UI Redressing Attacks on Android Devices
Marcus Niemietz, Ruhr-University Bochum
Horst Görtz Institute for IT-Security
German book: Clickjacking und UI-Redressing
WebAppSec: trainings, pentests
Speaker at Blue Hat, Black Hat, German OWASP Day, PHDays, ...
Twitter: @mniemietz
This talk is based on the paper "UI Redressing Attacks on Android Devices"
http://is.gd/g60ZUx
Authors: Marcus Niemietz, Jörg Schwenk, Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany
1. Introduction
2. Related work
3. Porting UI redressing to Android devices
4. New browserless attacks
5. Mitigation techniques
6. Conclusion and outlook
1. Introduction
UI redressing has been a known problem since 2002. The security problem was overlooked until 2008 → Clickjacking.
Clickjacking ⊂ UI redressing. The subclass consists of attacks like cursorjacking, filejacking, tabnabbing, and inter alia tapjacking.
In essence, all of these attacks need a Web browser to be executed.
Considering the given attack vectors on desktop-based Web browsers, we pose the following question:
Can UI redressing attacks be ported to smartphone-based systems?
We focus on the Android operating system.
Source: Gartner (November 2011). Situation in November 2012: Android 72.4%, iOS 13.9%.
[Chart: 3Q2010 vs 3Q2011 by platform (Android, Symbian, iOS, RIM, Others); y-axis 0 to 150,000,000]
We focus on the Android operating system.
Source: Android.com; 14-day period data, February 1, 2012.
[Chart: Android version distribution (2.1, 2.2, 2.3.3 - 2.3.7, Other); x-axis 0 to 60]
[Screenshots: Android 4.0 and Android 2.3.3]
This talk focuses on two points:
1. Attacks and countermeasures for desktop-based Web browsers available for Android
2. A tapjacking attack technique which does not need a Web browser to execute
2. Related work
2.1. Desktop-based UI Redressing Techniques
2.2. Browserless UI Redressing Attacks
2.1. Desktop-based UI Redressing Techniques
Clickjacking
Strokejacking
Drag-and-drop operations
Content extraction
Event-recycling
SVG masking
Classic clickjacking
Likejacking and sharejacking
Nested clickjacking, double clickjacking
Cookiejacking, filejacking
Eventjacking, classjacking
Cursorjacking, tabnabbing
Combinations with CSRF, XSS, and CSS
Classic clickjacking example from the slides: a transparent, absolutely positioned frame is laid over the visible button, so a tap on "Click me" lands in the framed page.

```html
<h1>Funny pictures</h1>
<img src="lol.gif">
<button>Click me</button>
<img src="lol.gif">
<!-- invisible frame placed on top of the button (z-index above the page,
     opacity 0; filter:alpha is the legacy IE spelling of opacity) -->
<iframe style="position:absolute; z-index:1;
               opacity:0.0; filter:alpha(opacity=0);
               left:-120px; top:95px;"
        width="300" height="200"
        src="http://www.bing.com">
</iframe>
```
2.2. Browserless UI Redressing Attacks
Is it possible to perform browser-like UI redressing attacks on mobile devices without using a Web browser or, at the very least, without using it directly?
David Richardson in 2010 on the Android trust model: an application is allowed to programmatically open a dialog, but not to interact with it.
Idea: use a toast view to show a quick little message to the user. Basic idea: be as unobtrusive as possible.
Jack Mannino published a proof of concept of a tapjacking attack in 2011: scaling the usually small notification message to the entire display of the mobile device.
Subsequent usage of the default constant LENGTH_LONG.
Crucial point: a touch gesture on such a message or notification will be passed through to the underlying application.
Similar to clickjacking.
Idea: create a notification message which looks like a normal application.
3. Porting UI redressing to Android devices
Classic clickjacking, classjacking, strokejacking: require a Web browser supporting frames, CSS, JavaScript, and HTML5.
Nested clickjacking, filejacking, tabnabbing, content extraction, event-recycling, and SVG masking: additional features in desktop-based Web browsers.
Nowadays, any Web browser one requires can be downloaded via Google Play.
Not transferable attacks:
- Cursorjacking
- Cookiejacking
- Double clickjacking and pop-up-blocker bypasses
4. New browserless attacks
In addition to the attack described by Jack Mannino we can do:
- Contact data manipulation
- Native browser utilization
- Touch gesture logging
- Predefined phone calls
- Installing applications in the background
All of these attacks use the same technique:
1. There is a visible attacker's application in the form of a notification in the foreground
2. There is a target application in the background
There is a limited number of operations, like opening the phone call application.
Solution: unauthorized home screen navigation attack. It substantially extends the limited set of attacks; an attacker needs more touch gestures from a victim.
5. Mitigation techniques
5.1. Browser-Based UI Redressing
5.2. Tapjacking Defense Mechanisms
5.1. Browser-Based UI Redressing
Frame buster: consists of a conditional statement and a counter-action.

```javascript
// classic frame buster: if we are not the top-level window, navigate the top window to ourselves
if (top.location != location)
    top.location = self.location;
```

Busting frame busting is possible.
August Detlefsen et al. published the most attack-resistant countermeasure against busting frame busting techniques.
```html
<!-- the page is hidden by default; the style is only removed when the page is the top-level window -->
<style id="antiClickjack">
  body { display:none !important; }
</style>
<script type="text/javascript">
  if (self === top) {
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    top.location = self.location;
  }
</script>
```
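Why the Detlefsen et al. variant holds up better than the one-line buster is easiest to see when the framing page manages to suppress the `top.location` navigation (the "busting frame busting" case the slides mention). The following is an added example, not code from the slides or the paper: it ports both busters to Node with small stand-ins for `window` and `document`, so it runs without a browser. The scenario names, the `makeWindow`/`makeDocument` helpers and the URLs `victim.example`/`framer.example` are constructed for this demonstration.

```javascript
// Added example (not from the slides): compares the classic frame buster with the
// hidden-by-default variant when the framing page blocks the escape navigation.

// Stand-in for a window. When framed, assigning top.location models the buster's
// escape attempt; with navigationBlocked the framer has suppressed it (constructed).
function makeWindow({ framed, navigationBlocked }) {
  const win = { location: "https://victim.example/", topNavigated: false };
  win.self = win;
  if (!framed) {
    win.top = win;
  } else {
    win.top = {
      get location() { return "https://framer.example/"; },
      set location(_url) { if (!navigationBlocked) win.topNavigated = true; },
    };
  }
  return win;
}

// Stand-in for a document whose <head> holds the <style id="antiClickjack"> element.
function makeDocument() {
  const head = {
    children: [],
    removeChild(el) { this.children = this.children.filter((c) => c !== el); },
  };
  head.children.push({ id: "antiClickjack", parentNode: head });
  return {
    getElementById(id) { return head.children.find((c) => c.id === id) || null; },
    // The body stays display:none for as long as the style element is attached.
    bodyVisible() { return !head.children.some((c) => c.id === "antiClickjack"); },
  };
}

// Port of the one-line buster from the slides. It never hides anything: if the
// counter-action is neutralised, the page stays fully visible inside the frame.
function naiveFrameBuster(win) {
  if (win.top.location != win.location) {
    win.top.location = win.self.location;
  }
  return { bodyVisible: true, escaped: win.topNavigated };
}

// Port of the Detlefsen et al. pattern: content is hidden until the page proves
// it is the top-level window, so a blocked escape still leaves nothing to tap.
function hardenedFrameBuster(win, doc) {
  if (win.self === win.top) {
    const antiClickjack = doc.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    win.top.location = win.self.location;
  }
  return { bodyVisible: doc.bodyVisible(), escaped: win.topNavigated };
}

// Runs both busters through the three situations that matter.
function runScenarios() {
  const scenarios = {
    notFramed: { framed: false, navigationBlocked: false },
    framedEscapeAllowed: { framed: true, navigationBlocked: false },
    framedEscapeBlocked: { framed: true, navigationBlocked: true },
  };
  const results = {};
  for (const [name, cfg] of Object.entries(scenarios)) {
    results[name] = {
      naive: naiveFrameBuster(makeWindow(cfg)),
      hardened: hardenedFrameBuster(makeWindow(cfg), makeDocument()),
    };
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(runScenarios())) {
    console.log(name, "naive:", r.naive, "hardened:", r.hardened);
  }
}
```

The `framedEscapeBlocked` row is the one to look at: the naive buster reports `bodyVisible: true, escaped: false` (the page is framed, visible and clickable), while the hardened one reports `bodyVisible: false, escaped: false` (framed, but blank). The hardened version fails closed because the conditional only ever removes protection; it never has to add it.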
X-Frame-Options: HTTP header developed by Microsoft in 2008. Tells the browser whether a website may be loaded in a frame or not.
- DENY
- SAMEORIGIN
- ALLOW-FROM origin
Restricted to modern browsers such as Firefox ≥ 3.6.9, Opera ≥ 10.5, and IE ≥ 8.
Content Security Policy
Old CSP: aside from the framing protection (frame-ancestors), one can also address other targets, such as preventing data injection attacks or cross-site scripting.
New CSP: focus on sandboxing and source specification of style sheets, script files and similar issues.
| Browser | Engine | XFO | oCSP | nCSP |
|---|---|---|---|---|
| Android – 4.0.3 | WebKit | ✓ | ✗ | ✗ |
| Dolphin – 8.7.0 | WebKit | ✓ | ✗ | ✗ |
| Firefox – 4.0.3 | Gecko | ✓ | ✓ | ✗ |
| Opera Mini – 7.0 | Presto | ✓ | ✗ | ✗ |
| Opera Mobile – 12.00 | Presto | ✓ | ✗ | ✗ |
Sites sending a CSP header among the Alexa top lists:

| Alexa | X-CSP | X-WebKit-CSP |
|---|---|---|
| TOP-100,000 | 3 | 1 |
| TOP-500,000 | 9 | 1 |
| TOP-1,000,000 | 18 | 1 |
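Whether a response is actually protected against framing depends on which of these headers it sends and on which embedder is asking, so a checker has to evaluate the three X-Frame-Options values and the `frame-ancestors` source list together. The following is an added example, not code from the slides or the paper: a Node function that takes a response's headers and decides whether a page at `pageUrl` may be framed by `embedderUrl`. It goes slightly beyond the slides in that it also handles the standard `Content-Security-Policy` header name and gives `frame-ancestors` precedence over X-Frame-Options, which is the CSP Level 2 rule; the older browsers in the table above only knew XFO and would fall through to it. "X-CSP" in the table is taken to mean the legacy `X-Content-Security-Policy` header (an assumption), and the sample responses and hostnames are constructed.

```javascript
// Added example (not from the slides): framing-policy evaluation over XFO and CSP
// frame-ancestors. Header names, sample responses and hostnames are constructed.

// CSP header names, most recent first. X-CSP from the table is assumed to be the
// legacy X-Content-Security-Policy spelling.
const CSP_HEADERS = ["content-security-policy", "x-content-security-policy", "x-webkit-csp"];

// Case-insensitive lookup over a plain {name: value} header object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// Does one frame-ancestors source expression match the embedding origin?
// Handles 'none', *, 'self', scheme-only sources and host sources with an
// optional scheme, wildcard subdomain and port. Path sources are not handled.
function sourceMatches(source, pageOrigin, embedderOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return embedderOrigin === pageOrigin;
  const e = new URL(embedderOrigin);
  const ePort = e.port || (e.protocol === "https:" ? "443" : "80");
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return e.protocol === s;        // e.g. "https:"
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && e.protocol !== scheme + ":") return false;
  if (port && port !== "*" && port !== ePort) return false;
  if (host.startsWith("*.")) {
    const suffix = host.slice(1);                                       // ".example.com"
    return e.hostname.endsWith(suffix) && e.hostname.length > suffix.length;
  }
  return e.hostname === host;
}

// null = no frame-ancestors directive in this policy; true/false otherwise.
// An empty source list is equivalent to 'none'.
function frameAncestorsAllows(cspValue, pageOrigin, embedderOrigin) {
  const directive = cspValue.split(";").map((d) => d.trim().split(/\s+/))
    .find((parts) => parts[0].toLowerCase() === "frame-ancestors");
  if (!directive) return null;
  const sources = directive.slice(1).filter((x) => x.length > 0);
  if (sources.length === 0) return false;
  return sources.some((src) => sourceMatches(src, pageOrigin, embedderOrigin));
}

// null = value not recognised; true/false otherwise. ALLOW-FROM compares origins only.
function xfoAllows(xfoValue, pageOrigin, embedderOrigin) {
  const v = xfoValue.trim().toUpperCase();
  if (v === "DENY") return false;
  if (v === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  const m = v.match(/^ALLOW-FROM\s+(\S+)$/);
  if (!m) return null;
  try { return new URL(m[1].toLowerCase()).origin === embedderOrigin; } catch { return null; }
}

// Verdict for one response: may pageUrl be framed by embedderUrl?
function framingAllowed(headers, pageUrl, embedderUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const embedderOrigin = new URL(embedderUrl).origin;
  for (const name of CSP_HEADERS) {
    const value = getHeader(headers, name);
    if (value === null) continue;
    const verdict = frameAncestorsAllows(value, pageOrigin, embedderOrigin);
    if (verdict !== null) return { allowed: verdict, reason: `${name}: frame-ancestors` };
  }
  const xfo = getHeader(headers, "x-frame-options");
  if (xfo !== null) {
    const verdict = xfoAllows(xfo, pageOrigin, embedderOrigin);
    if (verdict !== null) return { allowed: verdict, reason: "x-frame-options" };
    // Browser handling of invalid XFO values differs; reported as unprotected here.
    return { allowed: true, reason: "x-frame-options: unrecognised value" };
  }
  return { allowed: true, reason: "no framing protection header" };
}

// Constructed sample responses, one per protection style seen on the slides.
const SAMPLE_RESPONSES = {
  xfoDeny:   { "X-Frame-Options": "DENY" },
  xfoSame:   { "X-Frame-Options": "SAMEORIGIN" },
  xfoAllow:  { "X-Frame-Options": "ALLOW-FROM https://app.partner.example" },
  legacyCsp: { "X-Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
  both:      { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'self'" },
  none:      { "Content-Type": "text/html" },
};

// Evaluates every sample against a same-origin, a partner and an unrelated embedder.
function demo() {
  const page = "https://bank.example/transfer";
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = {
      self:    framingAllowed(headers, page, "https://bank.example/").allowed,
      partner: framingAllowed(headers, page, "https://app.partner.example/").allowed,
      other:   framingAllowed(headers, page, "https://evil.example/").allowed,
    };
  }
  return out;
}
```

`demo()` returns one row per sample; the `both` row shows the precedence point (the CSP `frame-ancestors 'self'` lets the same-origin embedder in even though XFO says DENY), and the `none` row is what the Alexa counts above imply for almost every site: framable from anywhere. In a response-header audit, `framingAllowed` would be called with the live headers and the embedding origins you actually care about.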
5.2. Tapjacking Defense Mechanisms
Android touch filter: blocks touch gestures received whenever the view's window is obscured.
`setFilterTouchesWhenObscured()` or, alternatively, the attribute `android:filterTouchesWhenObscured`
Not enabled by default, and only available in Android versions higher than 2.2.
Tapjacking Security Layer (TSL): should be implemented by the Android team into the kernel in the near future.
It opens automatically once a user starts an application. It is always in the background and remains open until the application in its foreground gets closed.
A touch gesture on the TSL will be blocked.
6. Conclusion and outlook
Most of the existing UI redressing attacks can be used with very little effort.
There are a lot of countermeasures: frame buster, XFO, and the CSP.
We have introduced a browserless UI redressing attack and a new security layer against tapjacking attacks.
We must recommend that vendors of security software urgently implement our TSL.
HTML5 and CSS3 drafts are partially implemented in Web browsers. The field of attacks will continuously expand: a long-lasting 'cat and mouse game'.
Thank you for your attention.
Any questions?