WindowGuard: Systematic Protection of GUI Security in Android

Android graphic user interface (GUI) system plays an important role in rendering app GUIs on display and interacting with users. However, the security of this critical subsystem remains under-investigated. In fact, Android GUI has been plagued by a variety of GUI attacks in recent years. GUI attack refers to any harmful behavior that attempts to adversely affect the integrity or availability of the GUIs belonging to other apps. These attacks are real threats and can cause severe consequences, such as sensitive user information leakage, user device denial of service, etc. Given the seriousness and rapid growth of GUI attacks, we are in a pressing need for a comprehensive defense solution. Nevertheless, existing defense methods fall short in defense coverage, effectiveness and practicality. To overcome these challenges, we systematically scrutinize the security implications of Android GUI system design and propose a new security model, Android Window Integrity (AWI), to comprehensively protect the system against GUI attacks. The AWI model defines the user session to be protected and the legitimacy of GUI system states in the unique mobile GUI environment. By doing so, it can protect a normal user session against arbitrary manipulation by attackers, and still preserve the original user experience. Our implementation, WindowGuard, enforces the AWI model and responds to a suspicious behavior by briefing the user about a security event and asking for the final decision from the user. This design not only improves the detection accuracy, but also makes WindowGuard more usable and practical to meet diverse user needs. WindowGuard is implemented as an Xposed module, making it practical to be quickly deployed on a large number of user devices. Our evaluation shows that WindowGuard can successfully detect all known GUI attacks, while yielding small impacts on user experience and system performance.

[1]  Romit Roy Choudhury,et al.  Tapprints: your finger taps have fingerprints , 2012, MobiSys '12.

[2]  Norman Feske,et al.  A Nitpicker’s guide to a minimal-complexity secure GUI , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[3]  Helen J. Wang,et al.  A Systematic Approach to Uncover Security Flaws in GUI Logic , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[4]  Jörg Schwenk,et al.  UI Redressing Attacks on Android Devices , 2012 .

[5]  Peter Reiher,et al.  Cashtags: Prevent Leaking Sensitive Information through Screen Display , 2014 .

[6]  Jonathan S. Shapiro,et al.  Design of the EROS Trusted Window System , 2004, USENIX Security Symposium.

[7]  Haibo Chen,et al.  You Shouldn't Collect My Secrets: Thwarting Sensitive Keystroke Leakage in Mobile IME Apps , 2015, USENIX Security Symposium.

[8]  Nan Zhang,et al.  Leave Me Alone: App-Level Protection against Runtime Information Gathering on Android , 2015, 2015 IEEE Symposium on Security and Privacy.

[9]  Hongyang Li,et al.  Screenmilker: How to Milk Your Android Screen for Secrets , 2014, NDSS.

[10]  Emre Erturk A case study in open source software security and privacy: Android adware , 2012, World Congress on Internet Security (WorldCIS-2012).

[11]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[12]  Vitaly Shmatikov,et al.  What Mobile Ads Know About Mobile Users , 2016, NDSS.

[13]  Zhi Xu,et al.  TapLogger: inferring user inputs on smartphone touchscreens using on-board motion sensors , 2012, WISEC '12.

[14]  Dawn Xiaodong Song,et al.  Clickjacking Revisited: A Perceptual View of UI Security , 2014, WOOT.

[15]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[16]  Heng Yin,et al.  Attacks on WebView in the Android system , 2011, ACSAC '11.

[17]  Xiang Pan,et al.  Are these Ads Safe: Detecting Hidden Attacks through the Mobile App-Web Interfaces , 2016, NDSS.

[18]  Yulong Zhang,et al.  Towards Discovering and Understanding Task Hijacking in Android , 2015, USENIX Security Symposium.

[19]  David A. Wagner,et al.  Android permissions: user attention, comprehension, and behavior , 2012, SOUPS.

[20]  Lucas Davi,et al.  ROPdefender: a detection tool to defend against return-oriented programming attacks , 2011, ASIACCS '11.

[21]  Christopher Krügel,et al.  What the App is That? Deception and Countermeasures in the Android User Interface , 2015, 2015 IEEE Symposium on Security and Privacy.

[22]  Zhuoqing Morley Mao,et al.  Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks , 2014, USENIX Security Symposium.

[23]  Wenliang Du,et al.  Touchjacking Attacks on Web in Android, iOS, and Windows Phone , 2012, FPS.

[24]  Zhongshu Gu,et al.  VCR: App-Agnostic Recovery of Photographic Evidence from Android Device Memory Images , 2015, CCS.

[25]  A. Porter Phishing on Mobile Devices , 2011 .

[26]  Tadayoshi Kohno,et al.  Securing Embedded User Interfaces: Android and Beyond , 2013, USENIX Security Symposium.

[27]  Zhongshu Gu,et al.  GUITAR: Piecing Together Android App GUIs from Memory Images , 2015, CCS.

[28]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.