Vorschau! Die Detailseite für diese Publikation wurde nicht aktiviert!
How Android's UI Security is Undermined by Accessibility
Abstract
Android's accessibility API was designed to assist users with disabilities, or preoccupied users unable to interact with a device, e.g., while driving a car. Nowadays, many Android apps rely on the accessibility API for other purposes, including password managers but also malware. From a security perspective, the accessibility API is precarious as it undermines an otherwise strong principle of sandboxing in Android that separates apps. By means of an accessibility service, apps can interact with the UI elements of another app, including reading from its screen and writing to its text fields. As a consequence, design shortcomings in the accessibility API and other UI features such as overlays have grave security implications. We reveal flaws in the accessibility design of Android allowing information leakages and denial of service attacks against fully patched systems. With an enabled accessibility service, we are able to sniff sensitive data from apps, including the password of Android's own lock screen. To evaluate the effectiveness of our attacks against third-party apps, we examined the 1100 most downloaded apps from Google Play and found 99.25 % of them to be vulnerable. Although app-level protection measures against these attacks can be implemented, e.g., to prevent information leakage through password fields, the number of affected apps proves that these kind of vulnerabilities must be tackled by Google rather than app developers. From December 2017 to March 2018, we submitted seven bug reports to Google, from which three have been marked as won't fix while four are progressed but ranked with either low severity or no security bulletin class. We conclude our paper with a list of best practices for app-level protections for the time those bugs remain unfixed by Google.Mehr zum Titel
| Titel | How Android's UI Security is Undermined by Accessibility |
|---|---|
| Medien | ROOTS '18: Proceedings of the 2nd Reversing and Offensive-oriented Trends Symposium |
| Verlag | ACM |
| Heft | 2 |
| Verfasser | Anatoli Kalysch, Davide Bove, Prof. Dr. Tilo Müller |
| Seiten | S. 1-10 |
| Veröffentlichungsdatum | 29.11.2018 |
| Zitation | Kalysch, Anatoli; Bove, Davide; Müller, Tilo (2018): How Android's UI Security is Undermined by Accessibility. ROOTS '18: Proceedings of the 2nd Reversing and Offensive-oriented Trends Symposium (2), S. 1-10. |