Personalized Security Indicators to Detect Application Phishing Attacks in Mobile Platforms

Phishing in mobile applications is a relevant threat, with successful attacks reported in the wild. In such attacks, malicious mobile applications masquerade as legitimate ones to steal user credentials. In this paper we categorize application phishing attacks in mobile platforms and possible countermeasures. We show that personalized security indicators can help users to detect phishing attacks and have very little deployment cost. Personalized security indicators, however, rely on user alertness to detect phishing attacks. Previous work in the context of website phishing has shown that users tend to ignore the absence of security indicators and fall victim to the attacker. Consequently, the research community has deemed personalized security indicators an ineffective phishing detection mechanism. We evaluate personalized security indicators as a phishing detection solution in the context of mobile applications. We conducted a large-scale user study in which a significant number of participants who used personalized security indicators were able to detect phishing. All participants who did not use indicators failed to detect the attack and entered their credentials into a phishing application. We found the difference in the attack detection ratio to be statistically significant. Personalized security indicators can, therefore, help phishing detection in mobile applications, and their reputation as an anti-phishing mechanism should be reconsidered. We also propose a novel protocol to set up personalized security indicators under a strong adversarial model and provide details on its performance and usability.
