HIJACKING ATTACKS ON ANDROID DEVICES
1. HIJACKING ATTACKS ON
ANDROID DEVICES
By Marcus Niemietz
Chair for Network and Data Security
Ruhr-University Bochum, Germany
PHD, May 2012
2. • University
  - Research assistant @NDS
• Web Application Security
  - Penetration tests
  - Security trainings
• Book author
  - Clickjacking
• International speaker
@mniemietz
3. Introduction
Attacks and their Countermeasures
Visual Spoofing
UI Redressing
Chrome to Phone Attack
Tapjacking
Conclusion and Outlook
4. We will answer these two questions in this talk
Are there any UI redressing attacks for Web
browsers under Android devices?
Can we hijack a touch gesture on a display
without using a Web browser?
6. ABOUT ANDROID
Linux-based OS
For mobile devices
Smartphones
Tablet computers
Television
Developer: Open Handset Alliance
Led by Google
Initial release in September 2008
Android 4.0.3 in December 2011
12. VISUAL SPOOFING
Imitate the look and feel of a trusted website
Usually hosted on an attacker's web server
Example: Amazon.co.uk
Using the native implemented Web browser
15. ATTACKER: HOME / ATTACKER: SIGN IN
16. ATTACKER: HOME / ATTACKER: SIGN IN
17. VISUAL SPOOFING
Attackable address bar with https:// support
Countermeasure (more or less)
Use short URLs like m.amazon.co.uk instead of
mobile-www.amazon.co.uk
19. UI redressing can be used to adjust the look as well
as the behavior of a web page
Clickjacking
Text injections via drag-and-drop operations,
Content extraction
Popup blocker bypasses, Event recycling
Strokejacking, SVG masking
➡ Desktop-based attacks on Web browsers were the primary focus in the past
26. UI REDRESSING
What an attacker can do with UI redressing
Stealing cookies
Stealing all the files of a folder
Stealing files from the intranet or internet
Sending status messages in your name
Showing elements in another context
Controlling your addon(s) on mobile devices
29. CHROME TO PHONE
Chrome extension(s)
One for your Google
Chrome browser, the other
for your Android device
Shares links, maps, selected
phone numbers, and text
between your computer and
phone
Source: play.google.com
30. CHROME TO PHONE
Simple example
Mark the text, which should be transmitted
Two clicks: A right click on the selected text
and a left click on Chrome to Phone
31. CHROME TO PHONE
A Chrome extension is basically a compressed file
with pictures as well as HTML5, JavaScript, and
CSS code
Every extension has a unique identifier from
Google Play (formerly the Google Chrome Market)
You can use it in combination with
chrome-extension://
32. CHROME TO PHONE
Can attach content scripts to a Web page
JavaScript code
Access to the Document Object Model (DOM)
Can communicate with other components
JS runtimes have no access to each other
33. CHROME TO PHONE
Attacked by Krzysztof Kotowicz in Nov. 2011
Load resources via an iframe or a pop-up
window
var popup = window.open('chrome-extension://aodbo...adc/popup.html');
34. CHROME TO PHONE
1. Open a pop-up, which is able to receive some
parameters from the content scripts code
2. The content scripts code sends a URL to the pop-up
window
3. A link will be forwarded to the Android device
4. This link will be automatically opened in the Web
browser (depends on the settings)
35. CHROME TO PHONE
Weakness in point 2: next to content_script.js
there is also a manifest.json
The manifest.json file adds the content_script.js
file automatically to every HTTP/HTTPS website
and tab
We can use a pop-under here for the listener
Awesome attack for cross-device scripting
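A review check for the manifest.json behaviour described above, added here as an example and not taken from the talk or from the Chrome to Phone code: it lists content scripts whose match patterns cover every host, which are the scripts any visited page will have running beside it. The sample manifest is constructed and the function names are hypothetical; `all_frames` is the standard manifest key for injecting into iframes as well.

```python
import json

# Constructed sample manifest (not the real Chrome to Phone file). The first
# entry mirrors the slide: content_script.js on every HTTP/HTTPS page.
SAMPLE_MANIFEST = """
{
  "name": "example-sender",
  "version": "1.0",
  "content_scripts": [
    {"matches": ["http://*/*", "https://*/*"], "js": ["content_script.js"]},
    {"matches": ["https://mail.example.com/*"], "js": ["mail.js"],
     "all_frames": true}
  ]
}
"""

def covers_every_host(pattern):
    """True if a match pattern applies to all hosts, e.g. http://*/*."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False
    return rest.split("/", 1)[0] == "*"

def broad_content_scripts(manifest_text):
    """Return (script, pattern, all_frames) for scripts injected everywhere."""
    manifest = json.loads(manifest_text)
    findings = []
    for entry in manifest.get("content_scripts", []):
        in_frames = bool(entry.get("all_frames", False))
        for pattern in entry.get("matches", []):
            if not covers_every_host(pattern):
                continue
            for script in entry.get("js", []):
                findings.append((script, pattern, in_frames))
    return findings

if __name__ == "__main__":
    for script, pattern, in_frames in broad_content_scripts(SAMPLE_MANIFEST):
        where = "top frames and iframes" if in_frames else "top frames"
        print(f"{script}: runs on {pattern} ({where})")
```

Each finding marks a script whose message handling has to treat the hosting page as untrusted input.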
38. BAD MOBILE APPS
Trend Micro discovered 17 mobile apps with over
700,000 downloads in Google Play (May 2012)
10 apps delivered annoying and obtrusive ads
6 apps that contain Plankton malware code
Application Name: Brief Behavior Description
Spy Phone PRO+: Sends out GPS location, SMS and call log
NBA SQUADRE PUZZLE GAME: Pushes applications and advertisements to user
Cricket World Cup and Teams: Pushes applications and advertisements to user
39. TAPJACKING
David Richardson, 2010
Android trust model
An application is allowed to programmatically
open a dialog but not to interact with it
Toast view to show a quick little message
41. TAPJACKING
Jack Mannino published a proof of concept of a
tapjacking attack one year later
Toast class
Use the default constant LENGTH_LONG to show
the view or text notification for a long period of
time
A message that looks like it belongs to the target application
44. TAPJACKING
Code example for a tapjacking button
mButton = new Button(this);
mButton.getBackground().setAlpha(0); // like the CSS opacity property
mButton.setOnTouchListener(this); // needed for onTouch()
// Layout parameters with an overlay
WindowManager.LayoutParams params = new WindowManager ...
46. TAPJACKING
Protection mechanisms for applications available
Block touch gestures, which are received
whenever the view’s window is obscured
setFilterTouchesWhenObscured() or
alternatively the attribute
android:filterTouchesWhenObscured
We can attack the home screen
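A static check for the android:filterTouchesWhenObscured attribute named above, added here as an example and not part of the talk: it walks a layout file and reports tappable views that neither set the attribute nor sit inside a ViewGroup that sets it (a ViewGroup with the filter drops obscured touches before its children see them). The sample layout is constructed, and the function name and the list of tappable widget tags are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
FILTER_ATTR = "{%s}filterTouchesWhenObscured" % ANDROID_NS
CLICKABLE_ATTR = "{%s}clickable" % ANDROID_NS
ID_ATTR = "{%s}id" % ANDROID_NS
# Widgets that accept taps by default (assumed list for this example).
TAPPABLE_TAGS = {"Button", "ImageButton", "CheckBox", "Switch", "ToggleButton"}

# Constructed sample layout: "pay" and "link" are left unprotected on purpose.
SAMPLE_LAYOUT = """
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:orientation="vertical">
  <TextView android:id="@+id/title" android:text="Confirm payment"/>
  <Button android:id="@+id/pay" android:text="Pay"/>
  <Button android:id="@+id/cancel" android:text="Cancel"
      android:filterTouchesWhenObscured="true"/>
  <LinearLayout android:filterTouchesWhenObscured="true">
    <ImageButton android:id="@+id/grant"/>
  </LinearLayout>
  <TextView android:id="@+id/link" android:clickable="true"/>
</LinearLayout>
"""

def unprotected_tap_targets(layout_xml):
    """Return ids of tappable views not covered by filterTouchesWhenObscured."""
    findings = []

    def walk(node, protected):
        # Protection set on an ancestor also covers this node.
        protected = protected or node.get(FILTER_ATTR) == "true"
        tappable = (node.tag in TAPPABLE_TAGS
                    or node.get(CLICKABLE_ATTR) == "true")
        if tappable and not protected:
            findings.append(node.get(ID_ATTR, "<no id>"))
        for child in node:
            walk(child, protected)

    walk(ET.fromstring(layout_xml.strip()), False)
    return findings

if __name__ == "__main__":
    for view_id in unprotected_tap_targets(SAMPLE_LAYOUT):
        print(f"{view_id}: accepts touches while its window is obscured")
```

Views flagged here can be fixed in the layout with the attribute or in code with setFilterTouchesWhenObscured(true); views created only in code are outside what this check sees.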
48. TAPJACKING
Countermeasure
A defense application, which is always behind a
loaded application
We are able to block home screen attacks, too
More information soon
50. UI redressing and especially clickjacking attacks
are very dangerous
We have browser-based and browserless UI
redressing attacks
There are protection mechanisms to provide a
certain degree of client-side security
There will be more attacks in the future
52. Paul Stone (Apr. 2010), http://www.contextis.com/research/tools/clickjacking-tool/
Robert Hansen and Jeremiah Grossman (Dec. 2008), http://www.sectheory.com/clickjacking.htm
Krzysztof Kotowicz (Nov. 2011), http://blog.kotowicz.net/2011/11/html5-something-wicked-this-way-comes.html
Michal Zalewski (Dec. 2011), The Tangled Web: A Guide to Securing Modern Web Applications