Trapped by the UI: The Android Case

Mobile devices depend heavily on user interface design, since their small screens and limited computational budget impose considerable constraints. UI and UX are interdependent, as UX measures how satisfied users are when interacting with a digital product; both are therefore treated as top priorities by the major mobile OS platforms. In this work we highlight pitfalls in the design of the Android UI that can greatly expose users and undermine their trust in it, by showing how deceptive it can be. To this end, we showcase a series of attacks that exploit side-channel information and poor UI choices, ranging from sniffing users' input and resurrecting tapjacking to wiping users' data, on Android versions from KitKat to Nougat.
