DOI: 10.1145/3243734.3243785
research-article
Public Access

ClickShield: Are You Hiding Something? Towards Eradicating Clickjacking on Android

Published: 15 October 2018

ABSTRACT

In the context of mobile user-interface (UI) attacks, the common belief is that clickjacking is a solved problem. On the contrary, this paper shows that clickjacking is still an open problem on mobile devices: all known academic and industry solutions are either ineffective or not applicable in the real world for backward-compatibility reasons. As a consequence, even popular and sensitive apps such as the Google Play Store remain, to date, completely unprotected from clickjacking attacks. After gathering insights into how apps use the user interface, this work performs a systematic exploration of the design space for an effective and practical protection against clickjacking, and uses that exploration to guide the design of ClickShield, a new defensive mechanism. To address backward compatibility, the design allows overlays to cover the screen and relies on image analysis to determine whether the user could be confused by what is drawn on top of the app. We have implemented a prototype and tested it against ClickBench, a newly developed benchmark specifically tailored to stress-test clickjacking protections. The dataset consists of 104 test cases and includes real-world and simulated benign and malicious examples that evaluate the system across a wide range of legitimate and attack scenarios. The results show that our system addresses backward-compatibility concerns, detects all known attacks (including a previously unseen real-world malware sample that was published after we had developed our solution), and introduces negligible overhead.
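The abstract's two design points (let overlays cover the screen, then decide from the rendered pixels whether the user could be confused) are easier to see on a concrete model. The following is an added example in plain Python; it is not ClickShield's code and does not reproduce the paper's algorithm. It contrasts a window-level "is anything on top of the touch point?" policy (a simplified stand-in for filtering touches on Android's FLAG_WINDOW_IS_OBSCURED) with a pixel-level comparison of the app's own frame against the composited screen around the tap. The 40x40 frame, the "Install" button, the three overlays, the fingertip radius and the threshold are all constructed assumptions chosen for illustration.

```python
"""
Toy model of overlay-aware touch filtering against Android clickjacking.

Added example, not ClickShield's code: a naive "is any window on top of the
touch point?" check is compared with a pixel-level check that measures how
much the overlays change what the user sees around the tap. Frames are small
grayscale grids, overlays use integer alpha percentages, and the radius and
threshold are illustrative assumptions, not values from the paper.
"""
from dataclasses import dataclass, field

Frame = list[list[int]]  # rows of grayscale pixels, 0 (black) .. 255 (white)


def blank_frame(width: int, height: int, value: int = 255) -> Frame:
    return [[value] * width for _ in range(height)]


def paint_rect(frame: Frame, x: int, y: int, w: int, h: int, value: int) -> None:
    """Paint an axis-aligned rectangle, clipped to the frame."""
    for row in range(max(0, y), min(y + h, len(frame))):
        for col in range(max(0, x), min(x + w, len(frame[0]))):
            frame[row][col] = value


@dataclass
class Overlay:
    """A window drawn on top of the app (x, y, w, h in pixels)."""
    x: int
    y: int
    w: int
    h: int
    alpha_pct: int  # 0 = invisible, 100 = fully opaque
    color: int      # grayscale value the overlay paints
    holes: list[tuple[int, int, int, int]] = field(default_factory=list)  # (x, y, w, h) cut-outs

    def covers(self, px: int, py: int) -> bool:
        """True if this overlay paints pixel (px, py); cut-outs let touches through."""
        if not (self.x <= px < self.x + self.w and self.y <= py < self.y + self.h):
            return False
        return not any(hx <= px < hx + hw and hy <= py < hy + hh
                       for hx, hy, hw, hh in self.holes)


def composite(app_frame: Frame, overlays: list[Overlay]) -> Frame:
    """What the user sees: overlays alpha-blended onto the app frame in z-order."""
    seen = [row[:] for row in app_frame]
    for ov in overlays:
        for py, row in enumerate(seen):
            for px, value in enumerate(row):
                if ov.covers(px, py):
                    row[px] = ((100 - ov.alpha_pct) * value + ov.alpha_pct * ov.color) // 100
    return seen


def mean_abs_diff(a: Frame, b: Frame, cx: int, cy: int, radius: int) -> float:
    """Mean per-pixel difference inside a square fingertip neighbourhood of the tap."""
    total = count = 0
    for py in range(max(0, cy - radius), min(len(a), cy + radius + 1)):
        for px in range(max(0, cx - radius), min(len(a[0]), cx + radius + 1)):
            total += abs(a[py][px] - b[py][px])
            count += 1
    return total / count


def obscured_window_check(overlays: list[Overlay], tap: tuple[int, int]) -> bool:
    """Naive policy: allow the touch only if no overlay window sits on the touch point
    (a simplified stand-in for filtering on Android's FLAG_WINDOW_IS_OBSCURED)."""
    return not any(ov.covers(*tap) for ov in overlays)


def image_check(app_frame: Frame, overlays: list[Overlay], tap: tuple[int, int],
                radius: int = 5, threshold: float = 32.0) -> tuple[bool, float]:
    """Pixel policy: allow the touch if what the user sees around the tap is close
    enough to what the app drew there. Returns (allowed, score)."""
    score = mean_abs_diff(app_frame, composite(app_frame, overlays), tap[0], tap[1], radius)
    return score <= threshold, score


def run_scenarios() -> dict[str, dict]:
    """Constructed scenarios: a 40x40 app screen with one dark 'Install' button."""
    app = blank_frame(40, 40)
    paint_rect(app, 10, 10, 20, 8, 40)   # the real button the user means to tap
    tap = (20, 14)                        # centre of the button
    scenarios = {
        "no_overlay": [],
        # Benign: a full-screen 10% dimmer, the kind a screen-filter app draws.
        "dimmer": [Overlay(0, 0, 40, 40, alpha_pct=10, color=0)],
        # Attack: an opaque fake button painted exactly over the real one.
        "fake_button": [Overlay(10, 10, 20, 8, alpha_pct=100, color=200)],
        # Attack: opaque lure covering the screen with a hole over the real button,
        # so the tap reaches the app while the user sees the attacker's UI.
        "cutout": [Overlay(0, 0, 40, 40, alpha_pct=100, color=0, holes=[(18, 12, 5, 5)])],
    }
    results = {}
    for name, overlays in scenarios.items():
        allowed, score = image_check(app, overlays, tap)
        results[name] = {
            "obscured_check_allows": obscured_window_check(overlays, tap),
            "image_check_allows": allowed,
            "score": round(score, 2),
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:12s} obscured-check={r['obscured_check_allows']!s:5s} "
              f"image-check={r['image_check_allows']!s:5s} score={r['score']}")
```

The two policies disagree in exactly the cases the abstract cares about: the window-level check rejects the benign dimmer (the backward-compatibility failure) yet accepts the cut-out attack, because the touch point itself is uncovered, while the pixel comparison accepts the dimmer and rejects both attacks. The threshold and neighbourhood size are the parameters a real system would have to tune against benign and malicious corpora; note also that a real implementation needs both the app's own frame and the composited screen, which an ordinary app cannot read, so the check has to live on the platform side.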

Supplemental Material

p1120-possemato.mp4 (mp4, 386.7 MB)


Published in

CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
October 2018, 2359 pages
ISBN: 9781450356930
DOI: 10.1145/3243734

      Copyright © 2018 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Acceptance Rates

CCS '18 paper acceptance rate: 134 of 809 submissions (17%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).
