Transcript
What the App is that? Deception and countermeasures in the Android User Interface
Presented By: Vijay Soppadandi
Pursuing M.Sc in Applied CS
Semester: Fourth
ID number: 21363273
Institute of Informatics Georg-August-Universitaet Goettingen, Germany
Department of Security
Professor: Dr. Konrad Rieck
Advisor: Hugo Gascon
Term: Summer semester 2015
Course: Security and Privacy in Smartphones
Overview
- Importance of Mobile Applications
- Mobile Application Security Issues and Threats
- Analyzing Malicious Applications
  * GUI Confusion Attacks
  * State Exploration Tools
- Detecting Malicious Applications using Static Analysis
- Defensive Mechanism
- Evaluation
- Conclusion
- References
Importance of Mobile Applications
* Part of everyday lives
* Sensitive information
* Usage is high
* Trust
Image source: http://goo.gl/rw0Rbf
Mobile Application Security Issues and Threats
• Some previously known attacks
  * GUI mimic
  * phishing-style
  * click-jacking-style
• Some novel attacks
  * Non-escapable fullscreen
Image source: http://goo.gl/CCAfkH (referenced source: Wikipedia)
Mobile Application Security
• Why do we care about security in mobile applications?
• Why are previous security techniques not enough?
Analyzing Malicious Applications
• Analyze in detail the ways in which Android users are confused into misidentifying an app
  * GUI confusion attacks
  * State exploration tools
GUI Confusion Attacks
Table 1: [2] Attack vectors and enhancing techniques (referenced source)

Category               Attack vector
Drawn on top           UI-intercepting draw-over
                       Non-UI-intercepting draw-over
                       Toast message
App switch             startActivity API
                       Screen pinning
                       moveTaskTo APIs
                       killBackgroundProcesses API
                       Back / power button (passive)
                       Sit and wait (passive)
Fullscreen             Non-"immersive" fullscreen
                       "immersive" fullscreen
                       "inescapable" fullscreen
Enhancing techniques   getRunningTasks API
                       Reading the system log
                       Accessing proc file system
                       App repackaging

Presenter notes on the table:
* addView API
* PRIORITY_PHONE flag
* Click-jacking
* Interesting exception
* GUI mimic
* Active and passive app switch
* Drawn on top of the activity without permissions
* Locks the specific app
* REORDER_TASKS permission
* Other attack vectors used
* The user believes an app switch occurred; in fact, it has not (tabnabbing)
* SYSTEM_UI_FLAG_IMMERSIVE
* Technique to detect how the user interacts with the system
* GET_TASKS: name of the top Activity; READ_LOGS
* Retrieve the list of running apps by listing /proc
* Process of modifying an existing app
State exploration tools
• Study how the main GUI APIs can be used to mount GUI confusion attacks
• Windows can be drawn on top of others even if they belong to different apps
  1) The window entirely covers the device's screen.
  2) No permission is needed; the close or navigation bar cannot be accessed.
A) Study of the "startActivity" API.
Table 2: [4] Component types, flags, and launchMode values tested by the tool (referenced source)

Component type: Activity, Service, Content Provider, Broadcast Receiver
launchMode attribute: standard, singleTop, singleTask, singleInstance
startActivity flags: MULTIPLE_TASK, NEW_TASK, CLEAR_TASK, CLEAR_TOP, SINGLE_TOP, TASK_ON_HOME, REORDER_TO_FRONT, PREVIOUS_IS_TOP
API exploration tools effectively help to detect critical situations, such as the possibility of an "inescapable" fullscreen window.
B) Study of "inescapable" fullscreen windows
* Removing the SYSTEM_ERROR type.
Table 3: [4] Window types and flags (referenced source)

Types: TOAST, SYSTEM_ERROR, PHONE, PRIORITY_PHONE, SYSTEM_ALERT, SYSTEM_OVERLAY
Layout flags: IN_SCREEN, NO_LIMITS
System-UI visibility flags: HIDE_NAVIGATION, FULLSCREEN, LAYOUT_FULLSCREEN, IMMERSIVE, IMMERSIVE_STICKY

Findings:
* SYSTEM_ERROR + NO_LIMITS: covers the entire screen in Android 4.3; a patch is used to address this problem.
* SYSTEM_ERROR + System-UI visibility flags using "immersive": creates an "inescapable" fullscreen window, introduced in Android 4.4; the same parameters are verified in 5.0.
Detecting via Static Analysis
• A tool is developed to explore how real-world apps use attack vectors and enhancing techniques
  * Guides the defense mechanism
  * Detects malicious usage of a technique
• It flags an app as potentially malicious if it detects
• Detection process
1) First, it checks which permissions the app requires.
2) It extracts and parses the app's bytecode.
3) It identifies invocations and applies backward program slicing techniques to check the values passed to them.
4) The analyzer checks whether a particular technique is used by the given app.
5) At the final stage, the app's control flow is analyzed.
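As an added illustration of the detection pipeline above (this is not the tool from the paper or the slides), the following Python sketch performs the permission check on a manifest and a backward slice over a constructed smali fragment to resolve the window type and flags passed to addView. The permission and window-type sets, the regex-based instruction parsing and the verdict rule are this example's assumptions.

```python
import re
import xml.etree.ElementTree as ET
# Numeric values are Android's WindowManager.LayoutParams constants; treating this permission
# set (Table 4a) and these window types (Table 3) as suspicious is an assumption of this example.
SUSPECT_PERMS = {"GET_TASKS", "READ_LOGS", "KILL_BACKGROUND_PROCESSES", "SYSTEM_ALERT_WINDOW", "REORDER_TASKS"}
WINDOW_TYPES = {2002: "PHONE", 2003: "SYSTEM_ALERT", 2005: "TOAST", 2006: "SYSTEM_OVERLAY",
                2007: "PRIORITY_PHONE", 2010: "SYSTEM_ERROR"}
FLAG_LAYOUT_NO_LIMITS = 0x200
CONST_RE = re.compile(r"^\s*const(?:/\w+)?\s+(v\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)")
INVOKE_RE = re.compile(r"^\s*invoke-\w+\s+\{([^}]*)\},\s*(\S+)")
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

def manifest_permissions(xml_text):  # step 1: suspicious permissions the manifest requests
    names = {e.get(ANDROID_NAME, "").rsplit(".", 1)[-1] for e in ET.fromstring(xml_text).iter("uses-permission")}
    return sorted(names & SUSPECT_PERMS)

def slice_back(lines, idx, reg):  # backward slice: the constant that last wrote reg before idx
    for j in range(idx - 1, -1, -1):
        m = CONST_RE.match(lines[j])
        if m and m.group(1) == reg:
            return int(m.group(2), 0)
    return None  # not a constant on this path: leave it unresolved

def detect_draw_over(lines):  # steps 3-4: (window type, NO_LIMITS set?) for each addView call
    hits = []
    for i, line in enumerate(lines):
        m = INVOKE_RE.match(line)
        if not m or "WindowManager;->addView(" not in m.group(2):
            continue
        params_reg = m.group(1).split(",")[-1].strip()  # register holding the LayoutParams argument
        for j in range(i - 1, -1, -1):  # find the LayoutParams(w, h, type, flags, format) constructor
            c = INVOKE_RE.match(lines[j])
            regs = [r.strip() for r in c.group(1).split(",")] if c else []
            if c and "LayoutParams;-><init>(IIIII)V" in c.group(2) and regs[0] == params_reg:
                wtype, flags = slice_back(lines, j, regs[3]), slice_back(lines, j, regs[4]) or 0
                hits.append((WINDOW_TYPES.get(wtype, "unknown"), bool(flags & FLAG_LAYOUT_NO_LIMITS)))
                break
    return hits

def analyze(manifest_xml, smali_lines):  # verdict rule (an assumption): any system-level draw-over window
    perms, overlays = manifest_permissions(manifest_xml), detect_draw_over(smali_lines)
    return {"permissions": perms, "draw_over": overlays, "flagged": any(t != "unknown" for t, _ in overlays)}

# Constructed sample input (not from a real app): a SYSTEM_ERROR + LAYOUT_NO_LIMITS window as on Android 4.3.
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            '<uses-permission android:name="android.permission.GET_TASKS"/>'
            '<uses-permission android:name="android.permission.INTERNET"/></manifest>')
SMALI = ["const/16 v1, 0x7da", "const/16 v2, 0x200", "const/4 v3, -0x1",
         "invoke-direct {v0, v3, v3, v1, v2, v3}, Landroid/view/WindowManager$LayoutParams;-><init>(IIIII)V",
         "invoke-interface {v4, v5, v0}, Landroid/view/WindowManager;->addView(Landroid/view/View;Landroid/view/ViewGroup$LayoutParams;)V"]
```

Running analyze(MANIFEST, SMALI) on the constructed input resolves the window type to SYSTEM_ERROR with NO_LIMITS set and flags the sample; a window whose type is not a constant on the path stays "unknown" rather than being guessed.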
Detecting Malicious Applications using Static Analysis
Table 4 (a): Number of apps requesting permissions used by GUI confusion attacks (referenced source)

Permission name             Benign1 set   Benign2 set   Malicious set   App-locker set
GET_TASKS                   32 (6.4%)     80 (16.0%)    217 (17.2%)     19 (95.0%)
READ_LOGS                   9 (1.8%)      35 (7.0%)     240 (19.1%)     13 (65.0%)
KILL_BACKGROUND_PROCESSES   3 (0.6%)      13 (2.6%)     13 (1.0%)       5 (25.0%)
SYSTEM_ALERT_WINDOW         1 (0.2%)      34 (6.8%)     3 (0.2%)        10 (50.0%)
REORDER_TASKS               0 (0.0%)      4 (0.8%)      2 (0.2%)        2 (10.0%)
Detecting Malicious Applications using Static Analysis
Table 4 (b): Number of apps using each detected technique in the analyzed data sets (referenced source)

Technique                       Benign1 set   Benign2 set   Malicious set   App-locker set
startActivity API               53 (10.4%)    135 (27.0%)   751 (59.6%)     20 (100.0%)
killBackgroundProcesses API     1 (0.2%)      8 (1.6%)      6 (5.5%)        4 (20.0%)
Fullscreen                      0 (0.0%)      22 (4.4%)     0 (0.0%)        1 (5.0%)
moveToFront API                 0 (0.0%)      0 (0.0%)      1 (0.1%)        1 (5.0%)
Drawn over using addView API    0 (0.0%)      9 (1.8%)      0 (0.0%)        3 (15.0%)
Custom toast message            0 (0.0%)      1 (0.2%)      0 (0.0%)        1 (5.0%)

Enhancing technique             Benign1 set   Benign2 set   Malicious set   App-locker set
getRunningTasks API             23 (4.6%)     68 (13.6%)    147 (11.7%)     19 (95.0%)
Reading the system log          8 (1.6%)      18 (3.6%)     28 (2.2%)       8 (40.0%)
Accessing proc file system      3 (0.6%)      26 (5.2%)     43 (3.4%)       4 (20.0%)
Defensive Mechanism
• The defense approach: design a system that informs users and leaves the final decision to them.
• The root cause of these attacks, and what compromises user security, is that there is simply no way for the user to know which application she is actually interacting with.
• The Android system needs to establish a trusted path to inform the user without compromising UI functionality.
• In particular, the proposed modifications need to address three challenges:
  1) Understanding which app the user is actually interacting with.
  2) Understanding who the real author of that app is.
  3) Showing this information to the user in an unobtrusive but reliable and non-manipulable way.
Defensive Mechanism
1) Knowing which app the user is actually interacting with
* The navigation bar and the status bar are drawn separately by the system, in specific windows
* Interaction with these utility components can be safely
* Windows from multiple apps can be drawn on top of the top activity
* Some legitimate apps act as "always-visible" windows on top of the currently top app
* To create an "always-visible" window, a specific permission is necessary
* The filterTouchesWhenObscured API helps to block user input when content from other apps is present at the touch location
Defensive Mechanism
2) Understanding who the real author of that app is
* Every app contains its own unique identifier.
* An Extended-Validation HTTPS infrastructure is used to validate it.
* Multiple cloned apps with the same name make it difficult to identify the trustworthy app.
* A "Top Developer Badge" helps show users which apps are the best and most trustworthy.
Defensive Mechanism
3) Conveying trust information to the user
Table 5: Possible screen states and how they are visualized (referenced source)

Columns: If | Resulting UI state | Visualization | Equivalent in browsers | Visualization in browsers

1) If: no domain specified in the manifest
   Resulting UI state: app not associated with any organization
   Visualization: regular black navigation bar
   Equivalent in browsers: regular HTTP pages
   Visualization in browsers: no lock icon

2) If: domain specified in the manifest, successful verification, no visible windows from other apps
   Resulting UI state: sure interaction with a verified app
   Visualization: green lock and company name
   Equivalent in browsers: HTTPS verified page
   Visualization in browsers: green lock, domain name, and (optionally) company name

3) If: domain specified in the manifest, successful verification, visible windows from other apps
   Resulting UI state: likely interaction with a verified app, but external elements are present
   Visualization: yellow half-open lock
   Equivalent in browsers: mixed HTTP and HTTPS content
   Visualization in browsers: varies with browsers; a yellow warning signal is common

4) If: domain specified in the manifest, unknown validity (networking issues)
   Resulting UI state: incomplete verification
   Visualization: red warning page, user allowed to proceed
   Equivalent in browsers: self-signed or missing CA certificate
   Visualization in browsers: usually a red warning page, user allowed to proceed

5) If: other cases
   Resulting UI state: failed verification
   Visualization: red error page
   Equivalent in browsers: failed verification
   Visualization in browsers: red error page
Evaluation
• The effectiveness of GUI confusion attacks
• How helpful the defense mechanism is to users in finding malicious apps

Table 7: [4] Results of the experiments with Amazon Turk (referenced source)

Group 1: stock Android
Group 2: defensive activity, subjects not aware of attacks
Group 3: defensive activity, subjects aware of attacks

                  Group 1   Group 2   Group 3
Total subjects    113       102       132
Valid subjects    99        93        116
Evaluation
Tasks answered correctly        Group 1       Group 2       Group 3
B1 and B2                       67 (67.68%)   70 (75.27%)   85 (73.28%)
Astd                            19 (19.19%)   60 (64.52%)   80 (68.97%)
Afull                           17 (17.17%)   71 (76.34%)   86 (74.14%)
Astd and Afull                  8 (8.08%)     55 (59.14%)   67 (57.76%)
Astd and B1 and B2              4 (4.04%)     51 (54.84%)   73 (62.93%)
Afull and B1 and B2             6 (6.06%)     63 (67.74%)   76 (65.52%)
Astd and Afull and B1 and B2    2 (2.02%)     50 (53.76%)   66 (56.90%)
Table 8: Subjects answering the tasks correctly; percentages are computed with respect to the number of valid subjects.

Figure 1: the security companion.
Conclusion
• How Android users are misled
• Categorized the known attacks
• Studied in detail, with tools, how GUI APIs can be used to mount such attacks
• Developed a two-layer defense to prevent them
• Developed a static analysis tool to identify such code
• Presented an on-device defense system design to improve the ability of users to judge the impact of their actions
References
• Bianchi, Antonio, Jacopo Corbetta, Luca Invernizzi, Yanick Fratantonio, Christopher Kruegel, and Giovanni Vigna. "What the App is That? Deception and Countermeasures in the Android User Interface." (2015).
• Mann, Ian. Hacking the Human: Social Engineering Techniques and Security Countermeasures. Gower Publishing, Ltd., 2012.
• "OWASP," [Online]. Available: http://www.owasp.org/index.php/index.php/Static_Code_Analysis
• "tutorialspoint," [Online]. Available: http://www.tutorialspoint.com/android/android_application_components.htm
• M. Niemietz and J. Schwenk, "UI Redressing Attacks on Android Devices," Black Hat Abu Dhabi, 2012.
• A. P. Felt and D. Wagner, "Phishing on Mobile Devices," Web 2.0 Security and Privacy, 2011.
• T. Luo, X. Jin, A. Ananthanarayanan, and W. Du, "Touchjacking Attacks on Web in Android, iOS, and Windows Phone," in Proceedings of the 5th International Conference on Foundations and Practice of Security (FPS). Berlin, Heidelberg: Springer-Verlag, 2012, pp. 227–243.
• TrendLabs, "Tapjacking: An Untapped Threat in Android," http://blog.trendmicro.com/trendlabs-security-intelligence/tapjacking-an-untapped-threat-in-android/, December 2012.
• Q. A. Chen, Z. Qian, and Z. M. Mao, "Peeking into Your App Without Actually Seeing It: UI State Inference and Novel Android Attacks," in Proceedings of the 23rd USENIX Security Symposium. Berkeley, CA, USA: USENIX Association, 2014, pp. 1037–1052.
• TrendLabs, "Bypassing Android Permissions: What You Need to Know," http://blog.trendmicro.com/trendlabs-security-intelligence/bypassing-android-permissions-what-you-need-to-know/, November 2012.
• S. Jana and V. Shmatikov, "Memento: Learning Secrets from Process Footprints," in Proceedings of the IEEE Symposium on Security and Privacy (SP), May 2012, pp. 143–157.
• S. Hanna, L. Huang, E. Wu, S. Li, C. Chen, and D. Song, "Juxtapp: A Scalable System for Detecting Code Reuse Among Android Applications," in Proceedings of the 9th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). Berlin, Heidelberg: Springer-Verlag, 2012, pp. 62–81.
• W. Zhou, Y. Zhou, X. Jiang, and P. Ning, "Detecting Repackaged Smartphone Applications in Third-party Android Marketplaces," in Proceedings of the Second ACM Conference on Data and Application Security and Privacy (CODASPY). New York, NY, USA: ACM, 2012, pp. 317–326.
• W. Zhou, X. Zhang, and X. Jiang, "AppInk: Watermarking Android Apps for Repackaging Deterrence," in Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIA CCS). New York, NY, USA: ACM, 2013, pp. 1–12.
• M. Weiser, "Program Slicing," in Proceedings of the 5th International Conference on Software Engineering. IEEE Press, 1981, pp. 439–449.
• CA/Browser Forum, "Guidelines For The Issuance And Management Of Extended Validation Certificates," https://cabforum.org/wp-content/uploads/Guidelines_v1_4_3.pdf, 2013.
• "Android Stack Exchange," [Online]. Available: http://android.stackexchange.com/questions/31830/what-is-a-top-developer-in-google-play
END
Thanks for your attention