HIJACKING ATTACKS ON ANDROID DEVICES

4,221 views
3,997 views

Published on

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,221
On SlideShare
0
From Embeds
0
Number of Embeds
346
Actions
Shares
0
Downloads
129
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

HIJACKING ATTACKS ON ANDROID DEVICES

  1. 1. HIJACKING  ATTACKS  ON   ANDROID  DEVICES By Marcus Niemietz Chair for Network and Data Security Ruhr-University Bochum, Germany PHD, May 2012
  2. 2. • University! Research assistant @NDS•Web Application Security! Penetration tests! Security trainings• Book author! Clickjacking• International speaker@mniemietz
  3. 3. IntroductionAttacks and their Countermeasures Visual Spoofing UI Redressing Chrome to Phone Attack TapjackingConclusion and Outlook
  4. 4. We will answer these two questions in this talk Are there any UI redressing attacks for Web browsers under Android devices? Can we hijack a touch gesture on a display without using a Web browser?
  5. 5. Introduction
  6. 6. ABOUT ANDROIDLinux-based OS Developer: Open Handset AllianceFor mobile devices Led by Google Smartphones Initial release in Tablet computers September 2008 Television Android 4.0.3 in December 2011
  7. 7. Worldwide smartphone sales Source: Gartner (November 2011) Android Symbian iOS RIM Others 150.000.000 112.500.000 75.000.000 37.500.000 3Q2010 0 3Q2011
  8. 8. Distribution Source: Android.com; 14-day period data- February 1, 2012 0 15 30 45 60 2.1 2.22.3.3 - 2.3.7 Other
  9. 9. ANDROID 2.3.3 ANDROID 4.0
  10. 10. Attacks and theirCountermeasures
  11. 11. Visual Spoofing
  12. 12. VISUAL SPOOFINGImitate the look and feel of a trusted websiteUsally hosted on an attackers webserverExample: Amazon.co.uk Using the native implemented Web browser
  13. 13. AMAZON: HOME AMAZON: SIGN IN
  14. 14. AMAZON: HOME AMAZON: SIGN IN
  15. 15. AT TA C K E R : H O M E AT TA C K E R : S I G N I N
  16. 16. AT TA C K E R : H O M E AT TA C K E R : S I G N I N
  17. 17. VISUAL SPOOFINGAttackable adress bar with https:// supportCountermeasure (more or less) Use short URLs like m.amazon.co.uk instead of mobile-www.amazon.co.uk
  18. 18. UI Redressing
  19. 19. UI redressing can be used to adjust the look as well as the behavior of a web page Clickjacking Text injections via drag-and-drop operations, Content extraction Popup blocker bypasses, Event recycling Strokejacking, SVG masking➡ Desktop-based attacks for Web browsers where primary focused in the past
  20. 20. CLASSIC CLICKJACKING
  21. 21. CLASSIC CLICKJACKING<h1>Funny pictures</h1><img src="lol.gif"><button>Click me</button> <img src="lol.gif"><iframe style="position:absolute; z-index:1; opacity:0.0; filter:alpha(opacity=0); left:-120px; top:95px;" width="300" height="200" src="http://www.bing.com"></iframe>
  22. 22. UI REDRESSINGWhat an attacker can do with UI redressing Stealing cookies Stealing all the files of a folder Stealing files from the intranet or internet Sending status messages in your name Showing elements in another context Controlling your addon(s) on mobile devices
  23. 23. UI REDRESSINGCountermeasures Frame buster X-Frame-Options Firefox and NoScript
  24. 24. Chrome to Phone Attack
  25. 25. CHROME TO PHONEChrome extension(s)One for your GoogleChrome browser, the otherfor your Android deviceShares links, maps, selectedphone numbers, and textbetween your computer andphone Source: play.google.com
  26. 26. CHROME TO PHONESimple example Mark the text, which should be transmitted Two clicks: A right click on the selected text and a left click on Chrome to Phone
  27. 27. CHROME TO PHONEA Chrome extension is basically a compressed filewith pictures as well as HTML5, JavaScript, andCSS codeEvery extension has a unique identifier fromGoogle Play (former the Google Chrome Market) You can use it in combination with chrome-extension://
  28. 28. CHROME TO PHONECan attach content scripts to a Web page JavaScript code Access to the Document Object Model (DOM) Can communicate with other components JS runtimes have no access to each other
  29. 29. CHROME TO PHONEAttacked by Krzysztof Kotowicz in Nov. 2011 Load ressources via an iframe or a pop-up window var popup= window.open(’chrome-extension:// aodbo...adc/popup.html’);
  30. 30. CHROME TO PHONE1. Open a pop-up, which is able to receive some parameters from the content scripts code2. The content scripts code sends a URL to the pop-up window3. A link will be forwarded to the Android device4. This link will be automatically opened in the Web browser (depends on the settings)
  31. 31. CHROME TO PHONEWeaknesses in point 2: Next to the content_script.jsis also a manifest.json The manifest.json file adds the content_script.js file automatically to every HTTP/HTTPS website and tab We can use a pop-under here for the listenerAwesome attack for cross-device scripting
  32. 32. CHROME TO PHONE
  33. 33. Tapjacking
  34. 34. BAD MOBILE APPSTrendmicro discovered 17 mobile apps with over700,000 downloads in Google Play (May 2012)10 apps delivered annoying and obtrusive ads6 apps that contain Plankton malware code Application Name Brief Behavior Description Sends out GPS location, SMS Spy Phone PRO+ and call log NBA SQUADRE PUZZLE Pushes applications and GAME advertisements to user Pushes applications and Cricket World Cup and Teams advertisements to user
  35. 35. TAPJACKINGDavid Richardson, 2010Android trust model An application is allowed to programmatically open a dialog but not to interact with it Toast view to show a quick little message
  36. 36. RINGER VOLUME RINGER VOLUME - RESIZE
  37. 37. TAPJACKINGJack Mannino published a proof of concept of atapjacking attack one year latertoast class Use the default constant LENGTH_LONG to show the view or text notification for a long period of time A to the target application look alike message
  38. 38. TAPJACKING Code example for a tapjacking buttonmButton = new Button(this);mButton.getBackground().setAlpha(0); // like the CSS opacity propertymButton.setOnTouchListener(this); // needed for onTouch()// Layout parameters with an overlayWindowManager.LayoutParams params = new WindowManager ...
  39. 39. TAPJACKINGContact data manipulationNative browser utilizationTouch gestures loggingPredefined phone callsInstalling applications in the background
  40. 40. TAPJACKINGProtection mechanisms for applications available Block touch gestures, which are received whenever the view’s window is obscured setFilterTouchesWhenObscured() or alternatively the attribute android:filterTouchesWhenObscuredWe can attack the home screen
  41. 41. TAPJACKINGCountermeasure A defense application, which is always behind a loaded application We are able to block home screen attacks, too More information soon
  42. 42. Conclusion and Outlook
  43. 43. UI redressing and especially clickjacking attacksare very dangerousWe have browsed-based and browserless UIredressing attacksThere are protection mechanisms to provide acertain degree of client-side securityThere will be more attacks in the future
  44. 44. REFERENCEShttp://developer.android.com/resources/dashboard/platform-versions.htmlFraming Attacks on Smart Phones and DumbRouters:Tap-jacking and Geo-localization Attacks,http://seclab.stanford.edu/websec/framebusting/tapjacking.pdfMarcus Niemietz (Apr. 2012), Clickjacking und UI-Redressing
  45. 45. Paul Stone (Apr. 2010), http://www.contextis.com/research/tools/clickjacking-tool/Robert Hansen and Jeremiah Grossman (Dez. 2008),http://www.sectheory.com/clickjacking.htmKrzysztof Kotowicz (Nov. 2011), http://blog.kotowicz.net/2011/11/html5-something-wicked-this-way-comes.htmlMichal Zalewski (Dez. 2011), The Tangled Web: AGuide to Securing Modern Web Applications
  46. 46. Thank you for your attention. Any questions?

×