Security and privacy in smartphones


Transcript of Security and privacy in smartphones

Page 1: Security and privacy in smartphones

What the App is that? Deception and countermeasures in the Android User Interface

Presented by: Vijay Soppadandi

Pursuing M.Sc. in Applied CS

Semester: Fourth

ID number: 21363273

Institute of Informatics, Georg-August-Universitaet Goettingen, Germany

Department of Security

Professor: Dr. Konrad Rieck

Advisor: Hugo Gascon

Term: Summer semester 2015

Course: Security and Privacy in Smartphones

Page 2: Security and privacy in smartphones

Overview

- Importance of Mobile Applications
- Mobile Application Security Issues and Threats
- Analyzing Malicious Applications
  * GUI Confusion Attacks
  * State Exploration Tools
- Detecting Malicious Applications using Static Analysis
- Defensive Mechanism
- Evaluation
- Conclusion
- References

Page 3: Security and privacy in smartphones

Importance of Mobile Applications

* Part of everyday lives

* Sensitive information

* Usage is high

* Trust

Image source: http://goo.gl/rw0Rbf

Page 4: Security and privacy in smartphones

Mobile Application Security Issues and Threats

• Some previously known attacks:

  - GUI mimic

  - phishing-style

  - click-jacking-style

• Some novel attacks:

  - Non-escapable full screen

Image source: http://goo.gl/CCAfkH (referenced source: Wikipedia)

Page 5: Security and privacy in smartphones

Mobile Applications security

• Why do we care about security in mobile applications?

• Why are previous security techniques not enough?

Page 6: Security and privacy in smartphones

Analyzing Malicious Applications

• Analyze in detail the ways Android users are confused into misidentifying an app:

* GUI confusion attacks

* State exploration tools

Page 7: Security and privacy in smartphones

GUI confusion Attack


Table 1 [2]: Attack vectors and enhancing techniques. The last column holds the presenter's notes from the slide.

| Category | Attack vector | Note |
|---|---|---|
| Drawn on top (addView API; PRIORITY_PHONE flag; click-jacking; an interesting exception) | UI-interception draw-over | |
| | Non-UI-interception draw-over | |
| | Toast message | |
| App switch (GUI mimic; active and passive) | startActivity API | activity drawn on top without permissions |
| | Screen pinning | locks the specific app |
| | moveTaskTo APIs | REORDER_TASKS permission |
| | KillBackgroundProcesses API | used together with other attack vectors |
| | Back / power button (passive) | the user believes an app switch occurred when in fact it has not |
| | Sit and wait (passive) | tabnabbing |
| Fullscreen | Non-"immersive" fullscreen | |
| | "immersive" fullscreen | SYSTEM_UI_FLAG_IMMERSIVE |
| | "inescapable" fullscreen | |
| Enhancing techniques (techniques to detect how the user interacts with the system) | getRunningTasks API | GET_TASKS permission; name of the top Activity |
| | Reading the system log | READ_LOGS permission |
| | Accessing proc file system | retrieve the list of running apps by listing /proc |
| | App repackaging | process of modifying an existing app |

Page 8: Security and privacy in smartphones

State exploration tools

• Study how the main GUI APIs are used to mount GUI confusion attacks

• Windows can be drawn on top even if they belong to different apps:

1) A window entirely covers the device's screen.

2) No permission is needed for accessing the close or navigation bar.

A) Study of the "startActivity" API.

Table 2 [4]: Component types, flags, and launchMode values tested by the tool

| Parameter | Values |
|---|---|
| Component type | Activity, Service, Content Provider, Broadcast Receiver |
| launchMode attribute | standard, singleTop, singleTask, singleInstance |
| startActivity flags | MULTIPLE_TASK, NEW_TASK, CLEAR_TASK, CLEAR_TOP, REORDER_TO_FRONT, SINGLE_TOP, TASK_ON_HOME, PREVIOUS_IS_TOP |

Page 9: Security and privacy in smartphones

State exploration tools

API exploration tools effectively help to detect critical situations such as the possibility of an "inescapable" fullscreen.

B) Study of "inescapable" fullscreen windows

* Removing the SYSTEM_ERROR type.

Table 3 [4]: Window types and flags

| Parameter | Values |
|---|---|
| Types | TOAST, SYSTEM_ERROR, PHONE, PRIORITY_PHONE, SYSTEM_ALERT, SYSTEM_OVERLAY |
| Layout flags | IN_SCREEN, NO_LIMITS |
| System-UI visibility flags | HIDE_NAVIGATION, FULLSCREEN, LAYOUT_FULLSCREEN, IMMERSIVE, IMMERSIVE_STICKY |

Findings per Android version:

* SYSTEM_ERROR + NO_LIMITS covers the entire screen in version 4.3; a patch is used to address this problem.

* SYSTEM_ERROR + System-UI visibility flags using "immersive" to create an "inescapable" fullscreen: introduced in Android 4.4.

* The same parameters are verified in version 5.0.

Page 10: Security and privacy in smartphones

Detecting via Static Analysis

• A tool is developed to explore how real-world apps use the attack vectors and enhancing techniques:

* It guides the defense mechanism

* It detects malicious usage of a technique

• It flags an app as potentially malicious if it detects malicious usage of a technique

• Detection process

1) First, check which permissions the app requires.

2) Extract and parse the app's bytecode.

3) Identify invocations and apply backward program slicing techniques to check values.

4) The analyzer checks whether a particular technique is used by the given app.

5) At the final stage, analyze the app's control flow.
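As an added example (not the paper's tool or the presenter's code), the following Python sketch works through steps 1 to 4 of the detection process above on constructed input: it reads the attack-related permissions of Table 4(a) from a manifest, scans smali-style disassembly for the Table 4(b) invocations, and applies a toy backward slice to recover the flags passed to setSystemUiVisibility. The sample method, its class name and the verdict rule are assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
# Step 1: permissions used by the attack vectors and enhancing techniques (Table 4a).
PERMISSIONS = {"android.permission." + p for p in (
    "GET_TASKS", "READ_LOGS", "KILL_BACKGROUND_PROCESSES",
    "SYSTEM_ALERT_WINDOW", "REORDER_TASKS")}
# Steps 2 and 4: invocations (smali-style signatures) of the techniques in Table 4b.
TECHNIQUES = {
    "Landroid/view/WindowManager;->addView": "drawn over using addView API",
    "Landroid/app/ActivityManager;->killBackgroundProcesses": "killBackgroundProcesses API",
    "Landroid/app/ActivityManager;->moveTaskToFront": "moveToFront API",
    "Landroid/app/ActivityManager;->getRunningTasks": "getRunningTasks API",
}
IMMERSIVE_MASK = 0x800 | 0x1000  # SYSTEM_UI_FLAG_IMMERSIVE | SYSTEM_UI_FLAG_IMMERSIVE_STICKY

def requested_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NAME) for e in root.iter("uses-permission")} & PERMISSIONS

def slice_flags(lines, idx):
    """Step 3 (toy backward slice): find the last constant written to the register
    passed as the flags argument (second register of the invoke) at lines[idx]."""
    reg = re.search(r"\{\w+, (\w+)\}", lines[idx]).group(1)
    for line in reversed(lines[:idx]):
        m = re.match(r"\s*const(?:/\d+|/high16)? %s, (0x[0-9a-fA-F]+|\d+)" % reg, line)
        if m:
            return int(m.group(1), 0)
    return None  # not a plain constant; a real slicer keeps following the data flow

def detected_techniques(smali):
    lines, found = smali.splitlines(), set()
    for i, line in enumerate(lines):
        found.update(name for sig, name in TECHNIQUES.items() if sig in line)
        if "Landroid/view/View;->setSystemUiVisibility" in line:
            flags = slice_flags(lines, i)
            if flags is not None and flags & IMMERSIVE_MASK:
                found.add("fullscreen (immersive)")
    return found

def analyze(manifest_xml, smali):
    """Toy verdict (assumption): the app is flagged once any technique is detected."""
    perms, techs = requested_permissions(manifest_xml), detected_techniques(smali)
    return {"permissions": perms, "techniques": techs, "potentially_malicious": bool(techs)}

# Constructed sample input: a manifest and one disassembled method of a hypothetical app.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SMALI = """.method private lockScreen()V
    const/16 v0, 0x806
    invoke-virtual {v1, v0}, Landroid/view/View;->setSystemUiVisibility(I)V
    invoke-virtual {v2, v3}, Landroid/app/ActivityManager;->getRunningTasks(I)Ljava/util/List;
.end method"""
```

The constant 0x806 combines IMMERSIVE (0x800) with FULLSCREEN (0x4) and HIDE_NAVIGATION (0x2), so the slice classifies the method as an immersive fullscreen use.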

Page 11: Security and privacy in smartphones

Detecting Malicious Applications using Static Analysis

Table 4 (a): Number of apps requesting permissions used by GUI confusion attacks

| Permission name | Benign1 set | Benign2 set | Malicious set | App-locker set |
|---|---|---|---|---|
| GET_TASKS | 32 (6.4%) | 80 (16.0%) | 217 (17.2%) | 19 (95.0%) |
| READ_LOGS | 9 (1.8%) | 35 (7.0%) | 240 (19.1%) | 13 (65.0%) |
| KILL_BACKGROUND_PROCESSES | 3 (0.6%) | 13 (2.6%) | 13 (1.0%) | 5 (25.0%) |
| SYSTEM_ALERT_WINDOW | 1 (0.2%) | 34 (6.8%) | 3 (0.2%) | 10 (50.0%) |
| REORDER_TASKS | 0 (0.0%) | 4 (0.8%) | 2 (0.2%) | 2 (10.0%) |

Page 12: Security and privacy in smartphones

Detecting Malicious Applications using Static Analysis

Table 4 (b): Number of apps using each detected technique in the analyzed data sets

| Technique | Benign1 set | Benign2 set | Malicious set | App-locker set |
|---|---|---|---|---|
| startActivity API | 53 (10.4%) | 135 (27.0%) | 751 (59.6%) | 20 (100.0%) |
| killBackgroundProcesses API | 1 (0.2%) | 8 (1.6%) | 6 (5.5%) | 4 (20.0%) |
| Fullscreen | 0 (0.0%) | 22 (4.4%) | 0 (0.0%) | 1 (5.0%) |
| moveToFront API | 0 (0.0%) | 0 (0.0%) | 1 (0.1%) | 1 (5.0%) |
| drawn over using addView API | 0 (0.0%) | 9 (1.8%) | 0 (0.0%) | 3 (15.0%) |
| custom toast message | 0 (0.0%) | 1 (0.2%) | 0 (0.0%) | 1 (5.0%) |
| getRunningTasks API | 23 (4.6%) | 68 (13.6%) | 147 (11.7%) | 19 (95.0%) |
| Reading the system log | 8 (1.6%) | 18 (3.6%) | 28 (2.2%) | 8 (40.0%) |
| Accessing proc file system | 3 (0.6%) | 26 (5.2%) | 43 (3.4%) | 4 (20.0%) |

Page 13: Security and privacy in smartphones

Defensive Mechanism

• After completing the defense approach with the designed system, inform users and leave the final decision to them.

• The root cause of our attacks, and what compromises user security, is that there is simply no way for the user to know which application she is actually interacting with.

• The Android system needs to establish a trusted path to inform the user without compromising UI functionality.

• In particular, our proposed modifications need to address three challenges:

1) Understanding which app the user is actually interacting with.

2) Understanding who the real author of that app is.

3) Showing this information to the user in an unobtrusive but reliable and non-manipulable way.

Page 14: Security and privacy in smartphones

Defensive Mechanism

1) Get to know which app the user is actually interacting with

* The navigation bar and the status bar are drawn separately by the system in specific windows

* Interaction with these utility components can be done safely

* Windows from multiple apps can be interleaved on top of the top activity

* Some legitimate apps act as "always-visible" windows on top of the currently top app

* A specific permission is necessary to create an "always-visible" window

* The filterTouchesWhenObscured API helps to prevent user inputs when content from other apps is present at the click location

Page 15: Security and privacy in smartphones

Defensive Mechanism

2) Understanding who is the real author of that app

* Every app includes its own unique identifier in a message.

* The Extended-Validation HTTPS infrastructure is used to validate it.

* Multiple cloned apps with the same name make it difficult to identify the trustworthy app.

* A "Top Developer Badge" helps show users which apps are the best and most trustworthy.

Page 16: Security and privacy in smartphones

Defensive Mechanism

3) Conveying trust information to the user

Table 5: Possible screen states and how they are visualized

| If | Then: resulting UI state | Visualization | Equivalent in browsers | Visualization in browsers |
|---|---|---|---|---|
| No domain specified in the manifest | App not associated with any organization | Regular black navigation bar | Regular HTTP page | No lock icon |
| Domain specified in the manifest, successful verification, no visible windows from other apps | Sure interaction with a verified app | Green lock and company name | HTTPS verified page | Green lock, domain name, and (optionally) company name |
| Domain specified in the manifest, successful verification, visible windows from other apps | Likely interaction with a verified app, but external elements are present | Yellow half-open lock | Mixed HTTP and HTTPS content | Varies with browsers; a yellow warning signal is common |
| Domain specified in the manifest, unknown validity (networking issues) | Incomplete verification | Red warning page, user allowed to proceed | Self-signed or missing CA certificate | Usually a red warning page, user allowed to proceed |
| Other cases | Failed verification | Red error page | Failed verification | Red error page |

Page 17: Security and privacy in smartphones

Evaluation

• The effectiveness of GUI confusion attacks

• How helpful our defense mechanism is to users in finding malicious apps

Table 7 [4]: Results of the experiments with Amazon Turk

| | Group 1: Stock Android | Group 2: Defensive activity, subjects not aware of attacks | Group 3: Defensive activity, subjects aware of attacks |
|---|---|---|---|
| Total subjects | 113 | 102 | 132 |
| Valid subjects | 99 | 93 | 116 |

Page 18: Security and privacy in smartphones

Evaluation

Table 8: Subjects answering the tasks correctly (percentages are computed with respect to the number of valid subjects)

| Tasks answered correctly | Group 1 | Group 2 | Group 3 |
|---|---|---|---|
| B1 and B2 | 67 (67.68%) | 70 (75.27%) | 85 (73.28%) |
| Astd | 19 (19.19%) | 60 (64.52%) | 80 (68.97%) |
| Afull | 17 (17.17%) | 71 (76.34%) | 86 (74.14%) |
| Astd and Afull | 8 (8.08%) | 55 (59.14%) | 67 (57.76%) |
| Astd and B1 and B2 | 4 (4.04%) | 51 (54.84%) | 73 (62.93%) |
| Afull and B1 and B2 | 6 (6.06%) | 63 (67.74%) | 76 (65.52%) |
| Astd and Afull and B1 and B2 | 2 (2.02%) | 50 (53.76%) | 66 (56.90%) |

Figure 1: the security companion

Page 19: Security and privacy in smartphones

Conclusion

• How Android users are misled

• Categorizing known attacks

• Studied in detail, using the tools, how GUI APIs can mount such attacks

• Developed a two-layer defense to prevent them

• Developed a static analysis tool to identify such code

• Presented an on-device defense system design to improve the ability of users to judge the impact of their actions

Page 20: Security and privacy in smartphones

References

• A. Bianchi, J. Corbetta, L. Invernizzi, Y. Fratantonio, C. Kruegel, and G. Vigna, "What the App is That? Deception and Countermeasures in the Android User Interface," 2015.

• I. Mann, Hacking the Human: Social Engineering Techniques and Security Countermeasures. Gower Publishing, Ltd., 2012.

• OWASP, "Static Code Analysis," [Online]. Available: http://www.owasp.org/index.php/index.php/Static_Code_Analysis

• tutorialspoint, "Android Application Components," [Online]. Available: http://www.tutorialspoint.com/android/android_application_components.htm

• M. Niemietz and J. Schwenk, "UI Redressing Attacks on Android Devices," Black Hat Abu Dhabi, 2012.

• A. P. Felt and D. Wagner, "Phishing on mobile devices," Web 2.0 Security and Privacy, 2011.

• T. Luo, X. Jin, A. Ananthanarayanan, and W. Du, "Touchjacking Attacks on Web in Android, iOS, and Windows Phone," in Proceedings of the 5th International Conference on Foundations and Practice of Security (FPS). Berlin, Heidelberg: Springer-Verlag, 2012, pp. 227–243.

• TrendLabs, "Tapjacking: An Untapped Threat in Android," http://blog.trendmicro.com/trendlabs-security-intelligence/tapjacking-an-untapped-threat-in-android/, December 2012.

• Q. A. Chen, Z. Qian, and Z. M. Mao, "Peeking into Your App Without Actually Seeing It: UI State Inference and Novel Android Attacks," in Proceedings of the 23rd USENIX Security Symposium. Berkeley, CA, USA: USENIX Association, 2014, pp. 1037–1052.

• TrendLabs, "Bypassing Android Permissions: What You Need to Know," http://blog.trendmicro.com/trendlabs-security-intelligence/bypassing-android-permissions-what-you-need-to-know/, November 2012.

Page 21: Security and privacy in smartphones

References (continued)

• S. Jana and V. Shmatikov, "Memento: Learning Secrets from Process Footprints," in Proceedings of the IEEE Symposium on Security and Privacy (SP), May 2012, pp. 143–157.

• S. Hanna, L. Huang, E. Wu, S. Li, C. Chen, and D. Song, "Juxtapp: A Scalable System for Detecting Code Reuse Among Android Applications," in Proceedings of the 9th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA). Berlin, Heidelberg: Springer-Verlag, 2012, pp. 62–81.

• W. Zhou, Y. Zhou, X. Jiang, and P. Ning, "Detecting Repackaged Smartphone Applications in Third-party Android Marketplaces," in Proceedings of the Second ACM Conference on Data and Application Security and Privacy (CODASPY). New York, NY, USA: ACM, 2012, pp. 317–326.

• W. Zhou, X. Zhang, and X. Jiang, "AppInk: Watermarking Android Apps for Repackaging Deterrence," in Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIA CCS). New York, NY, USA: ACM, 2013, pp. 1–12.

• M. Weiser, "Program slicing," in Proceedings of the 5th International Conference on Software Engineering. IEEE Press, 1981, pp. 439–449.

• CA/Browser Forum, "Guidelines For The Issuance And Management Of Extended Validation Certificates," https://cabforum.org/wp-content/uploads/Guidelines_v1_4_3.pdf, 2013.

• Android StackExchange, "What is a Top Developer in Google Play?" [Online]. Available: http://android.stackexchange.com/questions/31830/what-is-a-top-developer-in-google-play

Page 22: Security and privacy in smartphones

END


Page 23: Security and privacy in smartphones

Thanks for your attention