HIJACKING ATTACKS ON ANDROID DEVICES
By Marcus Niemietz, Chair for Network and Data Security, Ruhr-University Bochum, Germany
PHD, May 2012
• University: research assistant @NDS
• Web application security: penetration tests, security trainings
• Book author: Clickjacking
• International speaker
@mniemietz
Introduction
Attacks and their Countermeasures
Visual Spoofing
UI Redressing
Chrome to Phone Attack
Tapjacking
Conclusion and Outlook
We will answer these two questions in this talk
Are there any UI redressing attacks for Web browsers under Android devices?
Can we hijack a touch gesture on a display without using a Web browser?
Introduction
Linux-based OS
For mobile devices
Smartphones
Tablet computers
Television
Developer: Open Handset Alliance
Led by Google
Initial release in September 2008
Android 4.0.3 in December 2011
ABOUT ANDROID
[Chart: Worldwide smartphone sales, 3Q2010 vs. 3Q2011, by platform (Android, Symbian, iOS, RIM, Others); y-axis 0 to 150,000,000 units. Source: Gartner (November 2011)]
[Chart: Android version distribution (2.1, 2.2, 2.3.3 - 2.3.7, Other); x-axis 0 to 60 percent. Source: Android.com; 14-day period data ending February 1, 2012]
[Screenshots: Android 4.0 and Android 2.3.3]
Attacks and their Countermeasures
Visual Spoofing
VISUAL SPOOFING
Imitate the look and feel of a trusted website
Usually hosted on an attacker's web server
Example: Amazon.co.uk
Using the natively implemented Web browser
[Screenshots: Amazon: Home and Amazon: Sign In next to Attacker: Home and Attacker: Sign In]
VISUAL SPOOFING
Attackable address bar with https:// support
Countermeasure (more or less)
Use short URLs like m.amazon.co.uk instead of mobile-www.amazon.co.uk
UI Redressing
UI redressing can be used to adjust the look as well as the behavior of a web page
Clickjacking
Text injections via drag-and-drop operations
Content extraction
Popup blocker bypasses
Event recycling
Strokejacking
SVG masking
➡ Desktop-based attacks on Web browsers were the primary focus in the past
CLASSIC CLICKJACKING
  <h1>Funny pictures</h1>
  <img src="lol.gif"><button>Click me</button>
  <iframe style="position:absolute; z-index:1;
                 opacity:0.0; filter:alpha(opacity=0);
                 left:-120px; top:95px;"
          width="300" height="200" src="http://www.bing.com">
  </iframe>
UI REDRESSING
What an attacker can do with UI redressing
Stealing cookies
Stealing all the files of a folder
Stealing files from the intranet or internet
Sending status messages in your name
Showing elements in another context
Controlling your add-on(s) on mobile devices
UI REDRESSING
Countermeasures
Frame buster
X-Frame-Options
Firefox and NoScript
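As an added example (not from the talk and not from any library), the following Java helper shows how an X-Frame-Options header decides whether a page such as the framed bing.com above may be embedded by another origin; the class and method names, and the attacker origin, are my own assumptions.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Illustrative helper (not from any library): decides whether a page served with
// the given response headers may be framed by a document from framerOrigin.
// Origins are compared as scheme://host[:port] strings.
public final class FramingPolicy {
    public enum Verdict { FRAMABLE, BLOCKED }

    public static Verdict evaluate(Map<String, String> headers,
                                   String pageOrigin, String framerOrigin) {
        String value = null;
        for (Map.Entry<String, String> h : headers.entrySet()) {
            if ("X-Frame-Options".equalsIgnoreCase(h.getKey())) {
                value = h.getValue().trim();
            }
        }
        if (value == null) {
            return Verdict.FRAMABLE;  // no header: any site may frame the page
        }
        String upper = value.toUpperCase(Locale.ROOT);
        if (upper.equals("DENY")) {
            return Verdict.BLOCKED;
        }
        if (upper.equals("SAMEORIGIN")) {
            return sameOrigin(pageOrigin, framerOrigin) ? Verdict.FRAMABLE : Verdict.BLOCKED;
        }
        if (upper.startsWith("ALLOW-FROM ")) {
            // Not every browser honours ALLOW-FROM; one that does not ignores the header.
            String allowed = value.substring("ALLOW-FROM ".length()).trim();
            return sameOrigin(allowed, framerOrigin) ? Verdict.FRAMABLE : Verdict.BLOCKED;
        }
        return Verdict.FRAMABLE;  // unknown value: browsers ignore it, page stays framable
    }

    private static boolean sameOrigin(String a, String b) {
        String x = a.endsWith("/") ? a.substring(0, a.length() - 1) : a;
        String y = b.endsWith("/") ? b.substring(0, b.length() - 1) : b;
        return x.equalsIgnoreCase(y);
    }

    public static void main(String[] args) {
        Map<String, String> headers = new HashMap<String, String>();
        headers.put("x-frame-options", "sameorigin");  // header names are case-insensitive
        String page = "http://www.bing.com";            // the framed page from the slide
        String attacker = "http://attacker.example";    // constructed sample origin
        System.out.println(evaluate(headers, page, attacker) + " " + evaluate(headers, page, page));
    }
}
```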
Chrome to Phone Attack
CHROME TO PHONE
Chrome extension(s)
One for your Google Chrome browser, the other for your Android device
Shares links, maps, selected phone numbers, and text between your computer and phone (Source: play.google.com)
CHROME TO PHONE
Simple example
Mark the text which should be transmitted
Two clicks: A right click on the selected text and a left click on Chrome to Phone
A Chrome extension is basically a compressed file with pictures as well as HTML5, JavaScript, and CSS code
Every extension has a unique identifier from Google Play (formerly the Google Chrome Market)
You can use it in combination with chrome-extension://
CHROME TO PHONE
Can attach content scripts to a Web page
JavaScript code
Access to the Document Object Model (DOM)
Can communicate with other components
JS runtimes have no access to each other
CHROME TO PHONE
Attacked by Krzysztof Kotowicz in Nov. 2011
Load resources via an iframe or a pop-up window
var popup = window.open('chrome-extension://aodbo...adc/popup.html');
CHROME TO PHONE
1. Open a pop-up which is able to receive some parameters from the content script code
2. The content script code sends a URL to the pop-up window
3. A link will be forwarded to the Android device
4. This link will be automatically opened in the Web browser (depends on the settings)
CHROME TO PHONE
Weakness in point 2: next to content_script.js there is also a manifest.json
The manifest.json file automatically adds content_script.js to every HTTP/HTTPS website and tab
We can use a pop-under here for the listener
Awesome attack for cross-device scripting
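A hardened manifest, added here as an illustration and not the Chrome to Phone project's actual manifest: the content script is limited to the pages it needs instead of every HTTP/HTTPS site, and no extension page such as popup.html is listed under web_accessible_resources, so a web page cannot load it through a chrome-extension:// URL. The extension name and the match pattern are assumptions.

```json
{
  "manifest_version": 2,
  "name": "Example extension (illustrative)",
  "version": "1.0",
  "content_scripts": [
    {
      "matches": ["https://example.com/*"],
      "js": ["content_script.js"]
    }
  ],
  "web_accessible_resources": []
}
```

With manifest_version 2, any extension resource not listed in web_accessible_resources is refused when a web page tries to frame or open it, which closes the pop-up channel used in step 1.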
Tapjacking
BAD MOBILE APPS
Trend Micro discovered 17 mobile apps with over 700,000 downloads in Google Play (May 2012)
10 apps delivered annoying and obtrusive ads
6 apps contain Plankton malware code
Application Name | Brief Behavior Description
Spy Phone PRO+ | Sends out GPS location, SMS and call log
NBA SQUADRE PUZZLE GAME | Pushes applications and advertisements to user
Cricket World Cup and Teams | Pushes applications and advertisements to user
TAPJACKING
David Richardson, 2010
Android trust model
An application is allowed to programmatically open a dialog but not to interact with it
Toast view to show a quick little message
[Screenshots: Ringer volume and Ringer volume - resize]
TAPJACKING
Jack Mannino published a proof of concept of a tapjacking attack one year later
Toast class
Use the default constant LENGTH_LONG to show the view or text notification for a long period of time
A message that looks like the target application
TAPJACKING
Code example for a tapjacking button
  mButton = new Button(this);
  mButton.getBackground().setAlpha(0); // like the CSS opacity property
  mButton.setOnTouchListener(this);    // needed for onTouch()
  // Layout parameters with an overlay
  WindowManager.LayoutParams params = new WindowManager ...
TAPJACKING
Contact data manipulation
Native browser utilization
Touch gestures logging
Predefined phone calls
Installing applications in the background
TAPJACKING
Protection mechanisms for applications available
Block touch gestures which are received whenever the view's window is obscured
setFilterTouchesWhenObscured() or alternatively the attribute android:filterTouchesWhenObscured
We can attack the home screen
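As an added example (not from the talk and not from the Android sources), a Button subclass for a sensitive action that enables the filter named above and also counts the touches the framework drops because another window covers it; the class name and getRejectedTouches() are my own.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;

// Illustrative button for a sensitive action (e.g. "Install" or "Call"); not from
// the talk or from the Android sources. It enables the touch filter and counts the
// touches the framework drops because another window covered this one.
public class ObscuredAwareButton extends Button {

    private int rejectedTouches = 0;

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout XML.
        setFilterTouchesWhenObscured(true);
    }

    // Called for every touch once filtering is enabled. The inherited implementation
    // already discards events carrying FLAG_WINDOW_IS_OBSCURED; overriding it lets
    // the app notice that it is being overlaid, e.g. to log it or warn the user.
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            rejectedTouches++;
            return false;  // do not deliver the touch to onTouch()/onClick()
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    public int getRejectedTouches() {
        return rejectedTouches;
    }
}
```

The filter only protects views inside the app's own window, which is why the home screen attack mentioned above is out of its reach.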
TAPJACKING
Countermeasure
A defense application which always sits behind a loaded application
We are able to block home screen attacks, too
More information soon
Conclusion and Outlook
UI redressing and especially clickjacking attacks are very dangerous
We have browser-based and browserless UI redressing attacks
There are protection mechanisms to provide a certain degree of client-side security
There will be more attacks in the future
REFERENCES
Android.com, Platform versions dashboard, http://developer.android.com/resources/dashboard/platform-versions.html
Framing Attacks on Smart Phones and Dumb Routers: Tap-jacking and Geo-localization Attacks, http://seclab.stanford.edu/websec/framebusting/tapjacking.pdf
Marcus Niemietz (Apr. 2012), Clickjacking und UI-Redressing
Paul Stone (Apr. 2010), http://www.contextis.com/research/tools/clickjacking-tool/
Robert Hansen and Jeremiah Grossman (Dec. 2008), http://www.sectheory.com/clickjacking.htm
Krzysztof Kotowicz (Nov. 2011), http://blog.kotowicz.net/2011/11/html5-something-wicked-this-way-comes.html
Michal Zalewski (Dec. 2011), The Tangled Web: A Guide to Securing Modern Web Applications
Thank you for your attention.
Any questions?