Abstract
Android permission is a system of safeguards designed to restrict access to potentially sensitive data and privileged components. While third-party applications are restricted from accessing privileged resources without appropriate permissions, mobile browsers are treated by Android OS differently. Android mobile browsers are the privileged applications that have access to sensitive data based on the permissions implicitly granted to them. In this paper, we present a novel attack approach that allows a permission-less app to access sensitive data and privileged resources using mobile browsers as a proxy. We demonstrate the effectiveness of our proxy attack on 8 mobile browsers across 12 Android devices ranging from Android 8.1 to Android 13. Our findings show that all current versions of Android mobile browsers are susceptible to this attack. The findings of this study highlight the need for improved security measures in Android browsers to protect against privilege escalation and privacy leakage.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
CVE-2021-0954: https://www.cvedetails.com/cve/CVE-2021-0954/, CVE-2021-39692: https://www.cvedetails.com/cve/CVE-2021-39692/,.
- 3.
- 4.
- 5.
- 6.
References
Aafer, Y., Tao, G., Huang, J., Zhang, X., Li, N.: Precise Android API protection mapping derivation and reasoning. In: Proceedings of the 2018 ACM SIGSAC CCS, pp. 1151–1164. ACM, New York (2018)
Aldoseri, A., Oswald, D.: Insecure://vulnerability analysis of URI scheme handling in Android mobile browsers. In: Proceedings of the Workshop on MADWeb (2022)
Alepis, E., Patsakis, C.: Trapped by the UI: the Android case. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 334–354. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_15
Android: Permissions on Android (2022). https://developer.android.com/guide/topics/permissions/overview#system-components
Backes, M., Bugiel, S., Derr, E., Mcdaniel, P., Octeau, D., Weisgerber, S.: On demystifying the Android application framework: re-visiting Android permission specification analysis. In: USENIX Security Symposium (2016)
Bianchi, A., Corbetta, J., Invernizzi, L., Fratantonio, Y., Kruegel, C., Vigna, G.: What the app is that? Deception and countermeasures in the Android user interface. In: 2015 IEEE Symposium on Security and Privacy, pp. 931–948 (2015)
Block, K., Narain, S., Noubir, G.: An autonomic and permissionless Android covert channel. In: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 184–194 (2017)
Block, K., Noubir, G.: My magnetometer is telling you where I’ve been? A mobile device permissionless location attack. In: Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks, pp. 260–270 (2018)
Calciati, P., Kuznetsov, K., Gorla, A., Zeller, A.: Automatically granted permissions in Android apps: an empirical study on their prevalence and on the potential threats for privacy. In: Proceedings of the 17th International Conference on MSR, pp. 114–124. ACM, New York (2020)
Contributors, M.: Navigator: devicememory property (2023). https://developer.mozilla.org/en-US/docs/Web/API/Navigator/deviceMemory
Egners, A., Meyer, U., Marschollek, B.: Messing with Android’s permission model. In: 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 505–514. IEEE (2012)
Felt, A.P., Wagner, D.: Phishing on mobile devices. In: W2SP (2011)
Fernandes, E., et al.: Android UI deception revisited: attacks and defenses. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 41–59. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_3
Fratantonio, Y., Qian, C., Chung, S.P., Lee, W.: Cloak and dagger: from two permissions to complete control of the UI feedback loop. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 1041–1057. IEEE (2017)
Garg, S., Baliyan, N.: Comparative analysis of Android and iOS from security viewpoint. Comput. Sci. Rev. 40, 100372 (2021)
Gibler, C., Crussell, J., Erickson, J., Chen, H.: AndroidLeaks: automatically detecting potential privacy leaks in Android applications on a large scale. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) Trust 2012. LNCS, vol. 7344, pp. 291–307. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30921-2_17
GOOGLE: Permissions and APIs that Access Sensitive Information (2020). https://support.google.com/googleplay/android-developer/answer/9888170?hl=en &ref_topic=9877467
Google: Android developers reference (2022). https://developer.android.com/reference/android/R.attr#protectionLevel
Google: Android Security Bulletin-December 2021 (2022). https://source.android.com/docs/security/bulletin/2021-12-01#system
Google: Android Security Bulletin-March 2022 (2022). https://source.android.com/docs/security/bulletin/2022-03-01#framework
Google: Android Security Bulletin-September 2017 (2022). https://source.android.com/docs/security/bulletin/2017-09-01#2017-09-01-details
Google: Android Debug Bridge (ADB) (2023). https://developer.android.com/studio/command-line/adb
Google: Behavior changes: all apps (2023). https://developer.android.com/about/versions/12/behavior-changes-all#untrusted-touch-events
Google: Features and APIs Overview (2023). https://developer.android.com/about/versions/12/features#pixel-phishing-detection
Google: Tapjacking (2023). https://developer.android.com/topic/security/risks/tapjacking
GOOGLE: Use of the broad package (App) visibility (QUERY_ALL_PACKAGES) permission (2023). https://support.google.com/googleplay/android-developer/answer/10158779?hl=en
Google: View(Security) (2023). https://developer.android.com/reference/android/view/View#security
Hartzheim, A.: Technical analysis of duckduckgo privacy essentials (part 1) (2021). https://austinhartzheim.me/blog/2021/06/27/ddg-technical-analysis-part-1.html
Hassanshahi, B., Jia, Y., Yap, R.H.C., Saxena, P., Liang, Z.: Web-to-application injection attacks on Android: characterization and detection. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 577–598. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_29
Li, L., Bissyandé, T.F., Le Traon, Y., Klein, J.: Accessing inaccessible Android APIs: an empirical study. In: 2016 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 411–422 (2016)
Luo, T., Jin, X., Ananthanarayanan, A., Du, W.: Touchjacking attacks on web in Android, iOS, and Windows phone. In: Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Miri, A., Tawbi, N. (eds.) FPS 2012. LNCS, vol. 7743, pp. 227–243. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37119-6_15
Narain, S., Vo-Huu, T.D., Block, K., Noubir, G.: Inferring user routes and locations using zero-permission mobile sensors. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 397–413. IEEE (2016)
Niemietz, M., Schwenk, J.: UI Redressing Attacks on Android Devices. Black Hat Abu Dhabi (2012)
Olejnik, Ł, Acar, G., Castelluccia, C., Diaz, C.: The leaking battery: a privacy analysis of the HTML5 battery status API. In: Garcia-Alfaro, J., Navarro-Arribas, G., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/QASA -2015. LNCS, vol. 9481, pp. 254–263. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29883-2_18
Possemato, A., Lanzi, A., Chung, S.P.H., Lee, W., Fratantonio, Y.: Clickshield: are you hiding something? Towards eradicating clickjacking on Android. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1120–1136 (2018)
Qiu, Y.: Tapjacking: an untapped threat in Android. Trend Micro, [H\(\lambda \)\(\varepsilon \)\(\kappa \)\(\tau \)\(\rho \)o\(\nu \)\(\iota \)\(\kappa \)ó] (2012). http://blog.trendmicro.com/trendlabs-security-intelligence/tapjacking-an-untapped-threat-inandroid/. [\(\Pi \)\(\rho \)ó\(\sigma \)\(\beta \)\(\alpha \)\(\sigma \)\(\eta \) 7 12 2016]
Reardon, D.: Measuring the prevalence of browser fingerprinting within browser extensions (2018)
Rydstedt, G., Gourdin, B., Bursztein, E., Boneh, D.: Framing attacks on smart phones and dumb routers: tap-jacking and geo-localization attacks. In: Proceedings of the 4th USENIX Conference on Offensive Technologies, pp. 1–8 (2010)
Shao, Y., Chen, Q.A., Mao, Z.M., Ott, J., Qian, Z.: Kratos: discovering inconsistent security policy enforcement in the Android framework. In: NDSS (2016)
Statista: Mobile Android operating system market share by version worldwide from January 2018 to January 2023 (2023). https://www.statista.com/statistics/921152/mobile-android-version-share-worldwide/
Wang, S., et al.: Implication of animation on Android security. In: 2022 IEEE 42nd International Conference on Distributed Computing Systems (ICDCS), pp. 1122–1132 (2022)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Kar, A., Stakhanova, N. (2023). Exploiting Android Browser. In: Deng, J., Kolesnikov, V., Schwarzmann, A.A. (eds) Cryptology and Network Security. CANS 2023. Lecture Notes in Computer Science, vol 14342. Springer, Singapore. https://doi.org/10.1007/978-981-99-7563-1_8
Download citation
DOI: https://doi.org/10.1007/978-981-99-7563-1_8
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7562-4
Online ISBN: 978-981-99-7563-1
eBook Packages: Computer ScienceComputer Science (R0)