Phishing Attacks on Modern Android
CompSci 702
Sze-Meeng Tan
Introduction – Mobile password managers
• Mobile traffic constitutes almost half of worldwide website traffic
• Password managers provide a practical way for users to use different pseudo-random passwords rather than a single shared password
• Mobile password managers use package names to decide which credentials to offer
• Vulnerabilities exist in the package-name-to-domain-name mappings
• Fixes need support from the Android Framework or require modifications to the password managers’ potential “clients”
Background
• Apps are generally found and distributed via app stores
  • Side-loading is also possible
• The package name is the main app identifier
• Constraints and security guarantees
  • Sandboxed: the Android permission system controls access to
    • App information
    • Privacy-related functionality
    • Security-sensitive functionality
• Inter-app communication via the Intent system
Instant Apps
• Let users “try” an Android app without fully installing it on their device
• Each Instant App is associated with a URL pattern
• The association is established through a multi-step procedure called App Link Verification
  • Relies on Digital Asset Links
• An attacker can gain full UI control
  • Unlike on a web page, where content is constrained by the web browser
Three mechanisms that PMs use for implementation
• Accessibility Service
  • Allows apps to be “accessible” to users with disabilities
  • Allows apps to interact with other apps programmatically
• Autofill Framework
  • A new component of the Android Framework
• OpenYOLO (You Only Login Once)
  • Does not affect the Android Framework
  • Requires modifications to each “client” and “server” app
Accessibility Service
• Uses the BIND_ACCESSIBILITY_SERVICE permission
• Receives callbacks from the system when “accessibility events” are fired, revealing
  • Which app the user is currently using
  • Whether there are text fields that could be filled with stored credentials
• Has also been used for malicious functionality
  • Stealing the user’s personal information
  • Complete compromise of the device
Autofill Framework
• Requires the BIND_AUTOFILL_SERVICE permission
• The service fills out forms by injecting data directly into the views
• Apps need XML attributes on their views to be compatible with the framework
  • importantForAutofill – whether the view is autofillable
  • autofillHints – what data to fill the view with
  • autofillType – the type of data to expect
OpenYOLO
• Does not require the Accessibility Service or the Autofill Framework
• Requires modification to both the client and the credential provider
• The client interacts with the credential provider via the Intent mechanism
The Mapping Problem
• Credentials are generally used to authenticate to web service backends rather than to mobile apps
• “Which website is this package name associated with?”
• Domain names are trusted
  • Backed by the PKI (Public Key Infrastructure) and digital certificate ecosystem
• Package names have no such authentication
  • No authority over “sub packages”
  • E.g. the owner of the com.example package name has no control over com.example.evil
Vulnerable Mappings
• Secure mapping
  • Digital Asset Links (DAL) associate an app with a website via verifiable statements
  • The website publishes an “assets” file listing the apps legitimately associated with it
  • Each app is identified by its package name and by the hash of its legitimate signing key
• Static one-to-one mapping
  • One package name to one domain name
  • Credentials are shared even if the app is not legitimate
  • E.g. com.facebook.katana to facebook.com
Vulnerable Mappings
• Static many-to-one mapping
  • N package names to one domain name
  • Websites with multiple apps (i.e., tablet and mobile)
  • The user may only install one of the multiple apps
• Crowdsourced mapping
  • A user inserts credentials for an app linked to domain D that the PM doesn’t know about
  • The PM requests to share the new mapping with other users
  • The package name does not need to exist
Vulnerable Mappings
• Heuristic-based mapping
  • Implements heuristics on the package name
  • Can be gamed
• No mapping
  • Suggests all stored credentials associated with all websites
  • Simple but not secure
Instant Apps for UI control
• In a web browser, the user can check the domain name, whether the connection uses HTTPS, and whether there is a valid SSL certificate
• An Instant App can gain control of all the pixels on the screen without requesting any permission
  • Could resemble the real Facebook app
  • Could resemble the browser app
Hidden Password Fields
• Transparency
  • Alpha value of 0.01
• Small size
  • 1dp x 1dp
• Same-colour background and foreground
  • Yellow overlay with the Autofill Service
• Invisible
  • A11y-based PMs do not autofill such fields, but the Autofill Service does
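The four hiding tricks on this slide are exactly what a password manager could screen a password field against before offering credentials. The following is an added example (not from the slides or the paper) of such a check over a constructed model of the view metadata; the MIN_ALPHA and MIN_SIZE_DP thresholds are assumptions chosen for the demo.

```python
from dataclasses import dataclass

# Thresholds are assumptions for this example; Android defines no such minimums.
MIN_ALPHA = 0.5      # a field faded below this is effectively transparent
MIN_SIZE_DP = 24     # a 1dp x 1dp field cannot be seen or tapped


@dataclass
class ViewNode:
    """Constructed stand-in for the view metadata an autofill service receives."""
    is_password: bool
    visible: bool           # False models View.INVISIBLE / View.GONE
    alpha: float
    width_dp: float
    height_dp: float
    text_color: int         # ARGB
    background_color: int   # ARGB


def hidden_reasons(view):
    """List which of the slide's tricks make this field invisible to the user."""
    reasons = []
    if not view.visible:
        reasons.append("invisible")
    if view.alpha < MIN_ALPHA:
        reasons.append("transparent")
    if view.width_dp < MIN_SIZE_DP or view.height_dp < MIN_SIZE_DP:
        reasons.append("tiny")
    # Compare RGB only: same colour for text and background hides the content.
    if (view.text_color & 0xFFFFFF) == (view.background_color & 0xFFFFFF):
        reasons.append("same-colour")
    return reasons


def should_autofill(view):
    """Offer credentials only for a password field the user can actually see."""
    return view.is_password and not hidden_reasons(view)


def fillable_password_fields(views):
    """Filter a captured view tree down to the fields a PM may safely fill."""
    return [v for v in views if should_autofill(v)]
```

A real service would evaluate each node within its hierarchy, since alpha and clipping inherited from ancestor views can hide a field that looks fine on its own.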
End-to-end phishing attack
• Combination of flawed password managers and the loophole in Instant Apps
• The package manager does not notice the difference between an Instant App and a fully installed application
• Password managers can leak confidential information into hidden password fields
Google Smart Lock
• A part of Google Play Services for Android, to keep the phone locked when the user was not around
• Offers a password saving feature
• The GSL mapping is securely implemented but requires the developer to provide all necessary information
  • It uses Digital Asset Links but requires the developer to manually fill out a Google Form
• Google could benefit the community if it released its current mapping database to the public
Secure-By-Design API
• Domain names should be the only abstraction PMs need to interact with
• A getVerifiedDomainNames() API would provide PMs with the list of domain names an app is legitimately associated with
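To tie the Mapping Problem and Vulnerable Mappings slides to the proposed API, here is an added example (not the slides’ or the paper’s code) that models the Digital Asset Links check a password manager would need: a domain is trusted for an app only if its assetlinks.json names that exact package name and signing-key fingerprint. The assetlinks.json document and the fingerprint are constructed placeholders, and heuristic_domain() is a constructed stand-in for the kind of package-name heuristic the slides call gameable.

```python
import json

# Constructed sample: the statement list example.com would serve at
# https://example.com/.well-known/assetlinks.json. Fingerprint is a placeholder.
LEGIT_FP = ("AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:"
            "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99")
CREDS_RELATION = "delegate_permission/common.get_login_creds"
ASSETLINKS = {
    "example.com": json.dumps([{
        "relation": [CREDS_RELATION],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.app",
            "sha256_cert_fingerprints": [LEGIT_FP],
        },
    }]),
}


def fetch_assetlinks(domain):
    """Stand-in for an HTTPS fetch of the domain's assetlinks.json (offline here)."""
    body = ASSETLINKS.get(domain)
    return json.loads(body) if body else []


def verified_domains(package_name, cert_fingerprint, claimed_domains,
                     fetch=fetch_assetlinks):
    """Return the claimed domains whose DAL statements name exactly this package
    signed with exactly this key and grant the login-credentials relation.
    This is what a getVerifiedDomainNames()-style API would hand a PM: the
    domain vouches for the app, so a look-alike package name or a different
    signing key yields nothing."""
    want_fp = cert_fingerprint.upper()
    verified = []
    for domain in claimed_domains:
        for stmt in fetch(domain):
            target = stmt.get("target", {})
            fps = {fp.upper() for fp in target.get("sha256_cert_fingerprints", [])}
            if (CREDS_RELATION in stmt.get("relation", [])
                    and target.get("namespace") == "android_app"
                    and target.get("package_name") == package_name
                    and want_fp in fps):
                verified.append(domain)
                break
    return verified


def heuristic_domain(package_name):
    """A package-name heuristic of the kind the slides call gameable (constructed):
    reverse the first two labels, so any com.example.* maps to example.com."""
    tld, sld = package_name.split(".")[:2]
    return f"{sld}.{tld}"
```

The heuristic gives com.example.evil the same domain as com.example.app, while the DAL check grants it nothing, which is the gap the proposed API closes.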