See No Evil: Phishing for Permissions with False Transparency

Güliz Seray Tuncay*†, Jingyu Qian†, Carl A. Gunter†

*Google, †University of Illinois at Urbana-Champaign

2

Install-time Permissions < Android 6.0

2

Install-time Permissions < Android 6.0

lack of context

2

Install-time Permissions < Android 6.0

Runtime Permissions >= Android 6.0

lack of context

2

Install-time Permissions < Android 6.0

Runtime Permissions >= Android 6.0

lack of contextmore context

2

Install-time Permissions < Android 6.0

Runtime Permissions >= Android 6.0

lack of contextmore context

ask on first use from the foreground

2

Install-time Permissions < Android 6.0

Runtime Permissions >= Android 6.0

lack of contextmore context

ask on first use from the foreground

>75% of the market now uses runtime

permissions

3

Viber requesting

3

Viber requesting

3

Viber requesting

3

Viber requesting So far so good

4

4

4

4

Viber requesting?

4

No?!Viber requesting?

5

Viber requesting?

5

Viber requesting?

5

Viber requesting?

5

Viber requesting?

5

Viber requesting?

5

Viber requesting?False transparency attacks on runtime

permissions

Invisible background app requests permission!

5

Viber requesting?False transparency attacks on runtime

permissions

Invisible background app requests permission!

5

Viber requesting?False transparency attacks on runtime

permissions

Invisible background app requests permission!

Affects Android 6-11

5

False transparency attacks on runtime

permissions

Invisible background app requests permission!

What’s going on?

Affects Android 6-11

Breaking the security guarantees of runtime permissions

Contextual Guarantee

• Users will always be provided with context

Contextual Guarantee

• Users will always be provided with context

- Allow permission requests to be made only from the foreground

Contextual Guarantee

• Users will always be provided with context

- Allow permission requests to be made only from the foreground

Contextual Guarantee

Assumption: Context provided by the

FG app is legitimate

• Users will always be provided with context

- Allow permission requests to be made only from the foreground

Contextual Guarantee

APIs to move within the task stack!

- moveTaskToFront()- moveTaskToBack()- startActivity()- requestPermissions()

Assumption: Context provided by the

FG app is legitimate

• Users will always be provided with context

- Allow permission requests to be made only from the foreground

Contextual Guarantee

APIs to move within the task stack!

transparency

+

- moveTaskToFront()- moveTaskToBack()- startActivity()- requestPermissions()

Assumption: Context provided by the

FG app is legitimate

• Users will always be provided with context

- Allow permission requests to be made only from the foreground

Contextual Guarantee

APIs to move within the task stack!

transparency

+

- moveTaskToFront()- moveTaskToBack()- startActivity()- requestPermissions()

Assumption: Context provided by the

FG app is legitimate

8

Identity Guarantee

8

Identity Guarantee

• Users should be made aware of the identity of requesting app

8

Identity Guarantee

• Users should be made aware of the identity of requesting app

- Show app name in the permission dialog

8

Identity Guarantee

• Users should be made aware of the identity of requesting app

- Show app name in the permission dialog

Assumption:Uniquely identifying

app names

8

Identity Guarantee

App name

• Users should be made aware of the identity of requesting app

- Show app name in the permission dialog

- no rules!

Assumption:Uniquely identifying

app names

8

Identity Guarantee

App name

• Users should be made aware of the identity of requesting app

- Show app name in the permission dialog

- no rules!Viber

Assumption:Uniquely identifying

app names

8

Identity Guarantee

App name

• Users should be made aware of the identity of requesting app

- Show app name in the permission dialog

- no rules!

this app

Viber

Assumption:Uniquely identifying

app names

Background apps can request permissions with an illegitimate context

Background apps can request permissions with an illegitimate context

Apps can exploit users’ trust and request permissions impersonating other apps

Realizing the Attacks

Realizing the Attacks

Survey with 200 Amazon mTurk participants

• Is there any underlying susceptibility enabling FTAs?

Realizing the Attacks

Survey with 200 Amazon mTurk participants

• Is there any underlying susceptibility enabling FTAs?

• How to make FTAs realistic and more likely to succeed?

Realizing the Attacks

Survey with 200 Amazon mTurk participants

Susceptibility

Susceptibility

Susceptibility

Would you grant this permission?

Susceptibility

Would you grant this permission?

No26%

Yes74%

Susceptibility

Would you grant this permission?

No26%

Yes74%

1 user mentioned request looking fishy

Susceptibility

Susceptibility

Who’s requesting this permission?

Susceptibility

Who’s requesting this permission?

3%2%

2%2%

4%1%

3%

Google Maps84%

Realistic Attacks

Realistic Attacks (1)

Realistic Attacks (1)

WTH?

Users are more likely to deny permission requests with NO app in the foreground

Realistic Attacks (1)

Users are more likely to deny permission requests with NO app in the foreground

Request only when there’s an app in the foreground

Realistic Attacks (1)

Yeah okay.

Users are more likely to deny permission requests with NO app in the foreground

Request only when there’s an app in the foreground

Realistic Attacks (1)

Yeah okay.

Users are more likely to deny permission requests with NO app in the foreground

How: getRunningTasks()

Realistic Attacks (2)

Realistic Attacks (2)

WTH?

Users are more likely to deny if app requests irrelevant permissions

Request only the relevant permissions

Realistic Attacks (2)

Yeah okay.

Users are more likely to deny if app requests irrelevant permissions

Request only the relevant permissions

Realistic Attacks (2)

Yeah okay.

Users are more likely to deny if app requests irrelevant permissions

- Infer the foreground app

Request only the relevant permissions

Realistic Attacks (2)

Yeah okay.

Users are more likely to deny if app requests irrelevant permissions

- Infer the foreground app- Only request permissions

required by this app

Request only the relevant permissions

Realistic Attacks (2)

Yeah okay.

Users are more likely to deny if app requests irrelevant permissions

- Infer the foreground app- Only request permissions

required by this app

How: ProcHarvester

Request only the relevant permissions

Realistic Attacks (2)

Yeah okay.

Users are more likely to deny if app requests irrelevant permissions

- Infer the foreground app- Only request permissions

required by this app

How: ProcHarvester

Request only the relevant permissions

Realistic Attacks (2)

Yeah okay.

Users are more likely to deny if app requests irrelevant permissions

- Infer the foreground app- Only request permissions

required by this app

How: ProcHarvester

- Adapted ProcHarvester to realistic attack scenarios

- 90% accuracy

Feasibility

Feasibility

20 lab participants

Feasibility

20 lab participants

Realistic setting with everyday tasks and popular apps:

Feasibility

20 lab participants

Realistic setting with everyday tasks and popular apps:

None of the participants noticed the attack!

Defense and Countermeasures

Defense and Countermeasures

Existing defenses

Defense and Countermeasures

Background app starts on Android 10

Existing defenses

Defense and Countermeasures

Background app starts on Android 10

Attacks still work on Android 10 and 11

Existing defenses

Defense and Countermeasures

Background app starts on Android 10

Attacks still work on Android 10 and 11

Existing defenses

Non-trival solution

Defense and Countermeasures

Background app starts on Android 10

Attacks still work on Android 10 and 11

Existing defenses

Non-trival solution

Defense and Countermeasures

Background app starts on Android 10

Attacks still work on Android 10 and 11

Existing defensesRecommendations:

Non-trival solution

Defense and Countermeasures

Background app starts on Android 10

Attacks still work on Android 10 and 11

Mandatory app transition effectsExisting defenses

Recommendations:

Non-trival solution

Defense and Countermeasures

Background app starts on Android 10

Attacks still work on Android 10 and 11

App name checks in:

Mandatory app transition effectsExisting defenses

Recommendations:

Non-trival solution

Defense and Countermeasures

Background app starts on Android 10

Attacks still work on Android 10 and 11

App name checks in:

Additional app identifiers in permission dialogs

Mandatory app transition effectsExisting defenses

Recommendations:

Non-trival solution

Defense and Countermeasures

Background app starts on Android 10

Attacks still work on Android 10 and 11

App name checks in:

Additional app identifiers in permission dialogs

Mandatory app transition effectsExisting defenses

Recommendations:

Non-trival solutionNo more transparent UI

Thank you!

See No Evil: Phishing for Permissions with False Transparency

Güliz Seray Tuncay*†, Jingyu Qian†, Carl A. Gunter†

*Google, †University of Illinois at Urbana-Champaign