Understanding Android VoIP security: A system-level vulnerability assessment

VoIP is a class of new technologies that deliver voice calls over the packet-switched networks, which surpasses the legacy circuit-switched telecom telephony. Android provides the native support of VoIP, including the recent VoLTE and VoWiFi standards. While prior works have analyzed the weaknesses...

Bibliographic Details
Main Authors: HE, En, WU, Daoyuan, DENG, Robert H.
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2020
Subjects:
Online Access: https://ink.library.smu.edu.sg/sis_research/5924
https://ink.library.smu.edu.sg/context/sis_research/article/6927/viewcontent/UnderstandingAndroidVoIPSecurity_av.pdf
Institution: Singapore Management University
id sg-smu-ink.sis_research-6927
record_format dspace
spelling sg-smu-ink.sis_research-6927
2021-05-11T06:18:41Z
Understanding Android VoIP security: A system-level vulnerability assessment
HE, En
WU, Daoyuan
DENG, Robert H.
VoIP is a class of new technologies that deliver voice calls over the packet-switched networks, which surpasses the legacy circuit-switched telecom telephony. Android provides the native support of VoIP, including the recent VoLTE and VoWiFi standards. While prior works have analyzed the weaknesses of VoIP network infrastructure and the privacy concerns of third-party VoIP apps, no efforts were attempted to investigate the (in)security of Android’s VoIP integration at the system level. In this paper, we first demystify Android VoIP’s protocol stack and all its four attack surfaces. We then propose a novel vulnerability assessment approach that assembles on-device Intent/API fuzzing, network-side packet fuzzing, and targeted code auditing. By testing Android from version 7.0 to the recent 9.0, we have discovered 8 zero-day Android VoIP vulnerabilities, all of which were confirmed by Google with bug bounty awards. The security consequences are serious, including denying voice calls, caller ID spoofing, unauthorized call operations, and remote code execution. To mitigate these vulnerabilities and further improve Android VoIP security, we uncover a new root cause that requires developers’ attention during their design and implementation.
2020-06-01T07:00:00Z
text
application/pdf
https://ink.library.smu.edu.sg/sis_research/5924
info:doi/10.1007/978-3-030-52683-2_6
https://ink.library.smu.edu.sg/context/sis_research/article/6927/viewcontent/UnderstandingAndroidVoIPSecurity_av.pdf
http://creativecommons.org/licenses/by-nc-nd/4.0/
Research Collection School Of Computing and Information Systems
eng
Institutional Knowledge at Singapore Management University
Android (operating system)
Internet telephony
Malware
Network security
Packet switching
Telephone circuits
Voice/data communication systems
Information Security
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic Android (operating system)
Internet telephony
Malware
Network security
Packet switching
Telephone circuits
Voice/data communication systems
Information Security