide suitable services to a suitable person at the proper moment without user intervention. For this, UbiComp requires the computing ability to understand personal and environmental context information. To collect context information, sensor devices that gather it and transfer it to a base station are deployed in the UbiComp field. We call this computing environment context-aware computing. Context-aware computing is used to infer the situation and decide the next operation. This process is important because, if the inference result does not match the user’s actual expectations, UbiComp will lose the user’s trust. This is a difficult part of research on context-aware computing.

The second core requirement is ambient and ubiquitous intelligence. Sometimes a more accurate interface is necessary in UbiComp. For example, when the user wants to adjust the audio volume or change the TV channel, he needs accurate interfaces for communicating with the UbiComp system. Speech recognition and gesture recognition technologies are often used in this area. However, the error rate is still high, and technical research is therefore needed to improve accuracy.

The remaining requirements are recording, tracking and monitoring. These requirements are adopted to develop human-assistive applications through sensing and alerting [3]. UbiComp has sufficient information for tracking and monitoring human resources because the sensor devices of context-aware computing periodically report personal and environmental contexts to it. If UbiComp tracks and monitors vulnerable people such as the elderly and the physically and mentally disabled, it can respond to emergency situations. However, it has the following problems. First, it is difficult to record, track, and monitor all of the transactions that occur in UbiComp because of their massive number. UbiComp is composed of many sensor devices that collect context information or wait for user input, so a massive number of transactions occur in a short time. Second, recording, tracking, and monitoring personal information conflict with the protection of personal information.

2.3 Smartphone in ubiquitous computing

Over the last decade, the mobile phone has made remarkable advancements in both hardware and software. The mobile phone, now also called a smartphone, is equipped with a high-speed multi-core processor and gigabytes of storage, far beyond those of past feature phones. Furthermore, the smartphone has various built-in sensor gadgets such as GPS, an accelerometer, and a gyroscope. As a result, the smartphone has become intelligent and user-friendly enough to support our lives, just as the vision of UbiComp anticipated. Table 2 shows the specification of the Samsung Galaxy S3.

Table 2 The specification of Samsung Galaxy S3

There have also been great advancements in software technology. Smartphone OS manufacturers such as Google, Apple, and Symbian release SDKs for developing smartphone applications. They also create official markets for application deployment. With the growth of these markets, many developers are now motivated to invent new smartphone applications, producing a large number of useful applications that react to context by means of the multiple sensors built into the smartphone. According to the Android official blog, Google Play has reached 25 billion downloads and 675,000 total apps [8].

The evolution of the smartphone has greatly changed our lifestyle. From a morning call service to a remote vehicle control service, the smartphone offers various services to the user [9]. The smartphone already plays roles similar to those of the tab and the pad as envisioned by Weiser. People carry their smartphones at any time and everywhere, like wearable devices, and the smartphone performs most personal tasks such as scheduling, checking e-mail, and sharing files. In this it is similar to the tab in Weiser’s vision. The size of the smartphone is also similar to that of the pad. Moreover, the user writes notes on and clips information to his smartphone. All these technological advances are a realization of Weiser’s vision [10].

Furthermore, we expect the smartphone to become the most important equipment in UbiComp. The smartphone can be used for satisfying the core requirements of UbiComp. The smartphone can collect context information and transfer collected information to the base station through wireless communication. And also, the smartphone can be used for human interfaces. Lastly, the smartphone can be utilized as an identification of its owner by using universal subscriber identity module (USIM) information.

The smartphone can play the role of the deployed sensor devices in context-aware computing. A context-aware system needs wireless sensor networks for collecting context information. Thus, large numbers of sensor devices are deployed in UbiComp to continuously collect context information, such as personal and environmental context, and transfer it to the base station. However, it is highly costly to construct these sensor networks. Moreover, these sensor devices have limited energy, so they cannot operate permanently. Most of these problems can be solved by using the smartphone. People always carry their smartphones, which contain various built-in sensors, with them. All smartphones have wireless network interfaces, so the smartphone can easily transfer messages to the base station. Since the smartphone is fully charged on a daily basis, users need not fear an energy shortage. As a result, the smartphone can play the role of the deployed sensor devices in the UbiComp field. Andrew et al. [11] and Tor-Morten et al. [12] show several examples of sensing applications for cognitive phones.

The next topic is the suitability of smartphones for Human–Computer interfaces. The smartphone has various interfaces for interactive functions, such as a camera, a touch panel, a gyroscope, and up-down buttons. Various technologies are already used for interaction between humans and devices in the smartphone. For example, the smartphone can adjust the brightness of the screen automatically by recognizing the user’s eye, and the scrolling of the web browser is controlled just by tilting the device. Rafael et al. [13] and George et al. [14] suggest that the smartphone can be used as an input device in UbiComp. Following them, we expect that interaction between humans and UbiComp using the smartphone is possible.

The last core requirements of UbiComp are recording, tracking and monitoring people. Using the smartphone can reduce the cost of identifying and tracking the user. Generally, the smartphone has a USIM card with a unique serial number, which is issued by the mobile network provider to identify the owner. Thus, if UbiComp can read the USIM information, it will be able to easily track and monitor human resources.

Figure 1 illustrates the abstract roles of the smartphone and its interactions with the UbiComp environment. The smartphone has resources such as privacy information (e.g., schedule, contacts, etc.), built-in sensor devices (e.g., GPS module, gyroscope, accelerometer, etc.), and applications for UbiComp that are optionally installed with the permission of the user. The solid line denotes interaction between the human and the computer, and the dotted line denotes machine-to-machine interaction. The Context-aware Computing component requires personal and environmental context information, so it communicates with optional applications to receive personal context. Every component of UbiComp interacts with the built-in sensors of the smartphone to collect context information. The Context-aware Computing component and the Ambient and Ubiquitous computing component have direct access to the sensor devices. These components receive raw data from the smartphone and process them according to their function. On the other hand, the Recording, Tracking and Monitoring component communicates with optional applications because it requires refined data.

Fig. 1 The abstract roles of the smartphone and its interactions with UbiComp environments

3 Threats of the compromised access points

In this section, we describe the security model of the smartphone through the Android platform and critical security threats posed by the MITM attack, which can occur from compromised AP connections.

3.1 Security model of smartphone

The smartphone has a dual- or quad-core processor and gigabytes of memory and storage. Whenever and wherever users desire, they can connect to the Internet using mobile networks or Wi-Fi networks, and the smartphone can access user information stored in the device or on the web. Although the functional aspects of the smartphone have grown significantly, its security technology still falls short of the expectations of many. Smartphone OSs differ slightly from each other, and we focus on the Android OS because it is more open and thus more vulnerable to external invasion. In this subsection, we describe security flaws of the Android OS.

Basically, all applications run within their own sandbox, and no application can escape this sandbox. However, these restrictions are so strong that they cut off most of the functionality of a smartphone application. So, the Android platform allows use of an API depending on the application permissions approved by the user [15]. Every Android application declares its permissions, which are approved at install time, in its own AndroidManifest.xml file. These permissions never change until the application is re-installed. Figure 2 shows example code from the AndroidManifest.xml file of Test Application 1 [34]. The permissions are defined separately for each API that is at risk of being exploited. The permission “INTERNET” in Fig. 2 is necessary for connecting to the Internet. The Android OS verifies a permission only when the user application calls an API that is at risk of being exploited. In other words, if an application does not call any socket-related API, the Android OS will never check the permission “INTERNET.”

Fig. 2 An example code of permissions that is stored in AndroidManifest.xml file

The permission-based security model of the Android OS has the following security holes. First, the Android OS leaves a large share of the responsibility for security to uninformed users [16–19]. Most users do not understand the risk of approving permissions for applications. Furthermore, the user has only two choices: giving approval or not. As a result of this permission policy, the user pays little attention to the permission-granting process. Second, the permission-based security model is vulnerable to privilege escalation attacks [20, 21]. Multiple applications can divide roles among themselves to achieve their purpose. For example, malicious application A has permission to access sensitive internal data such as the contacts, but it does not have permission to send messages through the Internet. Malicious application B does not have permission to access sensitive internal data, but it has the Internet permission. In this case, malicious application A transmits the contacts to malicious application B over an internal communication path, and malicious application B leaks the contacts through the Internet [22]. Last, the permission-based security model is only able to cover low-level behaviors that are related to API calls. If an Android application has an application-level vulnerability, the Android OS will not be able to protect it. We focus on this security hole. In the next section, we demonstrate the MITM attack by using this application-level vulnerability.

3.2 Threats of the compromised access points

With the growth of wireless networks, the wireless network interface has become one of the most basic parts of a portable computing device. Some research predicts that wireless communications will exceed wired communications by 2015. Wireless communication technology has thus become the most important means of connecting smart devices. The growth of wireless communication contributes to realizing UbiComp and popularizing the smartphone. However, security threats lie hidden behind the rapid growth of wireless communication.

We can easily see that more wireless APs are installed in a small area than are needed. Figure 3 shows a map of the density of APs in Chicago. We obtained this map from the wireless geographic logging engine (WIGLE) project, a dataset that collects wireless hotspots around the world [23, 24]. Wireless APs are distributed so densely in Chicago that the map is difficult to read. According to the WIGLE project, about 5 million APs exist in California, the region of the United States where the most APs are installed. The density of wireless APs is very high considering that each AP can support a range of up to 150 feet indoors and 300 feet outdoors. Table 3 shows regions and their numbers of wireless APs. We are surrounded by many wireless APs; it looks like a spider web made of wireless networks. In fact, not all of the APs found by our devices are benign. When you indiscriminately try to connect to an unknown AP, you and your device will be in danger.

Fig. 3 The map of wireless APs in Chicago

Table 3 Number of wireless APs located in the United States in Sep 2013

In the wired network, the MITM attack is a very difficult attack technique [25]. It is impossible for an adversary to physically break in between an end-user and the ISP. Thus, an adversary uses domain name system (DNS) cache poisoning to change the direction of traffic flows [26], as in Fig. 4a. However, in the wireless network, an adversary can easily break in between an end-user and the ISP [27–31], as in Fig. 4b, because messages are transmitted over the air. Thus, wireless networks are more vulnerable than wired networks.

Fig. 4 MITM attack patterns in (a) wired and (b) wireless communication environment

Generally, the smartphone user wants his smartphone to be always connected to the Internet because the applications installed on it usually require an Internet connection for uploading or downloading real-time information. Thus, the smartphone user often searches for open wireless networks. Therefore, if an adversary installs an open AP, he can easily connect to victims. The ways of installing an AP for the MITM attack can be divided into two major types. First, an adversary installs a compromised AP in a public place such as an airport, a bank, or a coffee shop [31]. An adversary can easily catch victims in these places because the probability of using the smartphone increases when people stay in one place for a long time. The second method is to use a rogue AP [27, 28]. A rogue AP is installed outside the range of a benign AP and masquerades as that benign AP. An end-user is easily deceived because the rogue AP uses the SSID of the benign AP.

In particular, smartphone users need to pay more attention to these unknown APs because the smartphone has become the critical point of the user’s information security. Generally, all of the user’s information is held in his smartphone, from private photographs to business documents. Thus, if the smartphone is compromised by an adversary, the user will suffer irreparable social or financial damage.

4 Demonstrations

To show the risk of unknown APs, we demonstrate the MITM attack by using a compromised AP. We show that an adversary can easily intercept your messages and inject modified messages into the communication between your handset and the service provider. In this section, we describe our demonstration environment and procedure. We then explain the results of our penetration test.

4.1 Testbed for the MITM attack

We use five devices for the demonstration: two Samsung Galaxy S3s, which are the Android handsets for running applications; a laptop, which serves as the compromised AP; an Iptimes N40006R, which is the benign wireless AP; and a server for the MITM attack. The basic architecture of our testbed is shown in Fig. 5. The two Android handsets each connect to an AP through a Wireless Local Area Network based on IEEE 802.11. Android handset 1 is connected to the benign AP, and the other handset is connected to the compromised AP. Each AP and the spoofing server, which serves as both the DNS spoofing server and the web proxy server, connect to the Internet through the same gateway. We set the DNS configuration of the compromised AP to point to the spoofing server for DNS spoofing. An adversary is able to capture every packet that passes through the compromised AP and divert some packets by using DNS spoofing.

Fig. 5 Architecture of our testbed

Table 4 shows the tools and software used in our demonstrations. We use the top five applications registered in “Top New Free Games” of Google Play. These applications import pop-up advertisements for event notifications and commercial advertisements from their web servers. Wireshark and Connectify Hotspot are installed on the laptop. Wireshark is used to analyze packets to find vulnerabilities in the communication process. Connectify Hotspot is used to set up the laptop as a Wi-Fi AP. Apache2 and Bind are installed on the desktop. Apache2 is used to reply to HTTP requests, and Bind is used to deceive Android handset 2.

Table 4 The tools and software used in our demonstrations

4.2 Preliminaries

We obtained the abstract operations of Android applications by analyzing the traffic of the applications, as shown in Fig. 6. Generally, applications communicate with more than one server. The first is a data server. The data server checks application suitability, such as user authentication, application version and integrity, and so on. If the application fails the suitability test or cannot access the data server, it is immediately terminated. The second server is an advertisement server, which is optional. The advertisement server provides the HTML files and image files of event notifications and commercial advertisements via HTTP. Unlike the connection to the data server, the connection to the advertisement server does not affect the launch of the application. We masquerade as the advertisement server for the MITM attack.

Fig. 6 Abstract operation process of the application which imports pop-up advertisement

Figure 7 shows the MITM attack progress, which consists of passive attack phase and active attack phase.

Fig. 7 Man-in-the-Middle attack progress

In the passive attack phase, an adversary confirms the existence of the advertisement server and learns the communication process between the application and the advertisement server. An adversary monitors the DNS queries and responses and intercepts the packets between the application and the advertisement server by using the compromised AP. He can easily figure out the IP address and domain name of the advertisement server from the HTML documents and image files extracted through Wireshark. Figure 8 shows an example of the passive attack phase. After receiving a DNS response, Android handset 2 immediately requests the HTML document from androweb.cafe24.com. This HTML document contains the URL of the pop-up advertisement.

Fig. 8 An example of passive attack phase

In the active attack phase, an adversary puts the modified HTML documents on the specific path obtained in the previous phase. Then he sets up the DNS configuration to divert the HTTP request messages to the spoofing server. The code in Fig. 9 is an example of code inserted in named.conf, the configuration file of named, which is the DNS server that is part of the BIND9 distribution.

Fig. 9 An example of inserted code in named.conf

4.3 Man-in-the-middle attack progress

Figure 10 shows the MITM attack process. When a target application is launched on Android handset 2, it checks the status of its connection to the Internet and requests the IP address of the data server. The DNS query of Android handset 2 is delivered to the spoofing server through the compromised AP. The spoofing server returns the correct IP address of the data server so that the target application launches normally. Next, Android handset 2 communicates with the data server for the application-specific launching process. Generally, these communications are protected by SSL. If the target application is launched successfully, it requests the IP address of the advertisement server. In this case, however, the spoofing server returns its own IP address in order to inject modified messages. As a result, the target application requests HTML documents and image files from the spoofing server and displays incorrect advertisements that have been modified by an adversary.

Fig. 10 An example of the MITM attack process
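From the defender's side, the selective diversion described above leaves a recognisable trace: the resolver supplied by the AP answers honestly for one name and returns its own address for another. The following is an added example, not code from the paper; the host names, addresses and the `Lookup` record are constructed, and the reference answers are assumed to come from a resolver reached over a path that does not depend on the AP.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Added example: flags DNS answers that match the diversion described in Sect. 4.3. */
public class DnsAnswerCheck {

    /** One lookup: answers from the AP-supplied resolver and from a trusted reference. */
    static final class Lookup {
        final String name;
        final String resolver;        // DNS server address handed out by the AP
        final Set<String> observed;   // A records that resolver returned
        final Set<String> reference;  // A records from the trusted resolver (assumed available)

        Lookup(String name, String resolver, String[] observed, String[] reference) {
            this.name = name;
            this.resolver = resolver;
            this.observed = new HashSet<>(Arrays.asList(observed));
            this.reference = new HashSet<>(Arrays.asList(reference));
        }
    }

    /** Returns the reasons a lookup is suspicious; an empty list means nothing was flagged. */
    static List<String> reasons(Lookup l) throws UnknownHostException {
        List<String> out = new ArrayList<>();
        // getByName only parses IP literals; no network lookup is performed here.
        InetAddress resolver = InetAddress.getByName(l.resolver);
        for (String ip : l.observed) {
            InetAddress a = InetAddress.getByName(ip);
            if (a.equals(resolver)) {
                // The exact behaviour in Sect. 4.3: the DNS server names itself as the host.
                out.add(ip + ": answer is the resolver's own address");
            } else if (a.isSiteLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()) {
                // Assumes the queried name is a public Internet host.
                out.add(ip + ": public name resolved to a private address");
            }
        }
        Set<String> common = new HashSet<>(l.observed);
        common.retainAll(l.reference);
        if (!l.reference.isEmpty() && common.isEmpty()) {
            // Weak signal on its own: CDNs and geo-DNS also return differing answers.
            out.add("no overlap with reference answers " + l.reference);
        }
        return out;
    }

    public static void main(String[] args) throws UnknownHostException {
        String resolver = "192.168.0.10"; // constructed address of the AP-supplied resolver
        Lookup[] lookups = {
            // Constructed data: the data server is answered honestly ...
            new Lookup("data.example.com", resolver,
                    new String[] {"203.0.113.10"}, new String[] {"203.0.113.10"}),
            // ... while the advertisement host is pointed at the resolver itself.
            new Lookup("ads.example.com", resolver,
                    new String[] {"192.168.0.10"}, new String[] {"198.51.100.20"}),
        };
        for (Lookup l : lookups) {
            List<String> r = reasons(l);
            System.out.println(l.name + " -> " + (r.isEmpty() ? "ok" : "SUSPICIOUS " + r));
        }
    }
}
```

On the constructed data the first lookup is reported as ok and the second is flagged for both the self-referencing answer and the mismatch with the reference.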

4.4 The results of man-in-the-middle attack

As mentioned above, we target the top five applications registered in “Top New Free Games” of Google Play.

Figure 11 presents screenshots of the target application’s pop-up advertisement: image (a) is a view of the normal case, image (b) is a view of the abnormal case in which the target application imports the modified HTML document, and image (c) is the screen shown when the link contained in the modified HTML document has been executed in the target application. In many cases, Android applications use simple objects such as WebView for pop-up advertisements. As a result, an adversary can easily insert links to other URLs into the modified HTML document. Figure 12 shows part of the code of the original HTML document of the target application and of the link-embedded HTML document that we made.

Fig. 11 Captured images of the target application’s pop-up advertisement

Fig. 12 An example code of the (a) original HTML document and (b) link-embedded HTML document

Figure 13 shows the results of our MITM attack demonstration. We inserted “Modified advertisement” into all the images and added the link of the injected HTML document to the original HTML document. We succeeded in displaying the modified advertisement page to the user through all of the benign applications. The link that we injected also works properly in all of the test applications.

Fig. 13 The results of demonstration of the test application 1–4

Figure 14 shows the partial code for generating the pop-up advertisement of Test application 1. WebView is an Android API for simply displaying online content within applications [40]. By using the loadUrl method of the WebView class, a developer can easily handle online content. However, as our demonstration shows, objects such as WebView are in danger of being misused. If the developer blocks the execution of embedded links, the threat of these attacks can be significantly reduced.

Fig. 14 The partial code for generating pop-up advertisement by using WebView class

Spear phishing is more effective because the phishing messages are customized for the victims [34]. A customized message, which contains trustworthy information such as the victim’s nickname, is easier to believe. Thus, the threat of the MITM attack is more critical when it is combined with social engineering to customize the injected advertisement. Who would not click when the phrase “Only one chance! Click and Receive Gift” is inserted in the pop-up advertisement of a well-known application?

The MITM attack should be mitigated as follows: (1) the smartphone user avoids connecting to unknown APs and (2) pays attention to pop-up advertisements, even when they are pop-up messages of a well-known application; (3) the application developer avoids using vulnerable APIs and (4) must use a mutual authentication process and a secure protocol such as SSL [33] when an application communicates with external devices.
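One way a developer could apply mitigations (3) and (4) to a WebView-based advertisement pop-up is sketched below as an added example; it is not the code of Test application 1 or of Fig. 14. The host name `ads.example.com`, the URL path and the class name are placeholders, and the sketch relies on TLS server authentication only, which is weaker than the mutual authentication the paper recommends.

```java
import android.app.Activity;
import android.net.Uri;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;

/** Added example: an advertisement pop-up that only loads HTTPS content from one host. */
public class AdPopupActivity extends Activity {
    // Placeholder host and path; substitute the application's own advertisement server.
    private static final String AD_HOST = "ads.example.com";
    private static final String AD_URL = "https://" + AD_HOST + "/popup.html";

    /** True only for HTTPS URLs on the expected advertisement host. */
    static boolean isTrusted(Uri uri) {
        return uri != null
                && "https".equalsIgnoreCase(uri.getScheme())
                && AD_HOST.equalsIgnoreCase(uri.getHost());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);

        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false); // a static advertisement needs no script
        settings.setAllowFileAccess(false);
        // Refuse HTTP sub-resources inside an HTTPS page (API level 21+).
        settings.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // API level 24+. Returning true aborts the navigation, so a link embedded
                // in an injected document cannot take the pop-up to another site.
                return !isTrusted(request.getUrl());
            }

            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view,
                                                              WebResourceRequest request) {
                if (isTrusted(request.getUrl())) {
                    return null; // let WebView fetch it normally
                }
                // Serve an empty body for images or frames from any other origin.
                return new WebResourceResponse("text/plain", "utf-8",
                        new ByteArrayInputStream(new byte[0]));
            }

            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler,
                                           SslError error) {
                // Never call handler.proceed(): a spoofing server cannot present a valid
                // certificate for AD_HOST, so the load must fail here.
                handler.cancel();
            }
        });

        setContentView(webView);
        webView.loadUrl(AD_URL);
    }
}
```

Because the page is fetched over HTTPS with certificate validation, a DNS answer that points the advertisement host at another machine leads to a failed load rather than a displayed document.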

5 Conclusions

We have described the roles and potential of the smartphone in UbiComp environments. The smartphone has developed remarkably, enough to satisfy the core requirements of UbiComp: context-aware computing, ambient and ubiquitous intelligence, and recording, tracking and monitoring environments. However, the growth of smartphones is sufficient to attract the attention of adversaries. Moreover, the security model of the Android platform has security vulnerabilities such as the following: (1) the Android OS leaves a large share of the responsibility for security to uninformed users, (2) the permission-based security model is vulnerable to privilege escalation attacks, and (3) the permission-based security model is not able to cover application-level vulnerabilities. In this paper, we reveal the risk of using unknown APs by means of a demonstration. The testbed is composed of five devices: two Android handsets, one laptop, one desktop, and one wireless AP. The Android handsets are used for running applications. The laptop plays the role of the compromised AP; we change its DNS information. The desktop is used for DNS spoofing and as the web server. We can intercept and inject packets that pass through the laptop. We divert some packets to the desktop by using DNS spoofing. As a result, the test applications launched on handset 2 display abnormal advertisements. We show that a benign application running on an uncompromised device can be exploited just by connecting to the compromised AP. To mitigate this MITM attack, the developer must use a mutual authentication process when an application communicates with external devices.

In future work, we will continue to research the MITM attack against protected sessions such as SSL/TLS. Many user applications delegate security functions to SSL APIs. However, vulnerabilities in such applications have been reported in the research of Georgiev et al. [32]. For the development of smartphone security, we will continue to study the vulnerabilities of the smartphone platform and how to resolve these threats.