HIJACKING ATTACKS ON ANDROID DEVICES

HIJACKING ATTACKS ON ANDROID DEVICES By Marcus Niemietz Chair for Network and Data Security Ruhr-University Bochum, Germany PHD, May 2012

• University! Research assistant @NDS•Web Application Security! Penetration tests! Security trainings• Book author! Clickjacking• International speaker@mniemietz

IntroductionAttacks and their Countermeasures Visual Spooﬁng UI Redressing Chrome to Phone Attack TapjackingConclusion and Outlook

We will answer these two questions in this talk Are there any UI redressing attacks for Web browsers under Android devices? Can we hijack a touch gesture on a display without using a Web browser?

Introduction

ABOUT ANDROIDLinux-based OS Developer: Open Handset AllianceFor mobile devices Led by Google Smartphones Initial release in Tablet computers September 2008 Television Android 4.0.3 in December 2011

Worldwide smartphone sales Source: Gartner (November 2011) Android Symbian iOS RIM Others 150.000.000 112.500.000 75.000.000 37.500.000 3Q2010 0 3Q2011

Distribution Source: Android.com; 14-day period data- February 1, 2012 0 15 30 45 60 2.1 2.22.3.3 - 2.3.7 Other

ANDROID 2.3.3 ANDROID 4.0

Attacks and theirCountermeasures

Visual Spooﬁng

VISUAL SPOOFINGImitate the look and feel of a trusted websiteUsally hosted on an attackers webserverExample: Amazon.co.uk Using the native implemented Web browser

AMAZON: HOME AMAZON: SIGN IN

AT TA C K E R : H O M E AT TA C K E R : S I G N I N

VISUAL SPOOFINGAttackable adress bar with https:// supportCountermeasure (more or less) Use short URLs like m.amazon.co.uk instead of mobile-www.amazon.co.uk

UI Redressing

UI redressing can be used to adjust the look as well as the behavior of a web page Clickjacking Text injections via drag-and-drop operations, Content extraction Popup blocker bypasses, Event recycling Strokejacking, SVG masking➡ Desktop-based attacks for Web browsers where primary focused in the past

CLASSIC CLICKJACKING

CLASSIC CLICKJACKING<h1>Funny pictures</h1><img src="lol.gif"><button>Click me</button> <img src="lol.gif"><iframe style="position:absolute; z-index:1; opacity:0.0; filter:alpha(opacity=0); left:-120px; top:95px;" width="300" height="200" src="http://www.bing.com"></iframe>

UI REDRESSINGWhat an attacker can do with UI redressing Stealing cookies Stealing all the ﬁles of a folder Stealing ﬁles from the intranet or internet Sending status messages in your name Showing elements in another context Controlling your addon(s) on mobile devices

UI REDRESSINGCountermeasures Frame buster X-Frame-Options Firefox and NoScript

Chrome to Phone Attack

CHROME TO PHONEChrome extension(s)One for your GoogleChrome browser, the otherfor your Android deviceShares links, maps, selectedphone numbers, and textbetween your computer andphone Source: play.google.com

CHROME TO PHONESimple example Mark the text, which should be transmitted Two clicks: A right click on the selected text and a left click on Chrome to Phone

CHROME TO PHONEA Chrome extension is basically a compressed ﬁlewith pictures as well as HTML5, JavaScript, andCSS codeEvery extension has a unique identiﬁer fromGoogle Play (former the Google Chrome Market) You can use it in combination with chrome-extension://

CHROME TO PHONECan attach content scripts to a Web page JavaScript code Access to the Document Object Model (DOM) Can communicate with other components JS runtimes have no access to each other

CHROME TO PHONEAttacked by Krzysztof Kotowicz in Nov. 2011 Load ressources via an iframe or a pop-up window var popup= window.open(’chrome-extension:// aodbo...adc/popup.html’);

CHROME TO PHONE1. Open a pop-up, which is able to receive some parameters from the content scripts code2. The content scripts code sends a URL to the pop-up window3. A link will be forwarded to the Android device4. This link will be automatically opened in the Web browser (depends on the settings)

CHROME TO PHONEWeaknesses in point 2: Next to the content_script.jsis also a manifest.json The manifest.json ﬁle adds the content_script.js ﬁle automatically to every HTTP/HTTPS website and tab We can use a pop-under here for the listenerAwesome attack for cross-device scripting

CHROME TO PHONE

Tapjacking

BAD MOBILE APPSTrendmicro discovered 17 mobile apps with over700,000 downloads in Google Play (May 2012)10 apps delivered annoying and obtrusive ads6 apps that contain Plankton malware code Application Name Brief Behavior Description Sends out GPS location, SMS Spy Phone PRO+ and call log NBA SQUADRE PUZZLE Pushes applications and GAME advertisements to user Pushes applications and Cricket World Cup and Teams advertisements to user

TAPJACKINGDavid Richardson, 2010Android trust model An application is allowed to programmatically open a dialog but not to interact with it Toast view to show a quick little message

RINGER VOLUME RINGER VOLUME - RESIZE

TAPJACKINGJack Mannino published a proof of concept of atapjacking attack one year latertoast class Use the default constant LENGTH_LONG to show the view or text notiﬁcation for a long period of time A to the target application look alike message

TAPJACKING Code example for a tapjacking buttonmButton = new Button(this);mButton.getBackground().setAlpha(0); // like the CSS opacity propertymButton.setOnTouchListener(this); // needed for onTouch()// Layout parameters with an overlayWindowManager.LayoutParams params = new WindowManager ...

TAPJACKINGContact data manipulationNative browser utilizationTouch gestures loggingPredeﬁned phone callsInstalling applications in the background

TAPJACKINGProtection mechanisms for applications available Block touch gestures, which are received whenever the view’s window is obscured setFilterTouchesWhenObscured() or alternatively the attribute android:filterTouchesWhenObscuredWe can attack the home screen

TAPJACKINGCountermeasure A defense application, which is always behind a loaded application We are able to block home screen attacks, too More information soon

Conclusion and Outlook

UI redressing and especially clickjacking attacksare very dangerousWe have browsed-based and browserless UIredressing attacksThere are protection mechanisms to provide acertain degree of client-side securityThere will be more attacks in the future

REFERENCEShttp://developer.android.com/resources/dashboard/platform-versions.htmlFraming Attacks on Smart Phones and DumbRouters:Tap-jacking and Geo-localization Attacks,http://seclab.stanford.edu/websec/framebusting/tapjacking.pdfMarcus Niemietz (Apr. 2012), Clickjacking und UI-Redressing

Paul Stone (Apr. 2010), http://www.contextis.com/research/tools/clickjacking-tool/Robert Hansen and Jeremiah Grossman (Dez. 2008),http://www.sectheory.com/clickjacking.htmKrzysztof Kotowicz (Nov. 2011), http://blog.kotowicz.net/2011/11/html5-something-wicked-this-way-comes.htmlMichal Zalewski (Dez. 2011), The Tangled Web: AGuide to Securing Modern Web Applications

Thank you for your attention. Any questions?

http://www.scoop.it	232
http://storify.com	43
http://yurychemerkin.wordpress.com	18
http://s-t-o.squarespace.com	13
http://yurychemerkin.posterous.com	10
http://yurychemerkin.tumblr.com	6
http://security-through-obscurity.blogspot.com	5
http://sto-strategy.com	5
http://securitythroughobscurity.blog.com	1
http://www.myspace.com	1

HIJACKING ATTACKS ON ANDROID DEVICES

by Positive Hack Days on Jun 19, 2012

Accessibility

Categories

Upload Details

Usage Rights

10 Embeds 334

Statistics

HIJACKING ATTACKS ON ANDROID DEVICES Presentation Transcript