Phishing Attacks on Modern Android
[Aonzo-CCS18] Aonzo, Simone, Alessio Merlo, Giulio Tavella, and Yanick Fratantonio, "Phishing Attacks on Modern Android", in Proceedings of the 25th ACM SIGSAC Conference on Computer and Communications Security, pp. 1788-1801, Toronto, Canada, 2018.
Introduction
• Mobile devices are becoming more significant
• More than half of worldwide website traffic is now generated by mobile devices
• Improving the user experience
Native Android
• To authenticate to the mobile back-end, users need to enter their credentials
• This creates the need for a more convenient and easy way of handling credentials
• To meet the needs of this demand, new features
Background
• APKs
• Google Play store
• Package names - constraints
• Sandboxed execution
• Intent system
Mobile password managers
• Initially developed for the web
• Password managers are now available for mobile devices
• Developed as apps
• Subject to Android's app sandboxing mechanisms
Android Password Manager Implementation
• 3 mechanisms act as the necessary building blocks for their implementation
• Accessibility Service (a11y for short)
  • allows apps to be “accessible” to users with disabilities
  • allows apps to interact with other apps
  • vulnerable to attacks
Android Password Manager Implementation
• Autofill Framework
  • implemented by Google
  • a new component of the Android Framework specifically developed to allow password managers to suggest and autofill credentials in mobile apps
Android Password Manager Implementation
• OpenYOLO
  • for storing and updating credentials for mobile apps
  • developed by Google and Dashlane
  • follows a different paradigm: requires modifications to each “client” and “server” app
• All 3 mechanisms are affected by design and implementation issues
The mapping problem
• Bridging the mobile world with the web world
• The app package name is the main abstraction used to identify an app
• How should password managers map package names to their associated websites?
Vulnerable Mappings
Types of mappings:
• Secure mapping
• Static one-to-one mapping
• Static many-to-one mapping
• Crowdsourced mapping
• Heuristic-based mapping
• No mapping
Characteristics:
• Domain names are trusted
• No authentication of package names
• No authority on “sub-packages”
Password managers
• An investigation into some of the most popular password manager apps
Instant Apps for UI control
• Implemented by Google
• Allow users to try an app without fully installing it
• Instant Apps give an attacker the ability to gain full control over the device UI without installing an application
PRACTICAL PHISHING ATTACKS
• End-to-end proof-of-concept attack
A SECURE-BY-DESIGN API
• The getVerifiedDomainNames() API
• Integration and implementation
• Practicality of adoption
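The mapping problem described above (a heuristic-based mapping that trusts unauthenticated package names and has no authority over “sub-packages”) set against the verified mapping that a getVerifiedDomainNames()-style API represents, as an added Python example that is not code from the paper or these slides: the heuristic mapper simply reverses package-name labels, while the verified mapper returns only domains whose Digital Asset Links statement names the exact package and its signing-certificate fingerprint. The assetlinks.json content, the certificate bytes and the `get_verified_domain_names` model are constructed assumptions of this example, not the paper's implementation.

```python
import hashlib
import json

# Relation used by Digital Asset Links statements that delegate credential sharing.
RELATION = "delegate_permission/common.get_login_creds"

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form used in assetlinks.json."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed stand-ins for the apps' DER signing certificates (not real certs).
BANK_CERT = b"constructed-bank-signing-cert"
OTHER_CERT = b"constructed-unrelated-signing-cert"

# Constructed statements, keyed by the domain that would serve them at
# https://<domain>/.well-known/assetlinks.json (inlined so the example runs offline).
ASSETLINKS = {
    "example.com": json.dumps([{
        "relation": [RELATION],
        "target": {"namespace": "android_app",
                   "package_name": "com.example.bank",
                   "sha256_cert_fingerprints": [cert_fingerprint(BANK_CERT)]},
    }]),
}

def heuristic_domain(package_name: str) -> str:
    """Heuristic-based mapping: reverse the first two package labels.
    Nothing is authenticated, and every 'sub-package' of com.example inherits the result."""
    labels = package_name.split(".")
    return ".".join(reversed(labels[:2]))

def get_verified_domain_names(package_name: str, cert_der: bytes, assetlinks=ASSETLINKS):
    """Secure mapping (hypothetical model of the proposed API): a domain is returned only
    if it publishes a statement naming this exact package AND this signing certificate."""
    fp = cert_fingerprint(cert_der)
    verified = []
    for domain, body in assetlinks.items():
        for stmt in json.loads(body):
            target = stmt.get("target", {})
            if (RELATION in stmt.get("relation", [])
                    and target.get("namespace") == "android_app"
                    and target.get("package_name") == package_name
                    and fp in target.get("sha256_cert_fingerprints", [])):
                verified.append(domain)
    return sorted(verified)
```

With the constructed data, the heuristic maps both `com.example.bank` and any `com.example.*` package to `example.com`, whereas the verified lookup returns `example.com` only for the exact package signed with the matching certificate.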
Thank you for your time. Any questions?