HIJACKING ATTACKS ON ANDROID DEVICES

By Marcus Niemietz
Chair for Network and Data Security
Ruhr-University Bochum, Germany
PHD, May 2012
• University
  Research assistant @NDS
• Web Application Security
  Penetration tests
  Security trainings
• Book author
  Clickjacking
• International speaker

@mniemietz
Introduction

Attacks and their Countermeasures

  Visual Spoofing

  UI Redressing

    Chrome to Phone Attack

    Tapjacking

Conclusion and Outlook
We will answer these two questions in this talk

  Are there any UI redressing attacks for Web
  browsers under Android devices?

  Can we hijack a touch gesture on a display
  without using a Web browser?
Introduction
ABOUT ANDROID

Linux-based OS

For mobile devices
  Smartphones
  Tablet computers
  Television

Developer: Open Handset Alliance
  Led by Google
  Initial release in September 2008
  Android 4.0.3 in December 2011
Worldwide smartphone sales
  Source: Gartner (November 2011)
  [Chart: unit sales of Android, Symbian, iOS, RIM and others, 3Q2010 vs. 3Q2011]
Distribution
  Source: Android.com; 14-day period data, February 1, 2012
  [Chart: share of Android 2.1, 2.2, 2.3.3 - 2.3.7 and other versions]

ANDROID 2.3.3   ANDROID 4.0
Attacks and their
Countermeasures
Visual Spoofing
VISUAL SPOOFING

Imitate the look and feel of a trusted website

Usually hosted on an attacker's web server

Example: Amazon.co.uk

  Using the natively implemented Web browser

AMAZON: HOME   AMAZON: SIGN IN
ATTACKER: HOME   ATTACKER: SIGN IN
VISUAL SPOOFING

Attackable address bar with https:// support

Countermeasure (more or less)

  Use short URLs like m.amazon.co.uk instead of
  mobile-www.amazon.co.uk
UI Redressing
UI redressing can be used to adjust the look as well
  as the behavior of a web page

      Clickjacking

      Text injections via drag-and-drop operations

      Content extraction

      Popup blocker bypasses, event recycling

      Strokejacking, SVG masking

➡ Desktop-based attacks on Web browsers were the
  primary focus in the past
CLASSIC CLICKJACKING

<h1>Funny pictures</h1>
<img src="lol.gif"><button>Click me</button>
<img src="lol.gif">
<iframe style="position:absolute; z-index:1;
   opacity:0.0; filter:alpha(opacity=0);
   left:-120px; top:95px;"
   width="300" height="200" src="http://www.bing.com">
</iframe>
UI REDRESSING

What an attacker can do with UI redressing

  Stealing cookies

  Stealing all the files of a folder

  Stealing files from the intranet or internet

  Sending status messages in your name

  Showing elements in another context

  Controlling your addon(s) on mobile devices
UI REDRESSING



Countermeasures

 Frame buster

 X-Frame-Options

 Firefox and NoScript
Chrome to Phone Attack
CHROME TO PHONE

Chrome extension(s)

One for your Google Chrome browser, the other
for your Android device

Shares links, maps, selected phone numbers, and
text between your computer and phone

Source: play.google.com
CHROME TO PHONE




Simple example

 Mark the text that should be transmitted

 Two clicks: a right click on the selected text
 and a left click on Chrome to Phone
CHROME TO PHONE

A Chrome extension is basically a compressed file
with pictures as well as HTML5, JavaScript, and
CSS code

Every extension has a unique identifier from
Google Play (formerly the Google Chrome Market)

  You can use it in combination with
  chrome-extension://
CHROME TO PHONE

Can attach content scripts to a Web page

  JavaScript code

  Access to the Document Object Model (DOM)

  Can communicate with other components

    JS runtimes have no access to each other
CHROME TO PHONE

Attacked by Krzysztof Kotowicz in Nov. 2011

  Load resources via an iframe or a pop-up
  window

  var popup = window.open('chrome-extension://aodbo...adc/popup.html');
CHROME TO PHONE

1. Open a pop-up, which is able to receive some
   parameters from the content scripts code

2. The content scripts code sends a URL to the pop-up
   window

3. A link will be forwarded to the Android device

4. This link will be automatically opened in the Web
   browser (depends on the settings)
CHROME TO PHONE

Weakness in step 2: next to content_script.js
there is also a manifest.json

  The manifest.json file automatically adds the
  content_script.js file to every HTTP/HTTPS website
  and tab

  We can use a pop-under here for the listener

Awesome attack for cross-device scripting
CHROME TO PHONE
Tapjacking
BAD MOBILE APPS

Trend Micro discovered 17 mobile apps with over
700,000 downloads in Google Play (May 2012)

10 apps delivered annoying and obtrusive ads

6 apps contain Plankton malware code

  Application Name             | Brief Behavior Description
  -----------------------------|-------------------------------------------
  Spy Phone PRO+               | Sends out GPS location, SMS and call log
  NBA SQUADRE PUZZLE GAME      | Pushes applications and advertisements to user
  Cricket World Cup and Teams  | Pushes applications and advertisements to user
TAPJACKING

David Richardson, 2010

Android trust model

  An application is allowed to programmatically
  open a dialog but not to interact with it

  Toast view to show a quick little message
RINGER VOLUME   RINGER VOLUME - RESIZE
TAPJACKING

Jack Mannino published a proof of concept of a
tapjacking attack one year later

Toast class

  Use the default constant LENGTH_LONG to show
  the view or text notification for a long period of
  time

  A message that looks like the target application's
TAPJACKING

Code example for a tapjacking button

mButton = new Button(this);
mButton.getBackground().setAlpha(0); // like the CSS opacity property
mButton.setOnTouchListener(this);    // needed for onTouch()

// Layout parameters with an overlay
WindowManager.LayoutParams params = new WindowManager ...
TAPJACKING

Contact data manipulation

Native browser utilization

Touch gestures logging

Predefined phone calls

Installing applications in the background
TAPJACKING

Protection mechanisms are available for applications

  Block touch gestures that are received while
  the view's window is obscured

  setFilterTouchesWhenObscured() or
  alternatively the attribute
  android:filterTouchesWhenObscured

We can attack the home screen
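As an added defensive example (not code from the talk), the following hypothetical `TapjackingAwareButton` enables the `filterTouchesWhenObscured` protection mentioned above and also overrides the framework's security filter so that dropped taps can be counted and logged; it assumes Android API level 9 or higher, where `setFilterTouchesWhenObscured()` and `MotionEvent.FLAG_WINDOW_IS_OBSCURED` exist.

```java
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;

/**
 * Hypothetical button (written for this page, not part of the talk) that
 * refuses touches delivered while another window, e.g. a transparent
 * long-running toast laid over the screen, obscures it. Rejected taps are
 * counted so the app can react instead of silently losing them.
 */
public class TapjackingAwareButton extends Button {
    private static final String TAG = "TapjackingAwareButton";
    private int mObscuredTouches = 0;

    public TapjackingAwareButton(Context context) {
        this(context, null);
    }

    public TapjackingAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in layout
        // XML: the framework now consults onFilterTouchEventForSecurity()
        // before any touch reaches this view's listeners.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            // Count only the initial touch so one tap is one recorded event.
            if (event.getAction() == MotionEvent.ACTION_DOWN) {
                mObscuredTouches++;
                Log.w(TAG, "Dropped touch: window obscured (#" + mObscuredTouches + ")");
            }
            return false; // drop the event: OnClickListener will not fire
        }
        // Not obscured: keep the framework's own decision (also handles
        // the filterTouchesWhenObscured flag we set in the constructor).
        return super.onFilterTouchEventForSecurity(event);
    }

    /** Number of taps rejected because a foreign window covered this view. */
    public int getObscuredTouchCount() {
        return mObscuredTouches;
    }
}

/** Minimal hypothetical activity showing that only unobscured taps arrive. */
class SecureConfirmActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        final TapjackingAwareButton confirm = new TapjackingAwareButton(this);
        confirm.setText("Confirm");
        confirm.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                // Reached only for taps that passed onFilterTouchEventForSecurity().
                Log.i("SecureConfirmActivity", "Confirmed; rejected taps so far: "
                        + confirm.getObscuredTouchCount());
            }
        });
        setContentView(confirm);
    }
}
```

The same protection can be declared per view in layout XML with `android:filterTouchesWhenObscured="true"`, but only the Java override above lets the app observe how often taps were rejected.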
TAPJACKING


Countermeasure

 A defense application, which is always behind a
 loaded application

 We are able to block home screen attacks, too

 More information soon
Conclusion and
   Outlook
UI redressing and especially clickjacking attacks
are very dangerous

We have browser-based and browserless UI
redressing attacks

There are protection mechanisms that provide a
certain degree of client-side security

There will be more attacks in the future
REFERENCES

http://developer.android.com/resources/dashboard/platform-versions.html

Framing Attacks on Smart Phones and Dumb Routers: Tap-jacking and Geo-localization Attacks,
http://seclab.stanford.edu/websec/framebusting/tapjacking.pdf

Marcus Niemietz (Apr. 2012), Clickjacking und UI-Redressing

Paul Stone (Apr. 2010), http://www.contextis.com/research/tools/clickjacking-tool/

Robert Hansen and Jeremiah Grossman (Dec. 2008), http://www.sectheory.com/clickjacking.htm

Krzysztof Kotowicz (Nov. 2011), http://blog.kotowicz.net/2011/11/html5-something-wicked-this-way-comes.html

Michal Zalewski (Dec. 2011), The Tangled Web: A Guide to Securing Modern Web Applications
Thank you for your attention.

      Any questions?

CNv6 Instructor Chapter 6 Quality of Service
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Hijacking Attacks on Android

  • 1. HIJACKING  ATTACKS  ON   ANDROID  DEVICES By Marcus Niemietz Chair for Network and Data Security Ruhr-University Bochum, Germany PHD, May 2012
  • 2. • University ! Research assistant @NDS •Web Application Security ! Penetration tests ! Security trainings • Book author ! Clickjacking • International speaker @mniemietz
  • 3. Introduction Attacks and their Countermeasures Visual Spoofing UI Redressing Chrome to Phone Attack Tapjacking Conclusion and Outlook
  • 4. We will answer these two questions in this talk Are there any UI redressing attacks for Web browsers under Android devices? Can we hijack a touch gesture on a display without using a Web browser?
  • 6. ABOUT ANDROID Linux-based OS for mobile devices: smartphones, tablet computers, television. Developer: Open Handset Alliance, led by Google. Initial release in September 2008; Android 4.0.3 in December 2011
  • 7. Worldwide smartphone sales. Source: Gartner (November 2011). [Bar chart comparing Android, Symbian, iOS, RIM and Others for 3Q2010 and 3Q2011; axis from 0 to 150.000.000]
  • 8. Distribution. Source: Android.com; 14-day period data, February 1, 2012. [Bar chart of the share of Android 2.1, 2.2, 2.3.3 - 2.3.7 and Other; axis from 0 to 60]
  • 9. ANDROID 2.3.3 ANDROID 4.0
  • 12. VISUAL SPOOFING Imitate the look and feel of a trusted website. Usually hosted on an attacker's webserver. Example: Amazon.co.uk, using the natively implemented Web browser
  • 13. AMAZON: HOME AMAZON: SIGN IN
  • 14. AMAZON: HOME AMAZON: SIGN IN
  • 15. ATTACKER: HOME ATTACKER: SIGN IN
  • 16. ATTACKER: HOME ATTACKER: SIGN IN
  • 17. VISUAL SPOOFING Attackable address bar with https:// support. Countermeasure (more or less): use short URLs like m.amazon.co.uk instead of mobile-www.amazon.co.uk
  • 19. UI redressing can be used to adjust the look as well as the behavior of a web page: Clickjacking; Text injections via drag-and-drop operations; Content extraction; Popup blocker bypasses; Event recycling; Strokejacking; SVG masking ➡ Desktop-based attacks on Web browsers were the primary focus in the past
  • 21.
  • 22.
  • 23.
  • 24.
  • 25. CLASSIC CLICKJACKING
    <h1>Funny pictures</h1>
    <img src="lol.gif"><button>Click me</button>
    <img src="lol.gif">
    <iframe style="position:absolute; z-index:1; opacity:0.0; filter:alpha(opacity=0); left:-120px; top:95px;" width="300" height="200" src="http://www.bing.com">
    </iframe>
  • 26. UI REDRESSING What an attacker can do with UI redressing Stealing cookies Stealing all the files of a folder Stealing files from the intranet or internet Sending status messages in your name Showing elements in another context Controlling your addon(s) on mobile devices
  • 27. UI REDRESSING Countermeasures Frame buster X-Frame-Options Firefox and NoScript
  • 28. Chrome to Phone Attack
  • 29. CHROME TO PHONE Chrome extension(s) One for your Google Chrome browser, the other for your Android device Shares links, maps, selected phone numbers, and text between your computer and phone Source: play.google.com
  • 30. CHROME TO PHONE Simple example Mark the text, which should be transmitted Two clicks: A right click on the selected text and a left click on Chrome to Phone
  • 31. CHROME TO PHONE A Chrome extension is basically a compressed file with pictures as well as HTML5, JavaScript, and CSS code. Every extension has a unique identifier from Google Play (formerly the Google Chrome Market). You can use it in combination with chrome-extension://
  • 32. CHROME TO PHONE Can attach content scripts to a Web page JavaScript code Access to the Document Object Model (DOM) Can communicate with other components JS runtimes have no access to each other
  • 33. CHROME TO PHONE Attacked by Krzysztof Kotowicz in Nov. 2011. Load resources via an iframe or a pop-up window: var popup = window.open('chrome-extension://aodbo...adc/popup.html');
  • 34. CHROME TO PHONE 1. Open a pop-up, which is able to receive some parameters from the content scripts code 2. The content scripts code sends a URL to the pop-up window 3. A link will be forwarded to the Android device 4. This link will be automatically opened in the Web browser (depends on the settings)
  • 35. CHROME TO PHONE Weaknesses in point 2: alongside content_script.js there is also a manifest.json. The manifest.json file adds the content_script.js file automatically to every HTTP/HTTPS website and tab. We can use a pop-under here for the listener. Awesome attack for cross-device scripting
  • 38. BAD MOBILE APPS Trend Micro discovered 17 mobile apps with over 700,000 downloads in Google Play (May 2012): 10 apps delivered annoying and obtrusive ads, 6 apps contain Plankton malware code.
    Application Name | Brief Behavior Description
    Spy Phone PRO+ | Sends out GPS location, SMS and call log
    NBA SQUADRE PUZZLE GAME | Pushes applications and advertisements to user
    Cricket World Cup and Teams | Pushes applications and advertisements to user
  • 39. TAPJACKING David Richardson, 2010 Android trust model An application is allowed to programmatically open a dialog but not to interact with it Toast view to show a quick little message
  • 40. RINGER VOLUME RINGER VOLUME - RESIZE
  • 41. TAPJACKING Jack Mannino published a proof of concept of a tapjacking attack one year later. Toast class: use the default constant LENGTH_LONG to show the view or text notification for a long period of time. A message that looks like one from the target application
  • 42.
  • 43.
  • 44. TAPJACKING Code example for a tapjacking button
    mButton = new Button(this);
    mButton.getBackground().setAlpha(0); // like the CSS opacity property
    mButton.setOnTouchListener(this); // needed for onTouch()
    // Layout parameters with an overlay
    WindowManager.LayoutParams params = new WindowManager ...
  • 45. TAPJACKING Contact data manipulation Native browser utilization Touch gestures logging Predefined phone calls Installing applications in the background
  • 46. TAPJACKING Protection mechanisms for applications available Block touch gestures, which are received whenever the view’s window is obscured setFilterTouchesWhenObscured() or alternatively the attribute android:filterTouchesWhenObscured We can attack the home screen
  • 47.
  • 48. TAPJACKING Countermeasure A defense application, which is always behind a loaded application We are able to block home screen attacks, too More information soon
  • 49. Conclusion and Outlook
  • 50. UI redressing and especially clickjacking attacks are very dangerous. We have browser-based and browserless UI redressing attacks. There are protection mechanisms to provide a certain degree of client-side security. There will be more attacks in the future
  • 51. REFERENCES http://developer.android.com/resources/dashboard/platform-versions.html; Framing Attacks on Smart Phones and Dumb Routers: Tap-jacking and Geo-localization Attacks, http://seclab.stanford.edu/websec/framebusting/tapjacking.pdf; Marcus Niemietz (Apr. 2012), Clickjacking und UI-Redressing
  • 52. Paul Stone (Apr. 2010), http://www.contextis.com/research/tools/clickjacking-tool/; Robert Hansen and Jeremiah Grossman (Dec. 2008), http://www.sectheory.com/clickjacking.htm; Krzysztof Kotowicz (Nov. 2011), http://blog.kotowicz.net/2011/11/html5-something-wicked-this-way-comes.html; Michal Zalewski (Dec. 2011), The Tangled Web: A Guide to Securing Modern Web Applications
  • 53. Thank you for your attention. Any questions?
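Added example for the UI redressing countermeasures slide (slide 27), not code from the deck: the anti-framing headers a page should send, an audit check for them, and the frame-busting pattern recommended by the Stanford framebusting page cited on the references slide. The function names are this example's own; the header names and the CSP frame-ancestors directive are real.

```javascript
// Headers a page should send so the browser refuses to render it inside a
// third-party <iframe> such as the opacity:0 frame on slide 25. X-Frame-Options is
// the legacy header, CSP frame-ancestors its modern replacement; send both so old
// and new browsers are covered.
function antiFramingHeaders(sameOriginAllowed) {
  return {
    "X-Frame-Options": sameOriginAllowed ? "SAMEORIGIN" : "DENY",
    "Content-Security-Policy": sameOriginAllowed
      ? "frame-ancestors 'self'"
      : "frame-ancestors 'none'",
  };
}

// Audit helper: given a response's headers (lower-cased keys), report whether the
// page is protected against framing. Only the headers count here, because a
// JavaScript frame buster can be defeated by the framing page (e.g. via iframe
// sandboxing), so it is a fallback, not the primary defence.
function isFramingProtected(headers) {
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  const csp = headers["content-security-policy"] || "";
  const xfoOk = xfo === "DENY" || xfo === "SAMEORIGIN";
  const cspOk = /(^|;)\s*frame-ancestors\s+/i.test(csp);
  return xfoOk || cspOk;
}

// Client-side frame buster in the "hide first, reveal only when top-level" form:
// the page body starts hidden via <style>body{display:none}</style>; when the
// page is not framed the style is removed, otherwise the top window is navigated
// to the page itself. `win` is a minimal window-like object ({self, top, location})
// so the decision can be exercised outside a browser; in a page it is `window`.
function frameBustDecision(win) {
  if (win.self === win.top) {
    return { reveal: true, redirectTopTo: null };
  }
  return { reveal: false, redirectTopTo: win.location.href };
}
```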
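Added example for the Chrome to Phone slides (slides 33 and 35), not Kotowicz's code and not the Chrome to Phone project's own: a review helper for the manifest.json properties behind the weakness described there. The keys it inspects (manifest_version, content_scripts/matches, web_accessible_resources) are real Chrome extension manifest keys; the two sample manifests and the function name are constructed for illustration.

```javascript
// Match patterns that inject a content script into every HTTP/HTTPS page, which is
// what let any attacker-controlled page reach the extension's listener (slide 35).
const BROAD_MATCHES = new Set(["<all_urls>", "http://*/*", "https://*/*", "*://*/*"]);

function reviewManifest(manifest) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => BROAD_MATCHES.has(m));
    if (broad.length > 0) {
      findings.push(`content script [${(cs.js || []).join(", ")}] injected into every page via ${broad.join(", ")}`);
    }
  }
  // Manifest version 1 had no web_accessible_resources list: every packaged file,
  // popup.html included, could be opened from a web page with
  // window.open("chrome-extension://<id>/popup.html") as on slide 33.
  if ((manifest.manifest_version || 1) < 2) {
    findings.push("manifest_version 1: all extension pages are loadable from web content");
  } else {
    for (const res of manifest.web_accessible_resources || []) {
      // MV2 lists plain file names; MV3 lists objects with a `resources` array.
      const name = typeof res === "string" ? res : (res.resources || []).join(", ");
      if (/\.html\b/i.test(name)) {
        findings.push(`extension page exposed to web content: ${name}`);
      }
    }
  }
  return findings;
}

// Constructed manifest modelled on the weakness in the deck (not the real one).
const SAMPLE_MANIFEST = {
  manifest_version: 1,
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["content_script.js"] }],
};

// Hardened counterpart: the content script runs only on the site it is meant for
// (example.test is a placeholder), and no extension page is web-accessible.
const HARDENED_MANIFEST = {
  manifest_version: 2,
  content_scripts: [{ matches: ["https://example.test/*"], js: ["content_script.js"] }],
  web_accessible_resources: [],
};
```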