Abstract
In this paper, we perform a thorough study on the risks imposed by the globally accessible Android Clipboard. Based on the risk assessment, we formulate a series of attacks and categorize them into two groups, i.e., manipulation and stealing. Clipboard data manipulation may lead to common code injection attacks, like JavaScript injection and command injection. Furthermore, it can also cause phishing attacks, including web phishing and app phishing. Data stealing happens when sensitive data copied into the clipboard is accessed by malicious applications. For each category of attack, we analyze a large number of candidate apps and show multiple case studies to demonstrate its feasibility. Also, our app analysis process is formulated to benefit future app development and vulnerability detection. After a comprehensive exposure of the risk, we briefly discuss some potential solutions.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
About the Clipboard, http://msdn.microsoft.com/en-us/library/windows/desktop/ms649012v=vs.85.aspx
AndroGuard, http://code.google.com/p/androguard/
Android Malware Genome Project, http://www.malgenomeproject.org/
Android Scheme, http://developer.android.com/reference/org/apache/http/conn/scheme/Scheme.html
Android Terminal, https://play.google.com/store/apps/details?id=com.linxmap.androidterminal&hl=en
Clipboard Hijack Attack, http://whatis.techtarget.com/definition/clipboard-hijack-attack
Firefox Disallows javascript in its URL Bar, https://bugzilla.mozilla.org/show_bug.cgi?id=656433
Get It Done Task List, https://play.google.com/store/apps/details?id=com.marcucio.getitdone&hl=en
HttpOnly, https://www.owasp.org/index.php/HttpOnly
iOS SDK: Working with URL Schemes, http://mobile.tutsplus.com/tutorials/iphone/ios-sdk-working-with-url-schemes/
JSLint, http://www.jslint.com/
Marine Martial Arts MCRP 3-02B, https://play.google.com/store/apps/details?id=com.appopus.MCRP_3_02B&hl=en
Pasting a javascript: url from the omnibar removes the protocol, http://code.google.com/p/chromium/issues/detail?id=85232
Phishing, http://en.wikipedia.org/wiki/Phishing
Phishing Techniques, http://www.phishing.org/phishing-techniques/
PhoneGap: Easily create apps using the web technologies you know and love: HTML, CSS and JavaScript, http://phonegap.com
phpBB, https://www.phpbb.com/
RSA’s October Online Fraud Report, including summary of Phishing and Social Networking (2012), http://brianpennington.co.uk/2012/10/25/rsas-october-online-fraud-report-2012-including-summary-of-phishing-and-social-networking/
Same-origin policy, http://en.wikipedia.org/wiki/Same-origin_policy
Samsung Smart TV Now, https://play.google.com/store/apps/details?id=com.samsung.videocloud
Self-XSS Attack Explained, https://www.facebook.com/photo.php?v=956977232793
Self XSS protection bypass to paste and execute Javascript in the address-bar, https://code.google.com/p/chromium/issues/detail?id=123213
Statistics and Facts about Android, http://www.statista.com/topics/876/android/
Aafer, Y., Du, W., Yin, H.: DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (eds.) SecureComm 2013. LNICST, vol. 127, pp. 86–103. Springer, Heidelberg (2013)
Android-Team. WebView Class Reference, http://developer.android.com/reference/android/webkit/WebView.html
Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: PScout: analyzing the Android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security (2012)
Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008)
Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.-R.: Xmandroid: A new android evolution to mitigate privilege escalation attacks. Technical Report TR-2011-04, Technische Universität Darmstadt (April 2011)
Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.R., Shastry, B.: Towards Taming Privilege-Escalation Attacks on Android. In: Proceedings of the 19th Annual Network & Distributed System Security Symposium (NDSS), San Diego, California, USA (February 2012)
Bugiel, S., Heuser, S., Sadeghi, A.R.: Flexible and fine-grained mandatory access control on android for diverse security and privacy policies. In: 22nd USENIX Security Symposium (USENIX Security 2013), USENIX (August 2013)
Chan, P.P.F., Hui, L.C.K., Yiu, S.M.: DroidChecker: analyzing Android applications for capability. In: Proceedings of the Fifth ACM conference on Security and Privacy in Wireless and Mobile Networks (2012)
Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing Inter-Application Communication in Android (June 2011)
Davi, L., Dmitrienko, A., Sadeghi, A., Winandy, M.: Privilege Escalation Attacks on Android. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, Chicago, IL, USA (October 2010)
Dietz, M., Shekhar, S., Pisetsky, Y., Shu, A., Wallach, D.S.: Quire: lightweight provenance for smart phone operating systems. In: Proceedings of the 20th USENIX Conference on Security Symposium (2011)
Enck, W., Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (2010)
Fahl, S., Harbach, M., Oltrogge, M., Muders, T., Smith, M.: Hey, you, get off of my clipboard - on how usability trumps security in android password managers. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 144–161. Springer, Heidelberg (2013)
Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (2011)
Felt, A.P., Wang, H.J., Moshchuk, A., Hanna, S., Chin, E.: Permission re-delegation: attacks and defenses. In: Proceedings of the 20th USENIX Conference on Security Symposium (2011)
Grace, M., Zhou, Y., Wang, Z., Jiang, X.: Systematic Detection of Capability Leaks in Stock Android Smartphones. In: Proceedings of the 19th Annual Network & Distributed System Security Symposium (2012)
Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: These aren’t the droids you’re looking for: retrofitting android to protect data from imperious applications. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (2011)
Johns, M.: SessionSafe: Implementing XSS Immune Session Handling. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 444–460. Springer, Heidelberg (2006)
Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on WebView in the Android System. In: Annual Computer Security Applications Conference, ACSAC (2011)
Martin, M., Lam, M.S.: Automatic Generation of XSS and SQL Injection Attacks with Goal-Directed Model Checking. In: USENIX-SS (2008)
Nauman, M., Khan, S., Zhang, X.: Apex: extending Android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (2010)
Ongtang, M., McLaughlin, S., Enck, W., McDaniel, P.: Semantically Rich Application-Centric Security in Android. In: Proceedings of the 2009 Annual Computer Security Applications Conference (2009)
Pearce, P., Felt, A.P., Nunez, G., Wagner, D.: AdDroid: Privilege Separation for Applications and Advertisers in Android. In: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (2012)
Shekhar, S., Dietz, M., Wallach, D.S.: AdSplit: Separating Smartphone Advertising from Applications. In: Proceedings of the 21st USENIX Conference on Security Symposium (2012)
Smalley, S., Craig, R.: Security Enhanced (SE) Android: Bringing Flexible MAC to Android. In: 20th Annual Network and Distributed System Security Symposium (NDSS 2013), San Diego, CA (February 2013)
Ter Louw, M., Bisht, P., Venkatakrishnan, V.N.: Analysis of Hypertext Isolation Techniques for {XSS} Prevention. In: Web 2.0 Security and Privacy (May 2008)
Wang, R., Xing, L., Wang, X., Chen, S.: Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation. In: ACM Conference on Computer and Communications Security (ACM CCS), Berlin, Germany (2013)
Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: ICSE (2008)
Xu, R., Saïdi, H., Anderson, R.: Aurasium: practical policy enforcement for Android applications. In: Proceedings of the 21st USENIX Conference on Security Symposium (2012)
Zhang, X., Ahlawat, A., Du., W.: AFrame: Isolating Advertisements from Mobile Applications in Android. In: Proceedings of the 29th Annual Computer Security Applications Conference (ACSAC), New Orleans, Louisiana, USA (December 2013)
Zhou, Y., Jiang, X.: Detecting Passive Content Leaks and Pollution in Android Applications. In: Proceedings of the 20th Network and Distributed System Security Symposium (NDSS), San Diego, CA (February 2013)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Zhang, X., Du, W. (2014). Attacks on Android Clipboard. In: Dietrich, S. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2014. Lecture Notes in Computer Science, vol 8550. Springer, Cham. https://doi.org/10.1007/978-3-319-08509-8_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-08509-8_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-08508-1
Online ISBN: 978-3-319-08509-8
eBook Packages: Computer ScienceComputer Science (R0)