DOCSLIB.ORG

Phishing for Permissions with False Transparency Güliz Seray Tuncay, Google, University of Illinois at Urbana-Champaign; Jingyu Qian and Carl A

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Phishing for Permissions with False Transparency Güliz Seray Tuncay, Google, University of Illinois at Urbana-Champaign; Jingyu Qian and Carl A See No Evil: Phishing for Permissions with False Transparency Güliz Seray Tuncay, Google, University of Illinois at Urbana-Champaign; Jingyu Qian and Carl A. Gunter, University of Illinois at Urbana-Champaign https://www.usenix.org/conference/usenixsecurity20/presentation/tuncay This paper is included in the Proceedings of the 29th USENIX Security Symposium. August 12–14, 2020 978-1-939133-17-5 Open access to the Proceedings of the 29th USENIX Security Symposium is sponsored by USENIX. See No Evil: Phishing for Permissions with False Transparency Güliz Seray Tuncay Jingyu Qian Google, University of Illinois at Urbana-Champaign University of Illinois at Urbana-Champaign [email protected] [email protected] Carl A. Gunter University of Illinois at Urbana-Champaign [email protected] Abstract Android’s permission system enables access control on sen- Android introduced runtime permissions in order to provide sitive user data and platform resources based on user consent. users with more contextual information to make informed In an effort to foster meaningful consent, Android 6 intro- decisions as well as with finer granularity when dealing with duced runtime permissions to help users understand why a permissions. In this work, we identified that the correct op- permission is needed by an app by asking for it in a relevant eration of the runtime permission model relies on certain use context. In particular, the runtime permission model war- implicit assumptions which can conveniently be broken by rants certain security guarantees to achieve this goal. First, adversaries to illegitimately obtain permissions from the back- it provides a contextual guarantee to ensure that users will ground while impersonating foreground apps. We call this always be given the necessary contextual information to make detrimental scenario false transparency attacks. These attacks informed decisions, by enforcing apps to be in the foreground constitute a serious security threat to the Android platform as when requesting permissions. Second, it provides an identity they invalidate the security guarantees of 1) runtime permis- guarantee to ensure that users are well-aware of the identity sions by enabling background apps to spoof the context and of the app owning the current context during a permission re- identity of foreground apps when requesting permissions and quest, by clearly displaying the name of the requesting app in of 2) Android permissions altogether by allowing adversaries permission dialogs. In line with its ultimate goal of providing to exploit users’ trust in other apps to obtain permissions. context, the model also relies on the cooperation of app de- We demonstrated via a user study we conducted on Ama- velopers to be transparent regarding their need of permissions zon Mechanical Turk that mobile users’ comprehension of during permission requests. runtime permissions renders them susceptible to this attack In this work, we have identified that the security guaran- vector. We carefully designed our attacks to launch strategi- tees of runtime permissions are broken due to some implicit cally in order to appear persuasive and verified the validity assumptions made by the platform designers. To this end, we of our design strategies through our user study. To demon- show how our findings can be used by adversaries to stealthily strate the feasibility of our attacks, we conducted an in-lab obtain runtime permissions. First, Android assumes that an user study in a realistic setting and showed that none of the app in the foreground will always present a meaningful and subjects noticed our attacks. Finally, we discuss why the ex- legitimate context. However, we show that background apps isting defenses against mobile phishing fail in the context of can surreptitiously move to the foreground to request permis- false transparency attacks. In particular, we disclose the secu- sions without being noticed by users by utilizing Android rity vulnerabilities we identified in a key security mechanism APIs and invisible graphical displays. Second, we observed added in Android 10. We then propose a list of countermea- that the naming scheme utilized in the permission dialogs sures to be implemented on the Android platform and on app assumes that the app name will uniquely identify a single app stores to practically tackle false transparency attacks. installed on the user device for its secure operation; however, the Android ecosystem does not readily enforce any rules on these names. As a consequence, apps can spoof the names 1 Introduction of other apps or use irrelevant names that have the poten- tial to mislead users regarding the true source of the request. Be transparent. When you make a permissions The combination of these findings indicate the possibility of request, be clear about what you’re accessing, and phishing-based privilege escalation on runtime permissions; why, so users can make informed decisions. – App a background app (adversary) can now request and obtain permissions best practices by Google [1] permissions while leading the user to believe the request USENIX Association 29th USENIX Security Symposium 415 was triggered by the foreground app (victim), an insidious sign issues, which rendered our attacks still effective on this phishing scenario which we call false transparency attacks Android version and onward. Finally, we propose a list of on runtime permissions. countermeasures that can be practically implemented on the In false transparency attacks, a permission request from an Android platform and on app stores such as Google Play to app is not transparent in the sense of the quote above. Instead, defend against false transparency attacks. its context is literally transparent as a graphical display to en- Our contributions can be summarized as follows: sure that the user only sees the victim app at the time of the re- • We uncovered design shortcomings in Android’s runtime quest. In addition, its origin is intentionally set to mislead the permissions which inadvertently lead to a violation of the user into thinking the request was triggered by the foreground essential security guarantees of this permission model. app. Hence, the adversary can take advantage of both the con- • By utilizing these shortcomings, we built false trans- text and the identity of a victim app for its own requests to parency attacks, which enable adversaries to illegiti- more conveniently obtain permissions. To illustrate, suppose mately obtain permissions using a victim app’s context Vibr is an attack app that launches a false transparency attack and identity. from the background while the widely-used communication • We conducted a user study to understand if users’ com- app Viber is in the foreground. If, for example, Vibr requests prehension of runtime permissions created susceptibility permission to access the user’s contacts, then an unwary user to this attack vector as well as to verify the validity of may grant this if they think the request comes from Viber, our design strategies for stealthy attacks. as users would generally feel comfortable granting contacts permission to a popular communication app that needs it for • We conducted a user study to demonstrate the feasibility its utility [2]. In particular, we argue that these attacks con- of our attacks in a realistic setting. stitute a notable security hazard for the Android platform for • We discovered serious issues in the new security mecha- two reasons. First, they allow background apps to stealthily nism that addresses phishing in Android 10 and later and obtain permissions while providing a spoofed context and showed the feasibility of our attacks on these versions. identity, which clearly defeats the purpose of using runtime • We proposed practical countermeasures that can effec- permissions to provide meaningful contextual information to tively tackle false transparency attacks. users. Second, they create an opportunity for malicious apps to exploit the user’s trust in another, possibly high-profile app to obtain permissions that they would normally not be 2 Background able to acquire, breaking the security guarantees of Android permissions altogether. 2.1 Android Permissions False transparency attacks serve as a platform for adver- Previously, permissions were permanently granted to apps at saries to obtain any set of dangerous permissions by exploit- installation time on Android. With the introduction of Android ing user’s trust in other apps. In order to profitably mislead 6.0 (API level 23), Android switched to runtime permissions users to grant permissions, the permission dialogs triggered where permissions for high-risk resources (e.g., camera, con- by adversaries should appear plausible, justifying the need for tacts etc.) are requested dynamically and could be revoked a permission, as users have a strong tendency towards deny- by the user at any time. This was done in an effort to provide ing requests that seem irrelevant to the app’s use [2,3]. We users more context while making decisions [4]. In this permis- first show via a user study we conduct on Amazon Mechani- sion model, users are presented with a permission dialog on cal Turk that users indeed demonstrate susceptibility to false or before the first use of a sensitive resource that is protected transparency attacks due to a lack of complete understanding with a dangerous permission and are given the ability to allow of the runtime permission model (e.g., security guarantees of or deny a permission request. Furthermore,
Load more

Recommended publications
  • Phishing Brochure
    hereʼs a new type of Internet Here’s how phishing works: How to Protect Yourself piracy called “phishing.” Itʼs n a typical case, youʼll receive an e-mail that Never provide your personal pronounced “fishing,” and appears to come from a reputable company information in response to an Tthatʼs exactly what these thieves are that you recognize and do business with, unsolicited request, whether it is over the Isuch as your financial institution. In some 1phone or over the Internet. E-mails and Internet doing: “fishing” for your personal cases, the e-mail may appear to come from a pages created by phishers may look exactly financial information. What government agency, including one of the federal like the real thing. They may even have a fake financial institution regulatory agencies. padlock icon that ordinarily is used to denote they want are account numbers, The e-mail will probably warn you of a serious a secure site. If you did not initiate the passwords, Social Security problem that requires your immediate attention. communication, you should not provide any numbers, and other confidential It may use phrases, such as “Immediate attention information. information that they can use to loot required,” or “Please contact us immediately If you believe the contact may be about your account.” The e-mail will then legitimate, contact the financial your checking account or run up encourage you to click on a button to go to the institution yourself. You can find bills on your credit cards. institutionʼs Web site. 2phone numbers and Web sites on the monthly statements you receive from your financial In a phishing scam, you could be redirected In the worst case, you could find institution, or you can look the company up in to a phony Web site that may look exactly a phone book or on the Internet.
    [Show full text]
  • Copy of OC Awareness Campaign #5
    DDOONN‘‘TT GGEETT CCAAUUGGHHTT IINN AA TTEECCHH SSUUPPPPOORRTT SSCCAAMM!! HOW DO TECH SUPPORT SCAMS WORK? Tech support scammers may call you, enlist pop-up ads on your computer, or place ads for their "tech support company" to look credible and attempt a scam. They often gain control of your computer by asking you to give them remote access to your computer. Once they gain access, the scammer may pretend to run a diagnostic test of your computer. In reality, they are downloading malware, or other viruses, downloading sensitive information that was stored on your computer, or locking you out of your computer by downloading ransomware. WHAT'S IN IT FOR THE SCAMMER? Obtain sensitive information Find credit card information Ask you to pay to fix an issue that doesn't exist with a wire transfer, gift card, or credit card. Though some will ask you for credit card information, the scammer often asks you to pay by wiring money, putting money on a gift card, prepaid card or cash reload card, or using a money transfer app because they know those types of payments can be hard to reverse. SPOTTING AND AVOIDING TECH SUPPORT SCAMS Tech support scammers use many different tactics to trick people. Spotting these tactics will help you avoid falling for the scam. Phone Calls (Vishing) Tech support scammers may call and pretend to be a computer technician from a well-known company. They say they’ve found a problem with your computer. They often ask you to give them remote access to your computer and then pretend to run a diagnostic test.
    [Show full text]
  • Phishing Attacks Or to Give Sensitive Information Away (Such As Bank Details)
    Phishing emails try to convince users to click on links to dodgy websites or attachments, Phishing attacks or to give sensitive information away (such as bank details). This advice includes tips about how to spot the most obvious signs of phishing, and what to do if you think you've Dealing with suspicious emails clicked a bad link. For more information, please visit www.ncsc.gov.uk/phishing . Make yourself a Tell tale signs harder target of phishing ***** Information from your website or Spotting a phishing email is social media accounts leaves a becoming increasingly difficult, and 'digital footprint' that can be even the most careful user can be exploited by criminals. You can make yourself tricked. Here are some tell tale signs less likely to be phished by doing the following: that could indicate a phishing attempt. Criminals use publicly available ? Is the email addressed to you by information about you to make their name, or does it refer to 'valued phishing emails appear convincing. customer', or 'friend' or 'colleague'? Review your privacy settings, and think This can be a sign that the sender about what you post. does not actually know you, and that it What is phishing? Be aware what your friends, family and is part of a phishing scam. colleagues say about you online, as Others will try and create official- Phishing is when criminals attempt to this can also reveal information that can be used to target you. looking emails by including logos and trick people into doing 'the wrong thing', graphics. Is the design (and quality) such as clicking a link to a dodgy website.
    [Show full text]
  • Clickjacking
    Security Now! Transcript of Episode #168 Page 1 of 18 Transcript of Episode #168 ClickJacking Description: Steve and Leo discuss yet another challenge to surfing safely in the web world: Known as "ClickJacking," or more formally as "UI Redressing," this class of newly popular threats tricks web users into performing web-based actions they don't intend by leading them to believe they are doing something else entirely. High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-168.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-168-lq.mp3 INTRO: Netcasts you love, from people you trust. This is TWiT. Leo Laporte: Bandwidth for Security Now! is provided by AOL Radio at AOL.com/podcasting. This is Security Now! with Steve Gibson, Episode 168 for October 30, 2008: Clickjacking. It's time for Security Now!, the show where we cover everything you'd ever want to know about security. And we do it with a guy who is the king, really, as far as I'm concerned, the man who discovered spyware, named spyware, wrote some of the most used security utilities out there, including ShieldsUP!, Mr. Steve Gibson of GRC.com. Hi, Steve. Steve Gibson: Yes, in fact sometimes we're discussing things that you'd rather wish weren't the case. I mean... Leo: Well, lately it's been kind of bleak because it's like, there's bad stuff, and there doesn't really seem like there's any cure. Steve: Yes, that's true.
    [Show full text]
  • Beware of These Common Scams
    Beware of these common scams Nigerian Scams People claiming to be officials, businessmen or surviving relatives of former government officials in countries around the world send countless offers via e-mail, attempting to convince consumers that they will transfer thousands of dollars into your bank account if you will just pay a fee or "taxes" to help them access their money. If you respond to the initial offer, you may receive documents that look "official." Unfortunately, you will get more e-mails asking you to send more money to cover transaction and transfer costs, attorney's fees, blank letterhead and your bank account numbers and other sensitive, personal information. Tech Support Scams A tech support person may call or email you and claim that they are from Windows, Microsoft or another software company. The person says your computer is running slow or has a virus and it’s sending out error messages. Scammers will ask you to visit a website that gives them remote access to your computer. If the caller obtains access they can steal personal information, usernames and passwords to commit identity theft or send spam messages. In some cases, the caller may even be asked for a wired payment or credit card information. Lottery Scams In foreign lottery scams, you receive an email claiming that you are the winner of a foreign lottery. All you need to do to claim your prize is send money to pay the taxes, insurance, or processing or customs fees. Sometimes, you will be asked to provide a bank account number so the funds can be deposited.
    [Show full text]
  • SECURITY GUIDE with Internet Use on the Rise, Cybercrime Is Big Business
    SECURITY GUIDE With internet use on the rise, cybercrime is big business. Computer savvy hackers and opportunistic spammers are constantly trying to steal or scam money from internet users. PayPal works hard to keep your information secure. We have lots of security measures in place that help protect your personal and financial information. PayPal security key Encryption This provides extra security when When you communicate with Here’s you log in to PayPal and eBay. When PayPal online or on your mobile, how to get you opt for a mobile security key, the information you provide is we’ll SMS you a random 6 digit encrypted. This means it can only a security key code to enter with your password be read by you. A padlock symbol when you log in to your accounts. is displayed on the right side of your 1. Log in to your PayPal You can also buy a credit card sized web browser to let you know you account at device that will generate this code. are viewing a secure web page. www.paypal.com.au Visit our website and click Security to learn more. Automatic timeout period 2. Click Profile then If you’re logged into PayPal and My settings. Website identity verification there’s been no activity for 15 3. Click Get started beside If your web browser supports an minutes, we’ll log you out to help “Security key.” Extended Validation Certificate, the stop anyone from accessing your address bar will turn green when information or transferring funds 4. Click Get security key you’re on PayPal’s site.
    [Show full text]
  • A Semi-Automated Security Advisory System to Resist Cyber-Attack in Social Networks
    A Semi-Automated Security Advisory System to Resist Cyber-attack in Social Networks Samar Muslah Albladi and George R S Weir University of Strathclyde, Glasgow G1 1XH, UK {samar.albladi; george.weir}@strath.ac.uk Abstract. Social networking sites often witness various types of social engi- neering (SE) attacks. Yet, limited research has addressed the most severe types of social engineering in social networks (SNs). The present study in- vestigates the extent to which people respond differently to different types of attack in a social network context and how we can segment users based on their vulnerability. In turn, this leads to the prospect of a personalised security advisory system. 316 participants have completed an online-ques- tionnaire that includes a scenario-based experiment. The study result re- veals that people respond to cyber-attacks differently based on their de- mographics. Furthermore, people’s competence, social network experience, and their limited connections with strangers in social networks can decrease their likelihood of falling victim to some types of attacks more than others. Keywords: Advisory System, Social Engineering, Social Networks. 1 Introduction Individuals and organisations are becoming increasingly dependent on working with computers, accessing the World Wide Web and, more importantly, sharing data through virtual communication. This makes cyber-security one of today’s greatest issues. Pro- tecting people and organisations from being targeted by cybercriminals is becoming a priority for industry and academia [1]. This is due to the huge potential damage that could be associated with losing valuable data and documents in such attacks. Previous research focuses on identifying factors that influence people’s vulnerability to cyber-attack [2] as the human has been characterised as the weakest link in infor- mation security research.
    [Show full text]
  • Financial Fraud and Internet Banking: Threats and Countermeasures
    Report Financial Fraud and Internet Banking: Threats and Countermeasures By François Paget, McAfee® Avert® Labs Report Financial Fraud and Internet Banking: Threats and Countermeasures Table of Contents Some Figures 3 U.S. Federal Trade Commission Statistics 3 CyberSource 4 Internet Crime Complaint Center 4 In Europe 5 The Many Faces of Fraud 6 Small- and large-scale identity theft 7 Carding and skimming 8 Phishing and pharming 8 Crimeware 9 Money laundering 10 Mules 10 Virtual casinos 11 Pump and dump 12 Nigerian advance fee fraud (419 fraud) 12 Auctions 14 Online shopping 16 Anonymous payment methods 17 Protective Measures 18 Scoring 18 Europay, MasterCard, and Visa (EMV) standard 18 PCI-DSS 19 Secure Sockets Layer (SSL) and Transport Secured Layer (TLS) protocols 19 SSL extended validation 20 3-D Secure technology 21 Strong authentication and one-time password devices 22 Knowledge-based authentication 23 Email authentication 23 Conclusion 24 About McAfee, Inc. 26 Report Financial Fraud and Internet Banking: Threats and Countermeasures Financial fraud has many faces. Whether it involves swindling, debit or credit card fraud, real estate fraud, drug trafficking, identity theft, deceptive telemarketing, or money laundering, the goal of cybercriminals is to make as much money as possible within a short time and to do so inconspicuously. This paper will introduce you to an array of threats facing banks and their customers. It includes some statistics and descriptions of solutions that should give readers—whether they are responsible for security in a financial organization or a customer—an overview of the current situation. Some Figures U.S.
    [Show full text]
  • Phishing: Crime That Pays
    1 Phishing: Crime That Pays Philip J. Nero, Brad Wardman, Heith Copes, Gary Warner University of Alabama at Birmingham Abstract—Email phishing requires functional The 2010 Javelin Strategy Identity Theft & Fraud countermeasures, as does any crime that results in Survey shows that there were an estimated 11.1 million millions of dollars in yearly losses. Many financial victims of identity theft and/or fraud in 2009 (Javelin, institutions currently combat phishing by contracting 2010). These victims lost over 54 billion dollars. A large takedown companies that remove relevant phishing percentage of these victims were victims of cyber-based websites as soon as possible after they are detected. By criminal activity. According to a recent Gartner Research comparing the median time necessary for professionals to study, 3.6 million American consumers lost money to take a phishing website down to the average time it takes phishing scams in 2007 (Gartner, 2007). Each phishing for a phishing website to turn a profit for its creator, I victim lost an average of $361. Therein, the approximate have demonstrated the overall effectiveness of the financial loss to phishing in the United States in 2008 takedown process. On average, takedown companies fail was nearly $2 billion. These studies also show that to eradicate phishing websites before their creators financial institutions accrue $1 billion in losses from garner valuable information from multiple victims. phishing every year. The above statistics demonstrate Furthermore, forensic evidence that could lead to the serious criminal activity, but the real problem is that the arrest of the cybercriminals responsible for the phishing vast majority of phishers go unpunished.
    [Show full text]
  • Clickjacking: Attacks and Defenses
    Clickjacking: Attacks and Defenses Lin-Shung Huang Alex Moshchuk Helen J. Wang Carnegie Mellon University Microsoft Research Microsoft Research [email protected] [email protected] [email protected] Stuart Schechter Collin Jackson Microsoft Research Carnegie Mellon University [email protected] [email protected] Abstract such as a “claim your free iPad” button. Hence, when Clickjacking attacks are an emerging threat on the web. the user “claims” a free iPad, a story appears in the user’s In this paper, we design new clickjacking attack variants Facebook friends’ news feed stating that she “likes” the using existing techniques and demonstrate that existing attacker web site. For ease of exposition, our description clickjacking defenses are insufficient. Our attacks show will be in the context of web browsers. Nevertheless, the that clickjacking can cause severe damages, including concepts and techniques described are generally applica- compromising a user’s private webcam, email or other ble to all client operating systems where display is shared private data, and web surfing anonymity. by mutually distrusting principals. We observe the root cause of clickjacking is that an Several clickjacking defenses have been proposed and attacker application presents a sensitive UI element of a deployed for web browsers, but all have shortcomings. target application out of context to a user (such as hiding Today’s most widely deployed defenses rely on frame- the sensitive UI by making it transparent), and hence the busting [21, 37], which disallows a sensitive page from user is tricked to act out of context. To address this root being framed (i.e., embedded within another web page).
    [Show full text]
  • A Case Study on Clickjacking Attack and Location Leakage
    International Journal of Scientific & Engineering Research, Volume 5, Issue 7, July-2014 190 ISSN 2229-5518 A Case Study on Clickjacking Attack and Location Leakage Lim Chin Nei, Loo Yow Cherng, Manmeet Mahinderjit Singh Abstract— The advanced in technologies such as mobile devices, GSP, WIFI, and 3G has encourage the information sharing using social media. The large amount of information shared on social media often lead to security issues which are unaware by the users. This information may include sensitive information such as a person’s name, location, relationship status and many more and can be dangerous if is put in a wrong hand. In this research, we provide a review on the type of social media ad what are the current threat in social media. We then focus on two specific threat namely clickjacking and location leakage, and proposed a solution for each of it as well as the evaluation of the solution. Index Terms—Security; Social media; Attack; Defense Machine, Clickjacking, Location leakage —————————— —————————— 1 INTRODUCTION This rapid shift of technologies in this era of informa- media. With this large amount of information shared online, tion and communication has dramatically boosted the usage the social media actually has become a perfect platform for of the social media. With the advanced in technologies such hackers to find their victims. The information shared using as smart mobile devices, GPS, WIFI, and 3G services, user social media often contain sensitive and private information were able to connect to the internet regardless of time and which can be easily compromised by the hackers.
    [Show full text]
  • Cisco 2017 Midyear Cybersecurity Report
    Cisco 2017 Midyear Cybersecurity Report 1 Executive Summary Table of Contents Executive Summary ..........................................................03 Vulnerabilities update: Rise in attacks following key disclosures ................................................................ 47 Major Findings ..................................................................05 Don’t let DevOps technologies leave the Introduction ......................................................................07 business exposed ............................................................ 50 Attacker Behavior .............................................................09 Organizations not moving fast enough to patch Exploit kits: Down, but not likely out ................................. 09 known Memcached server vulnerabilities ......................... 54 How defender behavior can shift attackers’ focus ...........11 Malicious hackers head to the cloud to shorten the path to top targets ..................................................... 56 Web attack methods provide evidence of a mature Internet ............................................................. 12 Unmanaged infrastructure and endpoints leave organizations at risk ......................................................... 59 Web block activity around the globe ................................ 13 Security Challenges and Opportunities Spyware really is as bad as it sounds............................... 14 for Defenders ...................................................................61
    [Show full text]