Peeking into your app without actually seeing it: UI state inference and novel android attacks (2014)
| Content Provider | CiteSeerX |
|---|---|
| Author | Chen, Qi Alfred; Qian, Zhiyun; Mao, Z. Morley |
| Description | In Proc. USENIX Security. The security of smartphone GUI frameworks remains an important yet under-scrutinized topic. In this paper, we report that on the Android system (and likely other OSes), a weaker form of GUI confidentiality can be breached in the form of UI state (not the pixels) by a background app without requiring any permissions. Our finding leads to a class of attacks which we name UI state inference attack. The underlying problem is that popular GUI frameworks by design can potentially reveal every UI state change through a newly-discovered public side channel — shared memory. In our evaluation, we show that for 6 out of 7 popular Android apps, the UI state inference accuracies are 80–90% for the first candidate UI states, and over 93% for the top 3 candidates. Even though the UI state does not reveal the exact pixels, we show that it can serve as a powerful building block to enable more serious attacks. To demonstrate this, we design and fully implement several new attacks based on the UI state inference attack, including hijacking the UI state to steal sensitive user input (e.g., login credentials) and obtain sensitive camera images shot by the user (e.g., personal check photos for banking apps). We also discuss non-trivial challenges in eliminating the identified side channel, and suggest more secure alternative system designs. |
| File Format | |
| Language | English |
| Publisher Date | 2014-01-01 |
| Access Restriction | Open |
| Content Type | Text |
| Resource Type | Article |