Popular mobile apps use push notifications extensively to offer an "always connected" experience to their users. Social networking apps use them as a real-time channel to notify users about new private messages or new social interactions (e.g., friendship request, tagging, etc.). Despite the cryptography used to protect these communication channels, the strict temporal binding between the actions that trigger the notifications and the reception of the notification messages in the mobile device may represent a privacy issue. In this work, we present the push notification attack designed to bind the physical owners of mobile devices with their virtual identities, even if pseudonyms are used. In an online attack, an active attacker triggers a push notification and captures the notification packets that transit in the network. In an offline attack, a passive attacker correlates the social network activity of a user with the received push notification. The push notification attack bypasses the standard ways of protecting user privacy based on the network layer by operating at the application level. It requires no additional software on the victim's mobile device.

Loreti, P., Bracciale, L., Caponi, A. (2018). Push attack: Binding virtual and real identities using mobile push notifications. FUTURE INTERNET, 10(2), 13 [10.3390/fi10020013].

Push attack: Binding virtual and real identities using mobile push notifications

Loreti P.
;
Bracciale L.;Caponi A.
2018-01-01

Abstract

Popular mobile apps use push notifications extensively to offer an "always connected" experience to their users. Social networking apps use them as a real-time channel to notify users about new private messages or new social interactions (e.g., friendship request, tagging, etc.). Despite the cryptography used to protect these communication channels, the strict temporal binding between the actions that trigger the notifications and the reception of the notification messages in the mobile device may represent a privacy issue. In this work, we present the push notification attack designed to bind the physical owners of mobile devices with their virtual identities, even if pseudonyms are used. In an online attack, an active attacker triggers a push notification and captures the notification packets that transit in the network. In an offline attack, a passive attacker correlates the social network activity of a user with the received push notification. The push notification attack bypasses the standard ways of protecting user privacy based on the network layer by operating at the application level. It requires no additional software on the victim's mobile device.
2018
Pubblicato
Rilevanza internazionale
Articolo
Esperti anonimi
Settore ING-INF/03 - TELECOMUNICAZIONI
English
online social network; push notification; privacy
Loreti, P., Bracciale, L., Caponi, A. (2018). Push attack: Binding virtual and real identities using mobile push notifications. FUTURE INTERNET, 10(2), 13 [10.3390/fi10020013].
Loreti, P; Bracciale, L; Caponi, A
Articolo su rivista
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/2108/200557
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 11
  • ???jsp.display-item.citation.isi??? 8
social impact