ABSTRACT
More and more malicious apps and mobile rootkits are found to perform sensitive operations on behalf of legitimate users without their awareness. Malware does so by either forging user inputs or tricking users into making unintended requests to online service providers. Such malware is hard to detect and generates large revenues for cybercriminals, which is often used for committing ad/click frauds, faking reviews/ratings, promoting people or business on social networks, etc.
We find that this class of malware is possible due to the lack of practical and robust means for service providers to verify the authenticity of user-driven operations (i.e., operations supposed to be performed, or explicitly confirmed, by a user). We design and build the VButton system to fill this void. Our system introduces a class of attestation-enabled app UI widgets (called VButton UI). Developers can easily integrate VButton UI in their apps to allow service providers to verify that a user-driven operation triggered by a VButton UI is indeed initiated and intended by a real user. Our system contains an on-device Manager, and a server-side Verifier. Leveraging ARM TrustZone, our system can attest operation authenticity even in the presence of a compromised OS. We have implemented the VButton system on an ARM development board as well as a commercial off-the-shelf smartphone. The evaluation results show that the system incurs negligible overhead.
Supplemental Material
- "Keeping facebook activity authentic," https://www.facebook.com/notes/facebook- security/keeping-facebook-activity-authentic/10152309368645766/, 2014.Google Scholar
- "Kingroot," https://kingroot.net, 2016.Google Scholar
- "Authentication | android open source project," https://source.android.com/security/authentication/index.html, 2017.Google Scholar
- "boringssl," https://boringssl.googlesource.com/boringssl/, 2017.Google Scholar
- "Chinese click farm where 10k phones boost app ratings," http://www.dailymail.co.uk/news/article-4499730/click-farm-10-000-phones-boost-product-ratings.html, 2017.Google Scholar
- "Libtomcrypt," https://github.com/libtom/libtomcrypt, 2017.Google Scholar
- "monkeyrunner," https://developer.android.com/studio/test/monkeyrunner/, 2017.Google Scholar
- "textimagegenerator library," https://github.com/jcraane/textimagegenerator, 2017.Google Scholar
- "Trustkernel tee," https://www.trustkernel.com, 2018.Google Scholar
- T. Abera, N. Asokan, L. Davi, J.-E. Ekberg, T. Nyman, A. Paverd, A.-R. Sadeghi, and G. Tsudik, "C-flat: control-flow attestation for embedded systems software," in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016, pp. 743--754. Google ScholarDigital Library
- Alipay, "Ali pay," https://www.alipay.com/, 2017.Google Scholar
- T. Alves and D. Felton, "Trustzone: Integrated hardware and software security," ARM white paper, vol. 3, no. 4, 2004.Google Scholar
- A. Amiri Sani, "Schrodintext: Strong protection of sensitive textual content of mobile applications," in Proceedings of the 15th Annual International Conference on Mobile Systems, Applications, and Services. ACM, 2017, pp. 197--210. Google ScholarDigital Library
- Apple, "Apple pay," www.apple.com/apple-pay/, 2017.Google Scholar
- ARM, "Connected devices need e-commerce standard security say cyber security experts," https://www.arm.com/about/newsroom/connected-devices-need-e-commerce-standard-security-say-cyber-security-experts.php, 2016.Google Scholar
- L. P. Cox and P. M. Chen, "Pocket hypervisors: Opportunities and challenges," in Mobile Computing Systems and Applications, 2007. HotMobile 2007. Eighth IEEE Workshop on. IEEE, 2007, pp. 46--50. Google ScholarDigital Library
- J. Crussell, R. Stevens, and H. Chen, "Madfraud: Investigating ad fraud in android applications," in Proceedings of the 12th annual international conference on Mobile systems, applications, and services. ACM, 2014, pp. 123--134. Google ScholarDigital Library
- W. Cui, R. H. Katz, and W.-t. Tan, "Binder: An extrusion-based break-in detector for personal computers," in USENIX Annual Technical Conference, General Track, 2005, pp. 363--366. Google ScholarDigital Library
- A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, "A survey of mobile malware in the wild," in Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices. ACM, 2011, pp. 3--14. Google ScholarDigital Library
- O. I. I. E. T. Force, "The open trust protocol (otrp)," https://tools.ietf.org/html/draft-pei-opentrustprotocol-01, 2017.Google Scholar
- P. Gilbert, J. Jung, K. Lee, H. Qin, D. Sharkey, A. Sheth, and L. P. Cox, "Youprove: authenticity and fidelity in mobile sensing," in Proceedings of the 9th ACM Conference on Embedded Networked Sensor Systems. ACM, 2011, pp. 176--189. Google ScholarDigital Library
- I. J. Goodfellow, Y. Bulatov, J. Ibarz, S. Arnoud, and V. Shet, "Multi-digit number recognition from street view imagery using deep convolutional neural networks," arXiv preprint arXiv:1312.6082, 2013.Google Scholar
- R. Gummadi, H. Balakrishnan, P. Maniatis, and S. Ratnasamy, "Not-a-bot (nab): Improving service availability in the face of botnet attacks," 2009.Google Scholar
- Z. Hua, J. Gu, Y. Xia, H. Chen, B. Zang, and H. Guan, "vtz: Virtualizing arm trustzone," in 26th {USENIX} Security Symposium ({USENIX} Security 17), 2017, pp. 541--556. Google ScholarDigital Library
- Y. Jang, S. P. Chung, B. D. Payne, and W. Lee, "Gyrus: A framework for user-intent monitoring of text-based networked applications." in NDSS, 2014.Google Scholar
- M. Jiang, P. Cui, and C. Faloutsos, "Suspicious behavior detection: Current trends and future directions," IEEE Intelligent Systems, vol. 31, no. 1, pp. 31--39, 2016. Google ScholarDigital Library
- N. Krawetz, "Perceptual hash algorithm: the average hash algorithm," http://www.hackerfactor.com/blog/?/archives/432-Looks-Like-It.html, 2011.Google Scholar
- K. Lee, J. Caverlee, and S. Webb, "Uncovering social spammers: social honeypots+ machine learning," in Proceedings of the 33rd international ACM SIGIR conference on Research and development in information retrieval. ACM, 2010, pp. 435--442. Google ScholarDigital Library
- W. Li, H. Li, H. Chen, and Y. Xia, "Adattester: Secure online mobile advertisement attestation using trustzone," in Proceedings of the 13th Annual International Conference on Mobile Systems, Applications, and Services. ACM, 2015, pp. 75--88. Google ScholarDigital Library
- D. Liu and L. P. Cox, "Veriui: Attested login for mobile devices," in Proceedings of the 15th Workshop on Mobile Computing Systems and Applications. ACM, 2014, p. 7. Google ScholarDigital Library
- H. Liu, S. Saroiu, A. Wolman, and H. Raj, "Software abstractions for trusted sensors," in Proceedings of the 10th international conference on Mobile systems, applications, and services. ACM, 2012, pp. 365--378. Google ScholarDigital Library
- W. Liu, Y. Zhang, Z. Li, and H. Duan, "What you see isn't always what you get: A measurement study of usage fraud on android apps," in Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices. ACM, 2016, pp. 23--32. Google ScholarDigital Library
- C. Marforio, R. J. Masti, C. Soriente, K. Kostiainen, and S. Capkun, "Hardened setup of personalized security indicators to counter phishing attacks in mobile banking," in Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices. ACM, 2016, pp. 83--92. Google ScholarDigital Library
- S. Mirzamohammadi, J. A. Chen, A. A. Sani, S. Mehrotra, and G. Tsudik, "Ditio: Trustworthy auditing of sensor activities in mobile & iot devices," in Proceedings of the 15th ACM Conference on Embedded Network Sensor Systems. ACM, 2017, p. 28. Google ScholarDigital Library
- G. Petracca, A.-A. Reineh, Y. Sun, J. Grossklags, and T. Jaeger, "Aware: Preventing abuse of privacy-sensitive sensors via operation bindings," in 26th USENIX Security Symposium (USENIX Security 17). Vancouver, BC: USENIX Association, 2017, pp. 379--396. {Online}. Available: https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/petracca Google ScholarDigital Library
- H. Raj, S. Saroiu, A. Wolman, R. Aigner, J. Cox, P. England, C. Fenner, K. Kinshumann, J. Loeser, D. Mattoon et al., "ftpm: A software-only implementation of a tpm chip," 2016.Google Scholar
- T. Ringer, D. Grossman, and F. Roesner, "Audacious: User-driven access control with unmodified operating systems," in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016, pp. 204--216. Google ScholarDigital Library
- F. Roesner, T. Kohno, A. Moshchuk, B. Parno, H. J. Wang, and C. Cowan, "User-driven access control: Rethinking permission granting in modern operating systems," in Security and privacy (SP), 2012 IEEE Symposium on. IEEE, 2012, pp. 224--238. Google ScholarDigital Library
- S. Sivakorn, J. Polakis, and A. D. Keromytis, "I'm not a human: Breaking the google recaptcha," Black Hat,(i), pp. 1--12, 2016.Google Scholar
- T. Support, https://twitter.com/support/status/421400317524070402, 2016.Google Scholar
- Tecent, "Wechat pay," https://pay.weixin.qq.com/index.php/public/wechatpay, 2017.Google Scholar
Index Terms
- VButton: Practical Attestation of User-driven Operations in Mobile Apps
Recommendations
TruZ-Droid: Integrating TrustZone with Mobile Operating System
MobiSys '18: Proceedings of the 16th Annual International Conference on Mobile Systems, Applications, and ServicesMobile devices today provide a hardware-protected mode called Trusted Execution Environment (TEE) to help protect users from a compromised OS and hypervisor. Today TEE can only be leveraged either by vendor apps or by developers who work with the ...
A-mash: providing single-app illusion for multi-app use through user-centric UI mashup
MobiCom '22: Proceedings of the 28th Annual International Conference on Mobile Computing And NetworkingMobile apps offer a variety of features that greatly enhance user experience. However, users still often find it difficult to use mobile apps in the way they want. For example, it is not easy to use multiple apps simultaneously on a small screen of a ...
Enhancing security enforcement on unmodified Android
SAC '13: Proceedings of the 28th Annual ACM Symposium on Applied ComputingAndroid OS have several security vulnerabilities. Most of existing proposals require extensive modification of Android kernel or application framework. So, they are not feasible for end users which use stock Android OS. In this paper, we present a novel ...
Comments