Activity Spoofing and Its Defense in Android Smartphones

  • Brett Cooley
  • Haining Wang
  • Angelos Stavrou
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8479)

Abstract

Smartphones have become ubiquitous in today’s digital world as a mobile platform allowing anytime access to email, social platforms, banking, and shopping. Many providers supply native applications as a way to access their services, allowing users to log in directly through a downloadable app. In this paper, we first expose a security vulnerability in the Android framework that allows third-party apps to spoof native app activities, or screens. This can lead to a wide variety of security risks, including the capture and silent exfiltration of login credentials and private data. We then compare current defense mechanisms and introduce the concept of Trusted Activity Chains as a lightweight protection against common spoofing attacks. We develop a proof-of-concept implementation and evaluate its effectiveness and performance overhead.

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Brett Cooley (1)
  • Haining Wang (1)
  • Angelos Stavrou (2)
  1. The College of William and Mary, Williamsburg, USA
  2. George Mason University, Fairfax, USA