Skip to main content
SpringerLink
Log in

Attacks on Android Clipboard

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8550))

Abstract

In this paper, we perform a thorough study on the risks imposed by the globally accessible Android Clipboard. Based on the risk assessment, we formulate a series of attacks and categorize them into two groups, i.e., manipulation and stealing. Clipboard data manipulation may lead to common code injection attacks, like JavaScript injection and command injection. Furthermore, it can also cause phishing attacks, including web phishing and app phishing. Data stealing happens when sensitive data copied into the clipboard is accessed by malicious applications. For each category of attack, we analyze a large number of candidate apps and show multiple case studies to demonstrate its feasibility. Also, our app analysis process is formulated to benefit future app development and vulnerability detection. After a comprehensive exposure of the risk, we briefly discuss some potential solutions.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. About the Clipboard, http://msdn.microsoft.com/en-us/library/windows/desktop/ms649012v=vs.85.aspx

  2. AndroGuard, http://code.google.com/p/androguard/

  3. Android Malware Genome Project, http://www.malgenomeproject.org/

  4. Android Scheme, http://developer.android.com/reference/org/apache/http/conn/scheme/Scheme.html

  5. Android Terminal, https://play.google.com/store/apps/details?id=com.linxmap.androidterminal&hl=en

  6. Clipboard Hijack Attack, http://whatis.techtarget.com/definition/clipboard-hijack-attack

  7. Firefox Disallows javascript in its URL Bar, https://bugzilla.mozilla.org/show_bug.cgi?id=656433

  8. Get It Done Task List, https://play.google.com/store/apps/details?id=com.marcucio.getitdone&hl=en

  9. HttpOnly, https://www.owasp.org/index.php/HttpOnly

  10. iOS SDK: Working with URL Schemes, http://mobile.tutsplus.com/tutorials/iphone/ios-sdk-working-with-url-schemes/

  11. JSLint, http://www.jslint.com/

  12. JSure, https://github.com/berke/jsure

  13. Marine Martial Arts MCRP 3-02B, https://play.google.com/store/apps/details?id=com.appopus.MCRP_3_02B&hl=en

  14. Pasting a javascript: url from the omnibar removes the protocol, http://code.google.com/p/chromium/issues/detail?id=85232

  15. Phishing, http://en.wikipedia.org/wiki/Phishing

  16. Phishing Techniques, http://www.phishing.org/phishing-techniques/

  17. PhoneGap: Easily create apps using the web technologies you know and love: HTML, CSS and JavaScript, http://phonegap.com

  18. phpBB, https://www.phpbb.com/

  19. RSA’s October Online Fraud Report, including summary of Phishing and Social Networking (2012), http://brianpennington.co.uk/2012/10/25/rsas-october-online-fraud-report-2012-including-summary-of-phishing-and-social-networking/

  20. Same-origin policy, http://en.wikipedia.org/wiki/Same-origin_policy

  21. Samsung Smart TV Now, https://play.google.com/store/apps/details?id=com.samsung.videocloud

  22. Self-XSS Attack Explained, https://www.facebook.com/photo.php?v=956977232793

  23. Self XSS protection bypass to paste and execute Javascript in the address-bar, https://code.google.com/p/chromium/issues/detail?id=123213

  24. Statistics and Facts about Android, http://www.statista.com/topics/876/android/

  25. Aafer, Y., Du, W., Yin, H.: DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (eds.) SecureComm 2013. LNICST, vol. 127, pp. 86–103. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  26. Android-Team. WebView Class Reference, http://developer.android.com/reference/android/webkit/WebView.html

  27. Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: PScout: analyzing the Android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security (2012)

    Google Scholar 

  28. Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23–43. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  29. Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.-R.: Xmandroid: A new android evolution to mitigate privilege escalation attacks. Technical Report TR-2011-04, Technische Universität Darmstadt (April 2011)

    Google Scholar 

  30. Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.R., Shastry, B.: Towards Taming Privilege-Escalation Attacks on Android. In: Proceedings of the 19th Annual Network & Distributed System Security Symposium (NDSS), San Diego, California, USA (February 2012)

    Google Scholar 

  31. Bugiel, S., Heuser, S., Sadeghi, A.R.: Flexible and fine-grained mandatory access control on android for diverse security and privacy policies. In: 22nd USENIX Security Symposium (USENIX Security 2013), USENIX (August 2013)

    Google Scholar 

  32. Chan, P.P.F., Hui, L.C.K., Yiu, S.M.: DroidChecker: analyzing Android applications for capability. In: Proceedings of the Fifth ACM conference on Security and Privacy in Wireless and Mobile Networks (2012)

    Google Scholar 

  33. Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing Inter-Application Communication in Android (June 2011)

    Google Scholar 

  34. Davi, L., Dmitrienko, A., Sadeghi, A., Winandy, M.: Privilege Escalation Attacks on Android. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, Chicago, IL, USA (October 2010)

    Google Scholar 

  35. Dietz, M., Shekhar, S., Pisetsky, Y., Shu, A., Wallach, D.S.: Quire: lightweight provenance for smart phone operating systems. In: Proceedings of the 20th USENIX Conference on Security Symposium (2011)

    Google Scholar 

  36. Enck, W., Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (2010)

    Google Scholar 

  37. Fahl, S., Harbach, M., Oltrogge, M., Muders, T., Smith, M.: Hey, you, get off of my clipboard - on how usability trumps security in android password managers. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 144–161. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  38. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (2011)

    Google Scholar 

  39. Felt, A.P., Wang, H.J., Moshchuk, A., Hanna, S., Chin, E.: Permission re-delegation: attacks and defenses. In: Proceedings of the 20th USENIX Conference on Security Symposium (2011)

    Google Scholar 

  40. Grace, M., Zhou, Y., Wang, Z., Jiang, X.: Systematic Detection of Capability Leaks in Stock Android Smartphones. In: Proceedings of the 19th Annual Network & Distributed System Security Symposium (2012)

    Google Scholar 

  41. Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: These aren’t the droids you’re looking for: retrofitting android to protect data from imperious applications. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (2011)

    Google Scholar 

  42. Johns, M.: SessionSafe: Implementing XSS Immune Session Handling. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 444–460. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  43. Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on WebView in the Android System. In: Annual Computer Security Applications Conference, ACSAC (2011)

    Google Scholar 

  44. Martin, M., Lam, M.S.: Automatic Generation of XSS and SQL Injection Attacks with Goal-Directed Model Checking. In: USENIX-SS (2008)

    Google Scholar 

  45. Nauman, M., Khan, S., Zhang, X.: Apex: extending Android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (2010)

    Google Scholar 

  46. Ongtang, M., McLaughlin, S., Enck, W., McDaniel, P.: Semantically Rich Application-Centric Security in Android. In: Proceedings of the 2009 Annual Computer Security Applications Conference (2009)

    Google Scholar 

  47. Pearce, P., Felt, A.P., Nunez, G., Wagner, D.: AdDroid: Privilege Separation for Applications and Advertisers in Android. In: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (2012)

    Google Scholar 

  48. Shekhar, S., Dietz, M., Wallach, D.S.: AdSplit: Separating Smartphone Advertising from Applications. In: Proceedings of the 21st USENIX Conference on Security Symposium (2012)

    Google Scholar 

  49. Smalley, S., Craig, R.: Security Enhanced (SE) Android: Bringing Flexible MAC to Android. In: 20th Annual Network and Distributed System Security Symposium (NDSS 2013), San Diego, CA (February 2013)

    Google Scholar 

  50. Ter Louw, M., Bisht, P., Venkatakrishnan, V.N.: Analysis of Hypertext Isolation Techniques for {XSS} Prevention. In: Web 2.0 Security and Privacy (May 2008)

    Google Scholar 

  51. Wang, R., Xing, L., Wang, X., Chen, S.: Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation. In: ACM Conference on Computer and Communications Security (ACM CCS), Berlin, Germany (2013)

    Google Scholar 

  52. Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: ICSE (2008)

    Google Scholar 

  53. Xu, R., Saïdi, H., Anderson, R.: Aurasium: practical policy enforcement for Android applications. In: Proceedings of the 21st USENIX Conference on Security Symposium (2012)

    Google Scholar 

  54. Zhang, X., Ahlawat, A., Du., W.: AFrame: Isolating Advertisements from Mobile Applications in Android. In: Proceedings of the 29th Annual Computer Security Applications Conference (ACSAC), New Orleans, Louisiana, USA (December 2013)

    Google Scholar 

  55. Zhou, Y., Jiang, X.: Detecting Passive Content Leaks and Pollution in Android Applications. In: Proceedings of the 20th Network and Distributed System Security Symposium (NDSS), San Diego, CA (February 2013)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Dept. of Electrical Engineering & Computer Science, Syracuse University, Syracuse, New York, USA

    Xiao Zhang & Wenliang Du

Authors
  1. Xiao Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Wenliang Du
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, Castle Point on Hudson, Stevens Institute of Technology, 07030, Hoboken, NJ, USA

    Sven Dietrich

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Zhang, X., Du, W. (2014). Attacks on Android Clipboard. In: Dietrich, S. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2014. Lecture Notes in Computer Science, vol 8550. Springer, Cham. https://doi.org/10.1007/978-3-319-08509-8_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-08509-8_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08508-1

  • Online ISBN: 978-3-319-08509-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation