Preventing and Detecting State Inference Attacks on Android

Possemato, Andrea; Nisi, Dario; Fratantonio, Yanick

doi:10.14722/ndss.2021.24479

Cited by 7 publications

(5 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This flag could prevent other apps from creating overlays on top of it. In countering UI inference, Possemato et al [62] successfully pinpointed 18 vulnerable Android APIs that may disclose state-related information, thereby mitigating the impact of dependent overlay attacks.…”

Section: Related Workmentioning

confidence: 99%

Beyond the Surface: Uncovering the Unprotected Components of Android Against Overlay Attack

Zhou,

Wu,

Qian

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Overlay is a notable user interface feature in the Android system, which allows an app to draw over other apps' windows. While overlay enhances user experience and allows concurrent app interaction, it has been extensively abused for malicious purposes, such as "tapjacking", leading to so-called overlay attacks. In order to combat this threat, Google introduced a dedicated window flag SYSTEM_FLAG_HIDE_NON_SYSTEM_OVERLAY_WINDOWS to protect critical system apps' windows against overlay attacks. Unfortunately, the adequacy of such protection in the Android system remains unstudied, with a noticeable absence of clear usage guidelines.To bridge the gap, in this paper, we conduct the first systematic study on the unprotected windows of system apps against overlay attacks. We propose a comprehensive guideline and then design and develop a new tool named OverlayChecker to identify the missing protections in Android system apps. To verify the uncovered issues, we also design and create Proof-of-Concept apps. After applying OverlayChecker to 8 commercial Android systems on 4 recently released Android versions, we totally discovered 49 vulnerable system apps' windows. We reported our findings to the mobile vendors, including Google, Samsung, Vivo, Xiaomi, and Honor. At the time of writing, 15 of them have been confirmed. 5 CVEs have been assigned, and 3 of them are rated high severity. We also received bug bounty rewards from these mobile vendors.

show abstract

Section: Related Workmentioning

confidence: 99%

Beyond the Surface: Uncovering the Unprotected Components of Android Against Overlay Attack

Zhou,

Wu,

Qian

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Researchers showed that real-world malware [30], [35], [54] employ state inference as the first stage in their attacks, either for phishing or to monitor and profile the user. Several research works have studied and documented techniques to reliably determine when an Android app is being executed [6], [11], [14], [16], [38], [40], [46], [47]. Possemato et al [38] grouped all existing vulnerabilities into two macro-categories: I) File system layer.…”

Section: Related Workmentioning

confidence: 99%

“…Several research works have studied and documented techniques to reliably determine when an Android app is being executed [6], [11], [14], [16], [38], [40], [46], [47]. Possemato et al [38] grouped all existing vulnerabilities into two macro-categories: I) File system layer. The proc file system (i.e., procfs) is a pseudo-file system that provides an interface to kernel data structures.…”

Section: Related Workmentioning

confidence: 99%

“…A vulnerability in some Service APIs can lead to the disclosure of sensitive information opening the door for state inference techniques. Many works [14], [38], [47] investigated these aspects showing many vulnerabilities of the Android components. For instance, Possemato et al [38] detected several vulnerabilities, among which one that allows an app to collect statistics of other apps through the getProcessMemoryInfo API of the ActivityManager without any special permission.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Android, Notify Me When It Is Time To Go Phishing

Ruggia,

Possemato,

Merlo

et al. 2023

2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)

Self Cite

View full text Add to dashboard Cite

A mobile banking app just started up, and the notification "App updated, click here to restart" appears. The graphic theme is the same as the bank. Can we trust it? What if we cannot even trust that tapping an app actually loads the original one? More generally, what if Android notifies an attacker when her victim has just launched the target app of her phishing campaign so that she could cast the hook at the perfect moment?In this paper, we abuse inotify APIs, a mechanism for monitoring file system events, to mount a state inferencebased phishing attack from a malicious app installed on the victim's smartphone. We also verified the novelty of our work analyzing 10,000 recent Android malware, and although we found some cases where malware uses inotify for their petty purposes, our attack seems to be publicly unknown.However, since Android constantly evolves year after year, we studied its feasibility over different Android versions and attacker's capabilities. By analyzing 4,863 of the most popular apps, the most disconcerting finding is that if the attacker knows the installation path of the target app, all Android apps are vulnerable, regardless of the system version. Getting the installation path of an app is a capability that is only protected by a normal permission, and to make matters worse, there are workarounds to get it even without such permission.Even if this capability is denied, we propose different attack models under which this attack is still possible; however, at the end of our work, we provide the remediation to eradicate once and for all these attacks. Through this work, we reported three vulnerabilities to Google. Two were acknowledged as bugs of moderate severity, while the last one was already known but not public.

show abstract

“…The HTTPS Everywhere initiative has surfaced as an exemplar of industry best practices in the contemporary landscape, where web security is essential. This initiative revolves around the universal adoption of HTTPS-the secure web protocol enabled by TLS/SSL-across entire websites rather than selective use (Possemato and Fratantonio, 2020). Every webpage becomes fortified with TLS/ SSL encryption, safeguarding users from online threats and ensuring no browser flags their browsing experience as unsafe.…”

mentioning

confidence: 99%

Automated Ruleset Generation for “HTTPS Everywhere”

Alharbi,

Kashyap,

Allehyani

2024

International Journal of Information Security and Privacy

View full text Add to dashboard Cite

This paper details the implementation of a Web crawler aimed at automating ruleset construction for “HTTPS Everywhere,” with a goal to convert HTTP URLs to secure HTTPS equivalents for enhanced communication security. Developed within a seven-month timeframe, the crawler faced challenges in verifying HTTPS support, varying based on SSL certificate existence and validity. Successful ruleset creation and testing in Firefox and Chrome, adhering to stylistic standards, demonstrated the potential for effective development. The paper explores improving productivity through alternative libraries like Scrapy and Scrapy Cloud. While certain goals, such as in-depth cryptocurrency analysis and web crawler background reading, were unmet due to time constraints, valuable insights were gained. The conclusion underscores the difficulties, successes, and promises of automating ruleset generation through web crawlers for “HTTPS Everywhere,” offering valuable recommendations for advancing web security.

show abstract

Preventing and Detecting State Inference Attacks on Android

Cited by 7 publications

References 13 publications

Beyond the Surface: Uncovering the Unprotected Components of Android Against Overlay Attack

Beyond the Surface: Uncovering the Unprotected Components of Android Against Overlay Attack

Android, Notify Me When It Is Time To Go Phishing

Automated Ruleset Generation for “HTTPS Everywhere”

Contact Info

Product

Resources

About