see no evil: phishing for permissions with false transparency · see no evil: phishing for...
TRANSCRIPT
See No Evil: Phishing for Permissions with False Transparency
Güliz Seray Tuncay*†, Jingyu Qian†, Carl A. Gunter†
*Google, †University of Illinois at Urbana-Champaign
2
Install-time Permissions < Android 6.0
2
Install-time Permissions < Android 6.0
lack of context
2
Install-time Permissions < Android 6.0
Runtime Permissions >= Android 6.0
lack of context
2
Install-time Permissions < Android 6.0
Runtime Permissions >= Android 6.0
lack of contextmore context
2
Install-time Permissions < Android 6.0
Runtime Permissions >= Android 6.0
lack of contextmore context
ask on first use from the foreground
2
Install-time Permissions < Android 6.0
Runtime Permissions >= Android 6.0
lack of contextmore context
ask on first use from the foreground
>75% of the market now uses runtime
permissions
3
Viber requesting
3
Viber requesting
3
Viber requesting
3
Viber requesting So far so good
4
4
4
4
Viber requesting?
4
No?!Viber requesting?
5
Viber requesting?
5
Viber requesting?
5
Viber requesting?
5
Viber requesting?
5
Viber requesting?
5
Viber requesting?False transparency attacks on runtime
permissions
Invisible background app requests permission!
5
Viber requesting?False transparency attacks on runtime
permissions
Invisible background app requests permission!
5
Viber requesting?False transparency attacks on runtime
permissions
Invisible background app requests permission!
Affects Android 6-11
5
False transparency attacks on runtime
permissions
Invisible background app requests permission!
What’s going on?
Affects Android 6-11
Breaking the security guarantees of runtime permissions
Contextual Guarantee
• Users will always be provided with context
Contextual Guarantee
• Users will always be provided with context
- Allow permission requests to be made only from the foreground
Contextual Guarantee
• Users will always be provided with context
- Allow permission requests to be made only from the foreground
Contextual Guarantee
Assumption: Context provided by the
FG app is legitimate
• Users will always be provided with context
- Allow permission requests to be made only from the foreground
Contextual Guarantee
APIs to move within the task stack!
- moveTaskToFront()- moveTaskToBack()- startActivity()- requestPermissions()
Assumption: Context provided by the
FG app is legitimate
• Users will always be provided with context
- Allow permission requests to be made only from the foreground
Contextual Guarantee
APIs to move within the task stack!
transparency
+
- moveTaskToFront()- moveTaskToBack()- startActivity()- requestPermissions()
Assumption: Context provided by the
FG app is legitimate
• Users will always be provided with context
- Allow permission requests to be made only from the foreground
Contextual Guarantee
APIs to move within the task stack!
transparency
+
- moveTaskToFront()- moveTaskToBack()- startActivity()- requestPermissions()
Assumption: Context provided by the
FG app is legitimate
8
Identity Guarantee
8
Identity Guarantee
• Users should be made aware of the identity of requesting app
8
Identity Guarantee
• Users should be made aware of the identity of requesting app
- Show app name in the permission dialog
8
Identity Guarantee
• Users should be made aware of the identity of requesting app
- Show app name in the permission dialog
Assumption:Uniquely identifying
app names
8
Identity Guarantee
App name
• Users should be made aware of the identity of requesting app
- Show app name in the permission dialog
- no rules!
Assumption:Uniquely identifying
app names
8
Identity Guarantee
App name
• Users should be made aware of the identity of requesting app
- Show app name in the permission dialog
- no rules!Viber
Assumption:Uniquely identifying
app names
8
Identity Guarantee
App name
• Users should be made aware of the identity of requesting app
- Show app name in the permission dialog
- no rules!
this app
Viber
Assumption:Uniquely identifying
app names
Background apps can request permissions with an illegitimate context
Background apps can request permissions with an illegitimate context
Apps can exploit users’ trust and request permissions impersonating other apps
Realizing the Attacks
Realizing the Attacks
Survey with 200 Amazon mTurk participants
• Is there any underlying susceptibility enabling FTAs?
Realizing the Attacks
Survey with 200 Amazon mTurk participants
• Is there any underlying susceptibility enabling FTAs?
• How to make FTAs realistic and more likely to succeed?
Realizing the Attacks
Survey with 200 Amazon mTurk participants
Susceptibility
Susceptibility
Susceptibility
Would you grant this permission?
Susceptibility
Would you grant this permission?
No26%
Yes74%
Susceptibility
Would you grant this permission?
No26%
Yes74%
1 user mentioned request looking fishy
Susceptibility
Susceptibility
Who’s requesting this permission?
Susceptibility
Who’s requesting this permission?
3%2%
2%2%
4%1%
3%
Google Maps84%
Realistic Attacks
Realistic Attacks (1)
Realistic Attacks (1)
WTH?
Users are more likely to deny permission requests with NO app in the foreground
Realistic Attacks (1)
Users are more likely to deny permission requests with NO app in the foreground
Request only when there’s an app in the foreground
Realistic Attacks (1)
Yeah okay.
Users are more likely to deny permission requests with NO app in the foreground
Request only when there’s an app in the foreground
Realistic Attacks (1)
Yeah okay.
Users are more likely to deny permission requests with NO app in the foreground
How: getRunningTasks()
Realistic Attacks (2)
Realistic Attacks (2)
WTH?
Users are more likely to deny if app requests irrelevant permissions
Request only the relevant permissions
Realistic Attacks (2)
Yeah okay.
Users are more likely to deny if app requests irrelevant permissions
Request only the relevant permissions
Realistic Attacks (2)
Yeah okay.
Users are more likely to deny if app requests irrelevant permissions
- Infer the foreground app
Request only the relevant permissions
Realistic Attacks (2)
Yeah okay.
Users are more likely to deny if app requests irrelevant permissions
- Infer the foreground app- Only request permissions
required by this app
Request only the relevant permissions
Realistic Attacks (2)
Yeah okay.
Users are more likely to deny if app requests irrelevant permissions
- Infer the foreground app- Only request permissions
required by this app
How: ProcHarvester
Request only the relevant permissions
Realistic Attacks (2)
Yeah okay.
Users are more likely to deny if app requests irrelevant permissions
- Infer the foreground app- Only request permissions
required by this app
How: ProcHarvester
Request only the relevant permissions
Realistic Attacks (2)
Yeah okay.
Users are more likely to deny if app requests irrelevant permissions
- Infer the foreground app- Only request permissions
required by this app
How: ProcHarvester
- Adapted ProcHarvester to realistic attack scenarios
- 90% accuracy
Feasibility
Feasibility
20 lab participants
Feasibility
20 lab participants
Realistic setting with everyday tasks and popular apps:
Feasibility
20 lab participants
Realistic setting with everyday tasks and popular apps:
None of the participants noticed the attack!
Defense and Countermeasures
Defense and Countermeasures
Existing defenses
Defense and Countermeasures
Background app starts on Android 10
Existing defenses
Defense and Countermeasures
Background app starts on Android 10
Attacks still work on Android 10 and 11
Existing defenses
Defense and Countermeasures
Background app starts on Android 10
Attacks still work on Android 10 and 11
Existing defenses
Non-trival solution
Defense and Countermeasures
Background app starts on Android 10
Attacks still work on Android 10 and 11
Existing defenses
Non-trival solution
Defense and Countermeasures
Background app starts on Android 10
Attacks still work on Android 10 and 11
Existing defensesRecommendations:
Non-trival solution
Defense and Countermeasures
Background app starts on Android 10
Attacks still work on Android 10 and 11
Mandatory app transition effectsExisting defenses
Recommendations:
Non-trival solution
Defense and Countermeasures
Background app starts on Android 10
Attacks still work on Android 10 and 11
App name checks in:
Mandatory app transition effectsExisting defenses
Recommendations:
Non-trival solution
Defense and Countermeasures
Background app starts on Android 10
Attacks still work on Android 10 and 11
App name checks in:
Additional app identifiers in permission dialogs
Mandatory app transition effectsExisting defenses
Recommendations:
Non-trival solution
Defense and Countermeasures
Background app starts on Android 10
Attacks still work on Android 10 and 11
App name checks in:
Additional app identifiers in permission dialogs
Mandatory app transition effectsExisting defenses
Recommendations:
Non-trival solutionNo more transparent UI
Thank you!
See No Evil: Phishing for Permissions with False Transparency
Güliz Seray Tuncay*†, Jingyu Qian†, Carl A. Gunter†
*Google, †University of Illinois at Urbana-Champaign