
Phishing Attacks on Modern Android


Presentation Transcript


  1. Phishing Attacks on Modern Android (CompSci 702, Sze-Meeng Tan)

  2. Introduction – Mobile password managers
     • Mobile traffic constitutes almost half of worldwide website traffic
     • Password managers (PMs) provide a practical way for users to use different pseudo-random passwords rather than a single shared password
     • Mobile password managers identify apps by their package names
     • The mappings between package names and domain names are vulnerable
     • Secure mechanisms either need support from the Android Framework or require modifications to each potential “client” app before they can be implemented

  3. Background
     • Apps are generally found and distributed via app stores
     • Side-loading is also possible
     • The package name is the main app identifier
     • Constraints and security guarantees
        • Apps are sandboxed; the Android permission system controls access to:
           • App information
           • Privacy-related functionality
           • Security-sensitive functionality
     • Inter-app communication happens via the Intent system

  4. Instant Apps
     • Let users “try” Android apps without fully installing them on their device
     • Each Instant App is associated with a URL pattern
     • The association is carried out through a multi-step procedure called App Link Verification, which relies on Digital Asset Links
     • An attacker can gain full UI control, unlike on a web page, where the attacker is constrained by the web browser

  5. Three mechanisms that PMs use for implementation
     • Accessibility Service
        • Allows apps to be “accessible” to users with disabilities
        • Allows apps to interact with other apps programmatically
     • Autofill Framework
        • A new component of the Android Framework
     • OpenYOLO (You Only Login Once)
        • Does not affect the Android Framework
        • Requires modifications to each “client” and “server” app

  6. Accessibility Service
     • Requires the BIND_ACCESSIBILITY_SERVICE permission
     • Receives callbacks from the system when “accessibility events” are fired, which reveal:
        • Which app the user is currently using
        • Whether there are text fields that could be filled with stored credentials
     • Has also been used for malicious functionality
        • Stealing the user’s personal information
        • Complete compromise of the device

  7. Autofill Framework
     • Requires the BIND_AUTOFILL_SERVICE permission
     • The service fills out forms by injecting data directly into the views
     • Views need XML attributes to be compatible with the framework:
        • importantForAutofill – whether the view is autofillable
        • autofillHints – what data to fill the view with
        • autofillType – the type of data to expect

  8. OpenYOLO
     • Does not require the Accessibility Service or the Autofill Framework
     • Requires modifications to both the client and the credential provider
     • The client interacts with the credential provider via the Intent mechanism

  9. The Mapping Problem
     • Credentials are generally used to authenticate to web service backends rather than to mobile apps
     • The question a PM has to answer is: “Which website is this package name associated with?”
     • Domain names are trusted, backed by the PKI (Public Key Infrastructure) and digital certificate ecosystem
     • Package names have no comparable authentication
     • There is no authority over “sub-packages”
        • E.g. the owner of the com.example package name has no control over com.example.evil

  10. Vulnerable Mappings
     • Secure mapping
        • Digital Asset Links (DAL) associate an app with a website via verifiable statements
        • The website publishes an “assets” file listing the apps legitimately associated with it
        • Each app is identified by its package name and by the hash of its legitimate signing key
     • Static one-to-one mapping
        • One package name to one domain name, e.g. com.facebook.katana to facebook.com
        • Credentials are shared even if the app is not the legitimate one

  11. Vulnerable Mappings
     • Static many-to-one mapping
        • N package names to one domain name
        • Needed for websites with multiple apps (e.g. tablet and mobile)
        • The user may have installed only one of the multiple apps
     • Crowdsourced mapping
        • A user inserts credentials for an app, linked to domain D, that the PM doesn’t know about
        • The PM asks to share the new mapping with other users
        • The package name does not even need to exist

  12. Vulnerable Mappings
     • Heuristic-based mapping
        • Applies heuristics to the package name
        • Can be gamed
     • No mapping
        • Suggests all stored credentials, associated with all websites
        • Simple but not secure

  13. Instant Apps for UI control
     • In a web browser, the user can check the domain name, whether the connection is made via HTTPS, and whether there is a valid SSL certificate
     • An Instant App can gain control of all the pixels on the screen without requesting any permission
        • Could resemble the real Facebook app
        • Could resemble the browser app

  14. Hidden Password Fields
     • Transparency
        • Alpha value of 0.01
     • Small size
        • 1dp x 1dp
     • Same-colour background and foreground
     • Yellow overlay with the Autofill Service
     • Invisible
        • A11y-based PMs do not autofill such fields, but the Autofill Service does
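The four hiding techniques on this slide are exactly what an autofill-based PM could screen for before injecting a credential. The following is an added example, not code from the paper or from any password manager: it models, in Python rather than Android Java, the subset of view attributes an autofill service receives and refuses to fill a password field that the user cannot actually see. The thresholds MIN_ALPHA and MIN_SIZE_DP, the ViewNode model and the sample view tree are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List

# Thresholds below which a field is treated as hidden from the user.
# These are assumptions for this example, not values from the Android Framework.
MIN_ALPHA = 0.5
MIN_SIZE_DP = 16


@dataclass(frozen=True)
class ViewNode:
    """Subset of what an autofill service sees for one view (constructed model)."""
    view_id: str
    autofill_hint: str          # value of the autofillHints attribute, e.g. "password"
    important_for_autofill: bool
    visible: bool               # False for View.INVISIBLE / View.GONE
    alpha: float                # 0.0 fully transparent .. 1.0 opaque
    width_dp: int
    height_dp: int
    text_color: int             # ARGB as Android stores colours, e.g. 0xFF000000
    background_color: int


def hidden_reasons(node: ViewNode) -> List[str]:
    """Return every reason this field would be invisible to the user (empty = looks normal)."""
    reasons = []
    if not node.visible:
        reasons.append("view is INVISIBLE/GONE")
    if node.alpha < MIN_ALPHA:
        reasons.append(f"alpha {node.alpha} below {MIN_ALPHA}")
    if node.width_dp < MIN_SIZE_DP or node.height_dp < MIN_SIZE_DP:
        reasons.append(f"size {node.width_dp}x{node.height_dp}dp below {MIN_SIZE_DP}dp")
    # Compare RGB only; the alpha channel is already handled above.
    if (node.text_color & 0x00FFFFFF) == (node.background_color & 0x00FFFFFF):
        reasons.append("text colour equals background colour")
    return reasons


def should_autofill_password(node: ViewNode) -> bool:
    """Fill only password fields the app marks fillable AND that the user can see."""
    return (node.important_for_autofill
            and node.autofill_hint == "password"
            and not hidden_reasons(node))


def fillable_password_fields(nodes: List[ViewNode]) -> List[str]:
    """IDs of the fields a cautious autofill service would offer credentials to."""
    return [n.view_id for n in nodes if should_autofill_password(n)]


# Constructed view tree: one genuine login field plus the four hiding techniques from the slide.
SAMPLE_TREE = [
    ViewNode("login_password", "password", True, True, 1.0, 300, 48, 0xFF000000, 0xFFFFFFFF),
    ViewNode("hidden_alpha", "password", True, True, 0.01, 300, 48, 0xFF000000, 0xFFFFFFFF),
    ViewNode("hidden_tiny", "password", True, True, 1.0, 1, 1, 0xFF000000, 0xFFFFFFFF),
    ViewNode("hidden_same_colour", "password", True, True, 1.0, 300, 48, 0xFFFFFFFF, 0xFFFFFFFF),
    ViewNode("hidden_invisible", "password", True, False, 1.0, 300, 48, 0xFF000000, 0xFFFFFFFF),
]

if __name__ == "__main__":
    for n in SAMPLE_TREE:
        verdict = "fill" if should_autofill_password(n) else "skip"
        print(f"{n.view_id:20s} {verdict:5s} {hidden_reasons(n)}")
```

Only login_password survives the screen. The invisible case matters most for the slide's comparison: an accessibility-based PM never receives an event for a View.INVISIBLE field, whereas the Autofill Framework still exposes it, so an autofill-based PM has to make this decision itself. Because the phishing app controls the layout, checks like these are one signal that reduces leakage, and they sit alongside the mapping fix rather than replacing it.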

  15. End-to-end phishing attack
     • Combines flawed password managers with the loophole in Instant Apps
     • The package manager does not distinguish between an Instant App and a fully installed application
     • Password managers can leak confidential information into hidden password fields

  16. Google Smart Lock
     • Part of Google Play Services for Android, introduced to keep the phone locked when the user was not around
     • Offers a password-saving feature
     • GSL’s mapping is securely implemented, but requires the developer to provide all the necessary information
     • It uses Digital Asset Links, but requires the developer to manually fill out a Google Form
     • Google could benefit the community by releasing its current mapping database to the public

  17. Secure-By-Design API
     • Domain names become the only abstraction PMs need to interact with
     • A getVerifiedDomainNames() API would provide PMs with the list of domain names an app is legitimately associated with
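The mapping strategies on slides 10 to 12 and the getVerifiedDomainNames() proposal on this slide, modelled as one added Python example (not code from the paper, from Android, or from any password manager): a static one-to-one table and a package-name heuristic are shown beside a Digital Asset Links check that accepts a domain only when its assetlinks.json names both the package and the SHA-256 fingerprint of the certificate the installed app is actually signed with. Everything here is constructed: the "signing certificates" are placeholder byte strings, the assetlinks.json for example.com is served from a dictionary instead of HTTPS, and the candidate-domain list stands in for the verified app links the framework would already know about.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# DAL relation that authorises an app to receive a site's login credentials.
GET_LOGIN_CREDS = "delegate_permission/common.get_login_creds"


@dataclass(frozen=True)
class InstalledApp:
    package_name: str
    signing_cert: bytes  # DER-encoded signing certificate (constructed bytes in this example)


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate in the colon-separated form DAL statements use."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-ins for the legitimate developer's and an attacker's certificates.
LEGIT_CERT = b"example-developer-signing-cert"
ATTACKER_CERT = b"attacker-signing-cert"

# Constructed /.well-known/assetlinks.json documents, keyed by the domain that serves them.
ASSETLINKS: Dict[str, str] = {
    "example.com": json.dumps([{
        "relation": [GET_LOGIN_CREDS],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.app",
            "sha256_cert_fingerprints": [cert_fingerprint(LEGIT_CERT)],
        },
    }]),
    "other.example": json.dumps([]),  # publishes no statements at all
}


def fetch_assetlinks(domain: str) -> Optional[str]:
    """Stand-in for an HTTPS fetch of https://<domain>/.well-known/assetlinks.json."""
    return ASSETLINKS.get(domain)


# Static one-to-one mapping (slide 10): package name only, signing key never checked.
STATIC_ONE_TO_ONE = {"com.example.app": "example.com"}


def static_mapping(app: InstalledApp) -> List[str]:
    domain = STATIC_ONE_TO_ONE.get(app.package_name)
    return [domain] if domain else []


def heuristic_mapping(app: InstalledApp) -> List[str]:
    """Heuristic mapping (slide 12): reverse the leading labels, com.example.* -> example.com."""
    labels = app.package_name.split(".")
    if len(labels) < 2:
        return []
    return [f"{labels[1]}.{labels[0]}"]


def get_verified_domain_names(app: InstalledApp,
                              candidate_domains: List[str],
                              fetch: Callable[[str], Optional[str]] = fetch_assetlinks) -> List[str]:
    """DAL-verified mapping: a domain counts only if its assetlinks.json names this package
    AND the fingerprint of the certificate the app is really signed with."""
    fingerprint = cert_fingerprint(app.signing_cert)
    verified = []
    for domain in candidate_domains:
        body = fetch(domain)
        if body is None:
            continue
        try:
            statements = json.loads(body)
        except json.JSONDecodeError:
            continue  # a malformed file grants nothing
        for statement in statements:
            target = statement.get("target", {})
            if (GET_LOGIN_CREDS in statement.get("relation", [])
                    and target.get("namespace") == "android_app"
                    and target.get("package_name") == app.package_name
                    and fingerprint in target.get("sha256_cert_fingerprints", [])):
                verified.append(domain)
                break
    return verified


if __name__ == "__main__":
    apps = [InstalledApp("com.example.app", LEGIT_CERT),      # the real app
            InstalledApp("com.example.app", ATTACKER_CERT),   # repackaged, same package name
            InstalledApp("com.example.evil", ATTACKER_CERT)]  # squatting on the "sub-package"
    for app in apps:
        print(app.package_name, static_mapping(app), heuristic_mapping(app),
              get_verified_domain_names(app, ["example.com", "other.example"]))
```

Run stand-alone, the three rows show the point of the slides: the static table hands example.com to the repackaged app because it never looks at the signing key, the heuristic hands it to com.example.evil because nobody controls sub-packages, and only the DAL check returns the empty list for both impostors. A framework-level getVerifiedDomainNames() would do this verification once, at install time, so PMs would never have to see a package name.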
