UI Redressing Attacks on Android Devices

Marcus Niemietz, Jörg Schwenk

Black Hat Abu Dhabi 2012


Abstract

In this paper, we describe novel high-impact user interface attacks on Android-based mobile devices, additionally focusing on showcasing the possible mitigation techniques for such attacks. We discuss which UI redressing attacks can be transferred from desktop- to mobile- browser eld. Our main contribution is a demonstration of a browserless tap-jacking attack, which greatly enriches the impact of previous work on this matter. With this technique, one can perform unauthorized home screen navigation and attempt actions like (premium number) phone calls without having been granted appropriate privileges. To protect against this attack, we introduce a concept of a security layer that catches all tap-jacking attempts before they can reach home screen/arbitrary applications.

tags: