• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
HIJACKING ATTACKS ON  ANDROID DEVICES
 

HIJACKING ATTACKS ON ANDROID DEVICES

on

  • 4,189 views

 

Statistics

Views

Total Views
4,189
Views on SlideShare
3,849
Embed Views
340

Actions

Likes
3
Downloads
110
Comments
0

11 Embeds 340

http://www.scoop.it 233
http://storify.com 43
http://yurychemerkin.wordpress.com 22
http://s-t-o.squarespace.com 13
http://yurychemerkin.posterous.com 10
http://yurychemerkin.tumblr.com 6
http://security-through-obscurity.blogspot.com 5
http://sto-strategy.com 5
http://securitythroughobscurity.blog.com 1
http://www.myspace.com 1
https://twitter.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    HIJACKING ATTACKS ON  ANDROID DEVICES HIJACKING ATTACKS ON ANDROID DEVICES Presentation Transcript

    • HIJACKING  ATTACKS  ON   ANDROID  DEVICES By Marcus Niemietz Chair for Network and Data Security Ruhr-University Bochum, Germany PHD, May 2012
    • • University! Research assistant @NDS•Web Application Security! Penetration tests! Security trainings• Book author! Clickjacking• International speaker@mniemietz
    • IntroductionAttacks and their Countermeasures Visual Spoofing UI Redressing Chrome to Phone Attack TapjackingConclusion and Outlook
    • We will answer these two questions in this talk Are there any UI redressing attacks for Web browsers under Android devices? Can we hijack a touch gesture on a display without using a Web browser?
    • Introduction
    • ABOUT ANDROIDLinux-based OS Developer: Open Handset AllianceFor mobile devices Led by Google Smartphones Initial release in Tablet computers September 2008 Television Android 4.0.3 in December 2011
    • Worldwide smartphone sales Source: Gartner (November 2011) Android Symbian iOS RIM Others 150.000.000 112.500.000 75.000.000 37.500.000 3Q2010 0 3Q2011
    • Distribution Source: Android.com; 14-day period data- February 1, 2012 0 15 30 45 60 2.1 2.22.3.3 - 2.3.7 Other
    • ANDROID 2.3.3 ANDROID 4.0
    • Attacks and theirCountermeasures
    • Visual Spoofing
    • VISUAL SPOOFINGImitate the look and feel of a trusted websiteUsally hosted on an attackers webserverExample: Amazon.co.uk Using the native implemented Web browser
    • AMAZON: HOME AMAZON: SIGN IN
    • AMAZON: HOME AMAZON: SIGN IN
    • AT TA C K E R : H O M E AT TA C K E R : S I G N I N
    • AT TA C K E R : H O M E AT TA C K E R : S I G N I N
    • VISUAL SPOOFINGAttackable adress bar with https:// supportCountermeasure (more or less) Use short URLs like m.amazon.co.uk instead of mobile-www.amazon.co.uk
    • UI Redressing
    • UI redressing can be used to adjust the look as well as the behavior of a web page Clickjacking Text injections via drag-and-drop operations, Content extraction Popup blocker bypasses, Event recycling Strokejacking, SVG masking➡ Desktop-based attacks for Web browsers where primary focused in the past
    • CLASSIC CLICKJACKING
    • CLASSIC CLICKJACKING<h1>Funny pictures</h1><img src="lol.gif"><button>Click me</button> <img src="lol.gif"><iframe style="position:absolute; z-index:1; opacity:0.0; filter:alpha(opacity=0); left:-120px; top:95px;" width="300" height="200" src="http://www.bing.com"></iframe>
    • UI REDRESSINGWhat an attacker can do with UI redressing Stealing cookies Stealing all the files of a folder Stealing files from the intranet or internet Sending status messages in your name Showing elements in another context Controlling your addon(s) on mobile devices
    • UI REDRESSINGCountermeasures Frame buster X-Frame-Options Firefox and NoScript
    • Chrome to Phone Attack
    • CHROME TO PHONEChrome extension(s)One for your GoogleChrome browser, the otherfor your Android deviceShares links, maps, selectedphone numbers, and textbetween your computer andphone Source: play.google.com
    • CHROME TO PHONESimple example Mark the text, which should be transmitted Two clicks: A right click on the selected text and a left click on Chrome to Phone
    • CHROME TO PHONEA Chrome extension is basically a compressed filewith pictures as well as HTML5, JavaScript, andCSS codeEvery extension has a unique identifier fromGoogle Play (former the Google Chrome Market) You can use it in combination with chrome-extension://
    • CHROME TO PHONECan attach content scripts to a Web page JavaScript code Access to the Document Object Model (DOM) Can communicate with other components JS runtimes have no access to each other
    • CHROME TO PHONEAttacked by Krzysztof Kotowicz in Nov. 2011 Load ressources via an iframe or a pop-up window var popup= window.open(’chrome-extension:// aodbo...adc/popup.html’);
    • CHROME TO PHONE1. Open a pop-up, which is able to receive some parameters from the content scripts code2. The content scripts code sends a URL to the pop-up window3. A link will be forwarded to the Android device4. This link will be automatically opened in the Web browser (depends on the settings)
    • CHROME TO PHONEWeaknesses in point 2: Next to the content_script.jsis also a manifest.json The manifest.json file adds the content_script.js file automatically to every HTTP/HTTPS website and tab We can use a pop-under here for the listenerAwesome attack for cross-device scripting
    • CHROME TO PHONE
    • Tapjacking
    • BAD MOBILE APPSTrendmicro discovered 17 mobile apps with over700,000 downloads in Google Play (May 2012)10 apps delivered annoying and obtrusive ads6 apps that contain Plankton malware code Application Name Brief Behavior Description Sends out GPS location, SMS Spy Phone PRO+ and call log NBA SQUADRE PUZZLE Pushes applications and GAME advertisements to user Pushes applications and Cricket World Cup and Teams advertisements to user
    • TAPJACKINGDavid Richardson, 2010Android trust model An application is allowed to programmatically open a dialog but not to interact with it Toast view to show a quick little message
    • RINGER VOLUME RINGER VOLUME - RESIZE
    • TAPJACKINGJack Mannino published a proof of concept of atapjacking attack one year latertoast class Use the default constant LENGTH_LONG to show the view or text notification for a long period of time A to the target application look alike message
    • TAPJACKING Code example for a tapjacking buttonmButton = new Button(this);mButton.getBackground().setAlpha(0); // like the CSS opacity propertymButton.setOnTouchListener(this); // needed for onTouch()// Layout parameters with an overlayWindowManager.LayoutParams params = new WindowManager ...
    • TAPJACKINGContact data manipulationNative browser utilizationTouch gestures loggingPredefined phone callsInstalling applications in the background
    • TAPJACKINGProtection mechanisms for applications available Block touch gestures, which are received whenever the view’s window is obscured setFilterTouchesWhenObscured() or alternatively the attribute android:filterTouchesWhenObscuredWe can attack the home screen
    • TAPJACKINGCountermeasure A defense application, which is always behind a loaded application We are able to block home screen attacks, too More information soon
    • Conclusion and Outlook
    • UI redressing and especially clickjacking attacksare very dangerousWe have browsed-based and browserless UIredressing attacksThere are protection mechanisms to provide acertain degree of client-side securityThere will be more attacks in the future
    • REFERENCEShttp://developer.android.com/resources/dashboard/platform-versions.htmlFraming Attacks on Smart Phones and DumbRouters:Tap-jacking and Geo-localization Attacks,http://seclab.stanford.edu/websec/framebusting/tapjacking.pdfMarcus Niemietz (Apr. 2012), Clickjacking und UI-Redressing
    • Paul Stone (Apr. 2010), http://www.contextis.com/research/tools/clickjacking-tool/Robert Hansen and Jeremiah Grossman (Dez. 2008),http://www.sectheory.com/clickjacking.htmKrzysztof Kotowicz (Nov. 2011), http://blog.kotowicz.net/2011/11/html5-something-wicked-this-way-comes.htmlMichal Zalewski (Dez. 2011), The Tangled Web: AGuide to Securing Modern Web Applications
    • Thank you for your attention. Any questions?