Security and privacy in smartphones

What the App is that? Deception and countermeasures in
the Andriod User Interface
Presented By: Vijay Soppadandi
Pursuing M.Sc in Applied CS
Semester: Fourth
ID number: 21363273
1
Institute of Informatics Georg-August-Universitaet Goettingen, Germany
Department of Security
Proffesor : Dr. Konrad Rieck
Advisor : Hugo Gascon
Term: Summer semester-2015
Course: Security and Privacy in Smartphones

Overview
-Importance Mobile Applications
-Mobile Application Security Issues and Threats
-Analyzing Malicious Applications
* GUI Confusion Attacks
* State Exploration Tools
-Detecting Malicious Applications using Static Analysis
-Defensive Mechanism
-Evaluation
-Conclusion
-References
2
Department of Security Course: Security and Privacy in Smartphones

Importance of Mobile Applications
* Part of everyday lives
* Sensitive information
* Usage is high
* Trust
3
Department of Security Course: Security and Privacy in SmartphonesImage source: http://goo.gl/rw0Rbf

Mobile Application Security Issues and Threats
• Some of previously know attacks
GUI mimic
phishing-style
click-jacking-style
• Some of noval based attacks
Non-escapble full screen
4
Department of Security Course: Security and Privacy in SmartphonesImage source: http://goo.gl/CCAfkH Referenced source: Wikipedia

Mobile Applications security
• Why do we care about security in mobile
applications?
• Why previous security techniques are not
enough?
Course: Security and Privacy in Smartphones
Department of Security

Analyzing Malicious Applications
• Analyze in detail the ways Android users confused into
misidentifying an app
* GUI confussion attacks
* State exploration tools
6
Department of Telematics Course: Security and Privacy in Smartphones

GUI confusion Attack
7
Category Attack vector
Drawn on top
UI-interception draw-over
Non-UI-interception draw-over
Toast message
App switch
StartActivity API
Screen pinning
MoveTastTo APIs
KillBackgroundProcesses API
Back / power button (passive)
Sit and wait (passive)
Fullscreen
Non-“immersive” fullscreen
“immersive” fullscreen
“inescapable” fullscreen
Enhancing techniques getRunning Tasks API
Reading the system log
Accessing proc file system
App repackaging
Table 1: [2] Attack vectors and enhancing techniques.
Referenced source
addView API
PRIORITY_PHONE flag
Click-jacking
Interesting exception
GUI mimic
Active and Passive
app
Drawn on top activity without permissions
Locks the specific app
REORDER_TASKS permissions
Other attack vectors used
User believe app switch occured, in fact, its
not
tabnabbing
SYSTEM_UI_FLAG_IM
MERSIVE
Techinque in detect how user
interacts with the system
GET_TASKS, name of the top Activity.
READ_LOGS
Retrive the list of app running by listing /proc
Process of modifying existing app

State exploration tools
• Study how a main GUI APIs used to mount GUI confusion attacks
• Drawn on top even if belongs to different apps
1) entirly covers the device´s screen.
2) No permission accesing close or navigation bar.
A) Study of the “startActivity API“.
8
Department of Telematics Course: Security and Privacy in SmartphonesReferenced source
Component type Active, Service, Content Provider, Broadcast Receiver
LaunchMode attribute Standard, SingleTop, singleTask, singleInstance
StartActivity flags MULTIPLE_TASK, NEW_TASK, CLEAR_TASK,
CLEAR_TOP_FRONT, SINGLE_TOP; TASK_ON_HOME
REORDER_TO_FRONT, PREVIOUS_IS_TOP
Table 2: [4] Component types, flags, and launchMode values tested by our tool

State exploration tools
 API exploration tools effectively helps to detect critical situaltions like “inescapble“ fullscreen
possibility.
B) Study of “inescapable“ fullscreen Windows
* Removing the SYSTEM_ERROR type.
9
TYPEs TOAST; SYSTEM_ERROR, PHONE,
PRIORITY_PHONE, SYSTEM_ALERT,
SYSTEM_OVERLAY
Layout flags IN_SCREEN; NO_LIMITS
System-UI Visibility flags HIDE_NAVIGATION, FULLSCREEN,
LAYOUT_FULLSCREEN, IMMERSIVE,
IMMERSIVE_STICKY
Table 3: [4] Window types and flags
Referenced source
SYSTEM_ERROR
+
NO_LIMITS
Covers entire
screen in 4.3
version
Patch is used to
address this
problem
SYSTEM_ERROR
+
System-UI Visibility flags uses
“Immersive“ to create
“inescapable“ fullscreen is
introduced in Android 4.4
version
Same parameters are
verified in 5.0
version

Detecting via Static Analysis
• A tool is developed to
explore how real world
apps use of attack
vectors and enhancing
techniques
* Guides to defense mechanism
* detect malicious usage of technique
• It flags an app as
potentially-malicious if
detects
• Detection process
10
Referenced source
First, checks which
permission the app
requires
Extracts and parses
the app`s bytecode
Identifies invocations
and applies the
backward program
slicing techniques
check values
Analyzer checks
weather particular
technique used by
given app
At final stage we
analyze the app´s
control flow

Detecting Malicious Applications using Static Analysis
11
Permissions name Bening1 set Bening2 set Malicious set App-locker set
GET_TASKS
READ_LOGS
KILL_BACKGROUND_PROCESSES
SYSTEM_ALERT_WINDOWS
REORDER_TASKS
32 6.4%
9 1.8%
3 0.6%
1 0.2%
0 0.0%
80 16.0%
35 7.0%
13 2.6%
34 6.8%
4 0.8%
217 17.2%
240 19.1%
13 1.0%
3 0.2%
2 0.2%
19 95.0%
13 65.0%
5 25.0%
10 50.0%
2 10.0%
Table 4 (a): Number of apps requesting permissions used by
GUI confusion attacks
Referenced source

Detecting Malicious Applications using Static Analysis
12
Technique Bening1 set Bening2 set Malicious set App-locker set
StartActivity API
KillBackgroundProcesses API
Fullscreen
moveToFront API
drawn over using addview API
custom toast message
53 10.4%
1 0.2%
0 0.0%
0 0.0%
0 0.0%
0 0.0%
135 27.0%
08 1.6%
22 4.4%
00 0.0%
09 1.8%
01 0.2%
751 59.6%
6 5.5%
0 0.0%
1 0.1%
0 0.0%
0 0.0%
20 100.0%
4 20.0%
1 05.0%
1 05.0%
3 15.0%
1 05.0%
getRunning Tasks API
Reading the system log
Accessing proc file system
23 4.6%
8 1.6%
3 0.6%
68 13.6%
18 3.6%
26 5.2%
147 11.7%
28 2.2%
43 3.4%
19 95.0%
8 40.0%
4 20.0%
Table 4 (b): Number of apps using each detected technique in
the analyzed data sets
Referenced source

Defensive Mechanism
• After completing defense approach with a system designed then inform users and leave the
final decision to them.
• Find root cause of our attacks and what compromises user security is that there is simply no
way for the user to know which application she is actually interacting.
• Android system need to establish a trusted path to inform the user without compromising UI
functionality.
• Particularly, our proposed modifications need to address three challenges
1) Understanding which app the user is actually interacting.
2) Understanding who is the real author of that app.
3) Showing this information to the user in an unobtrusive but reliable and
non-manipulable way.
13
Department of Security Course: Security and Privacy in SmartphonesReferenced source

Defensive Mechanism
1) Get to know with which app the user is actually interacting
* Navigation bar and the status bar are drawn separately by the system in specific
Windows
* Interaction with utility components can be safely
* Windows can be interrupted with multiple apps on top activity
* Some legalized apps which acts as an “always-visible” on top of the currently top app
* create an “always-visible” Windows a specific permission is necessary to create
* filterTouchesWhenObscured API helps to prevent user inputs when content from
other apps is present at the click location
14

Defensive Mechanism
2) Understanding who is the real author of that app
* every app contains its own unique identifier in to a message.
* Extended-Validation HTTPS infrastructure to validate it
* Windows can be interrupted with multiple apps on top activity
* Some legalized apps which acts as an “always-visible” on top of the currently top app
* multiple cloned apps of the same name makes difficult in identifying the trustworthy
app
* "Top Developer Badge" to help show users who are the best, and most trustworthy
apps.
15

Defensive Mechanism
3) Conveying trust information to the user
16
If Then
No domain specified in
the manifest
Resulting UI state Visualization Equivalent in browsers Visualization in browsers
Apps not associated Regular black navigation Regular HTTP pages no lock icon
With any organization bar
domain specified in the
manifest, successful
verification, no visible
Windows from other
apps
Sure interaction with Green lock and company HTTPS verified page Green lock, domain name, and
A verified app name (optionally) company name
manifest, successful
verification, visible
Windows from other
apps
Likely interaction with a Yellow half-open lock mixed HTTP and HTTPS Varies with browsers, a yellow
Verified app, but external Content warning signal is common
Elements are present
manifest, unknown
validity.
Incomplete verification Red warning page, self-signed or missing CA Usually, red warning page,
(networking issues) user allowed to proceed certificate user allowed to proceed
(other cases) Failed verification Red error page Failed verification Red error page
Table 5: Possible screen states and how they are visualized
Referenced source

Evaluation
17
Group 1:
Stock
Android
Group 2:
Defensive
activity
Subject not
aware of
attacks
Group 3:
Defensive
activity
Subjects
aware of
attacks
Total
subjects
113 102 132
Valid
subjects
99 93 116
TABLE 7: [4] Results of the experiments with Amazon Turk
• The effectivness of GUI confusion attacks
• How helpful our defense mechanism to the
users in finding malicious apps

Evaluation
18
B1 and B2 67(67.68%) 70(75.27%) 85(73.28%)
Astd 19(19.19%) 60(64.52%) 80(68.97%)
Afull 17(17.17%) 71(76.34%) 86(74.14%)
Astd and Aful 8(8.08%) 55(59.14%) 67(57.76%)
Astd and B1
and B2
4(4.04%) 51(54.84%) 73(62.93%)
Afull and B1
and B2
6(6.06%) 63(67.74%) 76(65.52%)
Astd and Afull
and B1 and B2
2(2.02%) 50(53.76%) 66(56.90%)
Table 8 : Percentages are computed with respect to the number of Valid Subjects
Subjects answers correctly to the tasks
Figure 1: shows security companion

Conclusion
• How Android user misleads
• Categorizing known attacks
• Studied about the tools in detail how GUI API can mount such attacks
• Developed two layer defense to prevent
• Developed static analysis tool to identify code
• Presented on-device defense system design to improve the ability of
the user to judge the impact of their actions
19

References
• Bianchi, Antonio, Jacopo Corbetta, Luca Invernizzi, Yanick Fratantonio, Christopher Kruegel, and Giovanni Vigna.
"What the App is That? Deception and Countermeasures in the Android User Interface." (2015).
• Mann, Mr Ian. Hacking the human: social engineering techniques and security countermeasures. Gower
Publishing, Ltd., 2012.
• “Owasp,”[Online]. Available: http://www.owasp.org/index.php/index.php/Static_Code_Analysis
“tutorialspoint,”[Online].Available:http://www.tutorialspoint.com/android/android_application_components.htm.
• M. Niemietz and J. Schwenk, “UI Redressing Attacks on Android Devices,” Black Hat Abu Dhabi, 2012.
• A. P. Felt and D. Wagner, “Phishing on mobile devices,” Web 2.0 Security and Privacy, 2011
• T. Luo, X. Jin, A. Ananthanarayanan, and W. Du, “Touchjacking Attacks on Web in Android, iOS, and Windows
Phone,” in Proceedings of the 5th International Conference on Foundations and Practice of Security (FPS). Berlin,
Heidelberg: Springer-Verlag, 2012, pp. 227–243.
• TrendLabs, “Tapjacking: An Untapped Threat in Android,” http://blog.trendmicro.com/trendlabs-security-
intelligence/tapjacki ng-an-untapped-threat-in-android/, December 2012.
• Q. A. Chen, Z. Qian, and Z. M. Mao, “Peeking into Your App Without Actually Seeing It: UI State Inference and
Novel Android Attacks,” in Proceedings of the 23rd USENIX Security Symposium. Berkeley, CA, USA: USENIX
Association, 2014, pp. 1037–1052.
 TrendLabs, “Bypassing Android Permissions: What You Need to Know,” http://blog.trendmicro.com/trendlabs-
security-intelligence/bypassing-android-permissions-what-you-need-to-know/, November 2012.
20

References
• S. Jana and V. Shmatikov, “Memento: Learning Secrets from Process Footprints,” in Proceedings of the IEEE
Symposium on Security and Privacy (SP), May 2012, pp. 143–157.
• S. Hanna, L. Huang, E. Wu, S. Li, C. Chen, and D. Song, “Juxtapp: A Scalable System for Detecting Code Reuse
Among Android Applications,” in Proceedings of the 9th International Conference on Detection of Intrusions and
Malware, and Vulnerability Assessment (DIMVA). Berlin, Heidelberg: Springer-Verlag, 2012, pp. 62–81.
• W. Zhou, Y. Zhou, X. Jiang, and P. Ning, “Detecting Repackaged Smartphone Applications in Third-party Android
Marketplaces,” in Proceedings of the Second ACM Conference on Data and Application Security and Privacy
(CODASPY). New York, NY, USA: ACM, 2012, pp. 317–326.
• W. Zhou, X. Zhang, and X. Jiang, “AppInk: Watermarking Android Apps for Repackaging Deterrence,” in Proceedings
of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security (ASIA CCS). New York,
NY, USA: ACM, 2013, pp. 1–12
• M. Weiser, “Program slicing,” in Proceedings of the 5th international conference on Software engineering. IEEE
Press, 1981, pp. 439–449
• CA/Browser Forum, “Guidelines For The Issuance And Management Of Extended Validation Certiﬁcates,” https:
//cabforum.org/wp-content/uploads/Guidelines v1 4 3.pdf, 2013.
• Andriod stackexchange,”[Online].Available:http://android.stackexchange.com/questions/31830/what-is-a-top-
developer-in-google-play.
21

END
22
Department of Telematics Course: Security of Self-organizing Networks

Security and privacy in smartphones

More Related Content

What's hot

Similar to Security and privacy in smartphones

More from Mysa Vijay

Recently uploaded

Security and privacy in smartphones