This presentation covers vulnerabilities in Android password managers and practical phishing attacks against them, focusing on API security and the mapping between apps and websites: secure mappings, vulnerable mappings, and a secure-by-design API.
Phishing Attacks on Modern Android
[Aonzo-CCS18] Simone Aonzo, Alessio Merlo, Giulio Tavella, and Yanick Fratantonio. "Phishing Attacks on Modern Android." In Proceedings of the 25th ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1788-1801, Toronto, Canada, 2018.
Introduction
• Mobile devices are becoming more significant
• More than half of worldwide website traffic is generated by mobile devices
• Improve user experience: native Android
• To authenticate to the mobile back-end, users need to enter their credentials
• The need for a more convenient and easy method of handling credentials
• To meet the needs of this demand, new features
Background
• APKs
• Google Play store
• Package names - Constraints
• Sandboxed execution
• Intent system
Mobile password managers
• Initially developed for the web
• Password managers available for mobile devices
• Developed as apps
• Android app sandboxing mechanisms
Android Password Manager Implementation
• Three mechanisms act as the necessary building blocks for their implementation
• Accessibility Service (a11y for short)
  • allows apps to be “accessible” to users with disabilities
  • allows apps to interact with other apps
  • vulnerable to attacks
Android Password Manager Implementation
• Autofill Framework
  • implemented by Google
  • a new component of the Android Framework specifically developed to allow password managers to suggest and autofill credentials to mobile apps
Android Password Manager Implementation
• OpenYOLO
  • for storing and updating credentials for mobile apps
  • developed by Google and Dashlane
  • follows a different paradigm: requires modifications of each “client” and “server” app
• All three mechanisms are affected by design and implementation issues
The mapping problem
• Bridging the mobile world with the web world
• The app package name is the main abstraction used to identify an app
• How should password managers map package names to their associated websites?
Vulnerable Mappings
Types of mappings:
• Secure mapping
• Static one-to-one mapping
• Static many-to-one mapping
• Crowdsourced mapping
• Heuristic-based mapping
• No mapping
Characteristics:
• Domain names are trusted
• No authentication of package names
• No authority on “sub-packages”
Password managers
• An investigation into some of the most popular password manager apps
Instant Apps for UI control
• Implemented by Google
• Allow users to try an app without fully installing it
• Instant apps give an attacker the ability to gain full control over the device UI without installing an application
PRACTICAL PHISHING ATTACKS
• End-to-end proof-of-concept attack
A SECURE-BY-DESIGN API
• The getVerifiedDomainNames() API
• Integration and implementation
• Practicality of adoption
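To make the mapping problem and the secure-by-design alternative concrete, here is a toy model (added example, not code from the paper or the slides) that contrasts a heuristic package-name mapping with a verified one: the secure path only releases credentials when the domain owner's own statement, modelled here on the `/.well-known/assetlinks.json` format that Android App Links use, names both the exact package and its signing certificate. All package names, domains and fingerprints are constructed placeholders, and `fill_decision` is a hypothetical helper.

```python
# Added example (not the paper's or the slides' code): toy model of the
# package-name-to-website mapping problem. Every package name, domain and
# certificate fingerprint below is a constructed placeholder.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class RequestingApp:
    """What a password manager learns about the app asking for credentials."""
    package: str       # self-declared name, e.g. "com.examplebank.app"; not authenticated
    cert_sha256: str   # fingerprint of the APK signing certificate, as installed

# Constructed stand-in for https://<domain>/.well-known/assetlinks.json:
# the domain owner lists the (package, signing cert) pairs it vouches for.
ASSET_LINKS: Dict[str, Set[Tuple[str, str]]] = {
    "examplebank.com": {("com.examplebank.app", "LEGIT_CERT_FP")},
}

def heuristic_mapping(package: str) -> Optional[str]:
    """Vulnerable mapping: guess the website from the package name alone.
    It trusts an unauthenticated name and treats any "sub-package"
    (com.examplebank.*) as the same owner, the two weaknesses on the
    Vulnerable Mappings slide."""
    parts = package.split(".")
    if len(parts) < 2:
        return None
    return f"{parts[1]}.{parts[0]}"  # com.examplebank.anything -> examplebank.com

def verified_domains(app: RequestingApp, links=ASSET_LINKS) -> Set[str]:
    """Secure mapping in the spirit of getVerifiedDomainNames(): a domain is
    associated only if its own statement names this exact package AND this
    signing certificate, so neither a look-alike name nor a repackaged APK
    with a different signer qualifies."""
    return {domain for domain, targets in links.items()
            if (app.package, app.cert_sha256) in targets}

def fill_decision(app: RequestingApp, site: str) -> Dict[str, bool]:
    """Would credentials for `site` be released to `app` under each mapping?"""
    return {
        "heuristic": heuristic_mapping(app.package) == site,
        "verified": site in verified_domains(app),
    }

if __name__ == "__main__":
    cases = [
        ("legit", RequestingApp("com.examplebank.app", "LEGIT_CERT_FP")),
        ("sub-package", RequestingApp("com.examplebank.login", "ATTACKER_CERT_FP")),
        ("repackaged", RequestingApp("com.examplebank.app", "ATTACKER_CERT_FP")),
    ]
    for name, app in cases:
        print(f"{name:12} {fill_decision(app, 'examplebank.com')}")
```

Only the legitimately signed app passes the verified check; the heuristic mapping releases the credentials in all three cases.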
Thank you for your time
Any questions?