Untitled

Bellion, Wendy; Ryan, Thomas

doi:10.2307/3491459

Cited by 1 publication

(1 citation statement)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although the performance of iptables is known to degrade as the number of rules increases, studies have shown that it is able to simultaneously support hundreds of apps [23], which is more than enough for most Android users. In addition, when adopting alternatives to iptables such as nf-HiPAC [24] or IP Sets [25], our design is able to mediate thousands of apps simultaneously. Note that this protection mechanism addresses not only the security risks in the screenshot apps, but also those that come with sync and backup, USB tethering apps and any other apps built upon the ADB workaround or insecure use of the local socket channel.…”

Section: Mitigation and Suggestionsmentioning

confidence: 99%

Screenmilker: How to Milk Your Android Screen for Secrets

Lin¹,

Zhou

2014

Proceedings 2014 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

With the rapid increase in Android device popularity, the capabilities that the diverse user base demands from Android have significantly exceeded its original design. As a result, people have to seek ways to obtain the permissions not directly offered to ordinary users. A typical way to do that is using the Android Debug Bridge (ADB), a developer tool that has been granted permissions to use critical system resources. Apps adopting this solution have combined tens of millions of downloads on Google Play. However, we found that such ADB-level capabilities are not well guarded by Android. A prominent example we investigated is the apps that perform programmatic screenshots, a much-needed capability Android fails to support. We found that all such apps in the market inadvertently expose this ADB capability to any party with the INTERNET permission on the same device. With this exposure, a malicious app can be built to stealthily and intelligently collect sensitive user data through screenshots. To understand the threat, we built Screenmilker, an app that can detect the right moment to monitor the screen and pick up a user's password when she is typing in real time. We show that this can be done efficiently by leveraging the unique design of smartphone user interfaces and its public resources. Such an understanding also informs Android developers how to protect this screenshot capability, should they consider providing an interface to let third-party developers use it in the future, and more generally the security risks of the ADB workaround, a standard technique gaining popularity in app development. Based on the understanding, we present a mitigation mechanism that controls the exposure of the ADB capabilities only to authorized apps. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: Mitigation and Suggestionsmentioning

confidence: 99%