DOI: 10.1145/3243734.3243785
Research article (Public Access)

ClickShield: Are You Hiding Something? Towards Eradicating Clickjacking on Android

Published: 15 October 2018

Abstract

In the context of mobile-based user-interface (UI) attacks, the common belief is that clickjacking is a solved problem. On the contrary, this paper shows that clickjacking is still an open problem for mobile devices. In fact, all known academic and industry solutions are either not effective or not applicable in the real world for backward-compatibility reasons. This work shows that, as a consequence, even popular and sensitive apps like the Google Play Store remain, to date, completely unprotected from clickjacking attacks. After gathering insights into how apps use the user interface, this work performs a systematic exploration of the design space for an effective and practical protection against clickjacking attacks. We then use this exploration to guide the design of ClickShield, a new defensive mechanism. To address backward-compatibility issues, our design allows overlays to cover the screen, and we employ image analysis techniques to determine whether the user could be confused. We have implemented a prototype and tested it against ClickBench, a newly developed benchmark specifically tailored to stress-test clickjacking protection solutions. This dataset consists of 104 test cases, and it includes real-world and simulated benign and malicious examples that evaluate the system across a wide range of legitimate and attack scenarios. The results show that our system is able to address backward-compatibility concerns, detects all known attacks (including a never-before-seen real-world malware sample that was published after we developed our solution), and introduces negligible overhead.

Supplementary Material

MP4 File (p1120-possemato.mp4)



    Published In

    CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
    October 2018
    2359 pages
    ISBN:9781450356930
    DOI:10.1145/3243734
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. android security
    2. clickjacking
    3. mobile security

    Qualifiers

    • Research-article

    Funding Sources

    • DARPA

    Conference

    CCS '18

    Acceptance Rates

    CCS '18 Paper Acceptance Rate: 134 of 809 submissions, 17%
    Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (last 12 months): 153
    • Downloads (last 6 weeks): 26
    Reflects downloads up to 03 Oct 2024

    Cited By

    • (2024) A Systematic Deconstruction of Human-Centric Privacy & Security Threats on Mobile Phones. International Journal of Human–Computer Interaction, pp. 1-24. DOI: 10.1080/10447318.2024.2361519. Online publication date: 12 Jun 2024.
    • (2023) vWitness: Certifying Web Page Interactions with Computer Vision. 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 431-444. DOI: 10.1109/DSN58367.2023.00048. Online publication date: Jun 2023.
    • (2023) Exploiting Android Browser. Cryptology and Network Security, pp. 162-185. DOI: 10.1007/978-981-99-7563-1_8. Online publication date: 31 Oct 2023.
    • (2022) Detection and Analysis Ads Through the Mini-Programs. International Journal of Interdisciplinary Telecommunications and Networking, 14(1), pp. 1-13. DOI: 10.4018/IJITN.309700. Online publication date: 30 Sep 2022.
    • (2022) Too Much Accessibility is Harmful! Automated Detection and Analysis of Overly Accessible Elements in Mobile Apps. Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, pp. 1-13. DOI: 10.1145/3551349.3560424. Online publication date: 10 Oct 2022.
    • (2022) HearMeOut. Proceedings of the 20th Annual International Conference on Mobile Systems, Applications and Services, pp. 422-435. DOI: 10.1145/3498361.3538939. Online publication date: 27 Jun 2022.
    • (2022) SoK. Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, pp. 616-629. DOI: 10.1145/3488932.3517417. Online publication date: 30 May 2022.
    • (2022) Web Security and Single Sign-On Protocols. Guide to Internet Cryptography, pp. 467-503. DOI: 10.1007/978-3-031-19439-9_20. Online publication date: 26 Nov 2022.
    • (2021) A Security Analysis of Blockchain-Based Did Services. IEEE Access, 9, pp. 22894-22913. DOI: 10.1109/ACCESS.2021.3054887. Online publication date: 2021.
    • (2021) Clickjacking: Beware of Clicking. Wireless Personal Communications. DOI: 10.1007/s11277-021-08852-y. Online publication date: 1 Sep 2021.
