Abstract
TLS is the de-facto standard for encrypting network communications. Today, upwards of 80% of pages loaded on Firefox, Chrome, and Safari are encrypted with TLS. This might be the story for web, but what about mobile? Existing measurements of mobile network encryption fall short: they often focus on the Google Play ecosystem, which necessarily excludes mobile users in China, who comprise a massive portion of the global Internet.
This thesis demonstrates that HTTPS is, in fact, not everywhere, and that a massive portion of mobile network communications remains poorly encrypted and accessible to systems of mass surveillance. These issues are particularly concentrated in mobile applications developed in China, which have been overlooked by the global security community despite their massive popularity and influence.
Three studies provide different perspectives that demonstrate both (1) the massive popularity of proprietary network encryption protocols in top mobile applications, and (2) the insecurity of such homegrown protocols. First, I present our reverse-engineering of WeChat’s proprietary transport encryption protocol and subsequent privacy analysis of the WeChat Mini Program ecosystem. Then, I review the network encryption used by popular Chinese keyboards to encrypt user keystrokes. Finally, I present a large-scale study of encryption protocols used by thousands of popular mobile applications.
I discovered severe vulnerabilities enabling network attackers to decrypt sensitive data in the vast majority of the proprietary encryption protocols we analyzed. Through the vulnerabilities fixed as a result of this work, this research has directly improved the network security of over one billion people.






