HIJACKING ATTACKS ON ANDROID DEVICES

By Marcus Niemietz
Chair for Network and Data Security
Ruhr-University Bochum, Germany
PHD, May 2012
• University
  ! Research assistant @NDS
• Web Application Security
  ! Penetration tests
  ! Security trainings
• Book author
  ! Clickjacking
• International speaker

@mniemietz
Introduction

Attacks and their Countermeasures

  Visual Spoofing

  UI Redressing

    Chrome to Phone Attack

    Tapjacking

Conclusion and Outlook
We will answer these two questions in this talk

  Are there any UI redressing attacks for Web
  browsers under Android devices?

  Can we hijack a touch gesture on a display
  without using a Web browser?
Introduction
ABOUT ANDROID

Linux-based OS
For mobile devices
  Smartphones
  Tablet computers
  Television

Developer: Open Handset Alliance
  Led by Google
Initial release in September 2008
Android 4.0.3 in December 2011
Worldwide smartphone sales
Source: Gartner (November 2011)

[Bar chart: units sold per platform (Android, Symbian, iOS, RIM, Others), 3Q2010 vs. 3Q2011; y-axis from 0 to 150.000.000]
Distribution
Source: Android.com; 14-day period data, February 1, 2012

[Bar chart: share of devices per Android version (2.1, 2.2, 2.3.3 - 2.3.7, Other); x-axis from 0 to 60]

ANDROID 2.3.3   ANDROID 4.0
Attacks and their Countermeasures
Visual Spoofing
VISUAL SPOOFING

Imitate the look and feel of a trusted website

Usually hosted on an attacker's web server

Example: Amazon.co.uk

  Using the natively implemented Web browser

AMAZON: HOME   AMAZON: SIGN IN
ATTACKER: HOME   ATTACKER: SIGN IN
VISUAL SPOOFING

The address bar itself can be spoofed, https:// URLs included

Countermeasure (more or less)

  Use short URLs like m.amazon.co.uk instead of
  mobile-www.amazon.co.uk
UI Redressing
UI redressing can be used to adjust the look as well
as the behavior of a web page

  Clickjacking

  Text injections via drag-and-drop operations

  Content extraction

  Popup blocker bypasses, Event recycling

  Strokejacking, SVG masking

➡ Desktop-based attacks on Web browsers were the
  primary focus in the past
CLASSIC CLICKJACKING

<h1>Funny pictures</h1>
<img src="lol.gif"><button>Click me</button>
<img src="lol.gif">
<!-- fully transparent iframe stacked above the decoy button -->
<iframe style="position:absolute; z-index:1;
   opacity:0.0; filter:alpha(opacity=0);
   left:-120px; top:95px;"
   width="300" height="200" src="http://www.bing.com">
</iframe>
UI REDRESSING

What an attacker can do with UI redressing

  Stealing cookies

  Stealing all the files of a folder

  Stealing files from the intranet or internet

  Sending status messages in your name

  Showing elements in another context

  Controlling your addon(s) on mobile devices
UI REDRESSING



Countermeasures

 Frame buster

 X-Frame-Options

 Firefox and NoScript
Chrome to Phone Attack
CHROME TO PHONE

Chrome extension(s)

One for your Google Chrome browser, the other
for your Android device

Shares links, maps, selected phone numbers, and
text between your computer and phone

Source: play.google.com
CHROME TO PHONE

Simple example

  Mark the text that should be transmitted

  Two clicks: a right click on the selected text
  and a left click on Chrome to Phone
CHROME TO PHONE

A Chrome extension is basically a compressed file
with pictures as well as HTML5, JavaScript, and
CSS code

Every extension has a unique identifier from
Google Play (formerly the Google Chrome Market)

  You can use it in combination with the
  chrome-extension:// scheme
CHROME TO PHONE

Can attach content scripts to a Web page

  JavaScript code

  Access to the Document Object Model (DOM)

  Can communicate with other components

    JS runtimes have no access to each other
CHROME TO PHONE

Attacked by Krzysztof Kotowicz in Nov. 2011

  Load resources via an iframe or a pop-up
  window

  var popup = window.open('chrome-extension://aodbo...adc/popup.html');
CHROME TO PHONE

1. Open a pop-up that is able to receive some
   parameters from the content script code

2. The content script code sends a URL to the pop-up
   window

3. The link is forwarded to the Android device

4. The link is automatically opened in the Web
   browser (depends on the settings)
CHROME TO PHONE

Weakness in point 2: next to content_script.js
there is also a manifest.json

  The manifest.json file adds the content_script.js
  file automatically to every HTTP/HTTPS website
  and tab

  We can use a pop-under here for the listener

Awesome attack for cross-device scripting
CHROME TO PHONE
Tapjacking
BAD MOBILE APPS

Trend Micro discovered 17 mobile apps with over
700,000 downloads in Google Play (May 2012)

10 apps delivered annoying and obtrusive ads

6 apps contain Plankton malware code

Application Name             Brief Behavior Description
Spy Phone PRO+               Sends out GPS location, SMS and call log
NBA SQUADRE PUZZLE GAME      Pushes applications and advertisements to user
Cricket World Cup and Teams  Pushes applications and advertisements to user
TAPJACKING

David Richardson, 2010

Android trust model

  An application is allowed to programmatically
  open a dialog but not to interact with it

  Toast view to show a quick little message
RINGER VOLUME   RINGER VOLUME - RESIZE
TAPJACKING

Jack Mannino published a proof of concept of a
tapjacking attack one year later

Toast class

  Use the default constant LENGTH_LONG to show
  the view or text notification for a long period of
  time

  A message that looks like one from the target application
TAPJACKING

Code example for a tapjacking button

mButton = new Button(this);
mButton.getBackground().setAlpha(0); // like the CSS opacity property
mButton.setOnTouchListener(this); // needed for onTouch()
// Layout parameters with an overlay
WindowManager.LayoutParams params = new WindowManager ...
TAPJACKING

Contact data manipulation

Native browser utilization

Touch gestures logging

Predefined phone calls

Installing applications in the background
TAPJACKING

Protection mechanisms for applications are available

  Block touch gestures that are received
  whenever the view's window is obscured

  setFilterTouchesWhenObscured() or
  alternatively the attribute
  android:filterTouchesWhenObscured

We can attack the home screen
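As an added example (not code from the slides or from the proof of concept they describe), here is the defender side of the setFilterTouchesWhenObscured() mechanism listed above: a Button subclass that enables the filter and additionally counts and logs the touches the framework flags as obscured, so an app can notice an overlay attempt instead of silently discarding it. The package and class names are assumptions.

```java
// Added example: a Button that enables Android's "filter touches when obscured"
// protection (View API available since API level 9) and records the touches it drops.
// Package and class names are assumptions made for this example.
package example.tapjacking;

import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ObscuredAwareButton extends Button {
    private static final String TAG = "ObscuredAwareButton";
    private int droppedTouches = 0;

    public ObscuredAwareButton(Context context) {
        this(context, null);
    }

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout XML:
        // the framework discards touches that arrive while another window
        // (a transparent toast, an overlay) covers this view's window.
        setFilterTouchesWhenObscured(true);
    }

    // The framework calls this before dispatching a touch; returning false drops it.
    // With the filter enabled, the default implementation already drops obscured
    // touches; overriding it lets the app observe and count the attempt.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured = (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            droppedTouches++;
            Log.w(TAG, "Dropped touch " + droppedTouches
                    + ": window obscured by another window (possible tapjacking)");
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    // Number of touches rejected so far; a burst of them on a sensitive button
    // (install, call, send) is a signal worth surfacing to the user.
    public int getDroppedTouches() {
        return droppedTouches;
    }
}
```

Only views that enable the filter are protected, so it has to be set on every touch target whose activation is security relevant, not just on one button.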
TAPJACKING

Countermeasure

  A defense application that always sits behind the
  loaded application

  We are able to block home screen attacks, too

  More information soon
Conclusion and Outlook

UI redressing and especially clickjacking attacks
are very dangerous

We have browser-based and browserless UI
redressing attacks

There are protection mechanisms that provide a
certain degree of client-side security

There will be more attacks in the future
REFERENCES

http://developer.android.com/resources/dashboard/platform-versions.html

Framing Attacks on Smart Phones and Dumb Routers: Tap-jacking and Geo-localization Attacks, http://seclab.stanford.edu/websec/framebusting/tapjacking.pdf

Marcus Niemietz (Apr. 2012), Clickjacking und UI-Redressing

Paul Stone (Apr. 2010), http://www.contextis.com/research/tools/clickjacking-tool/

Robert Hansen and Jeremiah Grossman (Dec. 2008), http://www.sectheory.com/clickjacking.htm

Krzysztof Kotowicz (Nov. 2011), http://blog.kotowicz.net/2011/11/html5-something-wicked-this-way-comes.html

Michal Zalewski (Dec. 2011), The Tangled Web: A Guide to Securing Modern Web Applications
Thank you for your attention.

      Any questions?
