跳到主要內容

簡易檢索 / 詳目顯示

回結果列表
研究生: 吳昊澄
Hao-Cheng Wu
論文名稱: NINJA: A New Android UI State Inference Attack and Defense Mechanism
指導教授: 許富皓
Fu-Hau Hsu
口試委員:
學位類別: 碩士
Master
系所名稱: 資訊電機學院 - 資訊工程學系
Department of Computer Science & Information Engineering
論文出版年: 2015
畢業學年度: 103
語文別: 英文
論文頁數: 43
中文關鍵詞: 手機惡意軟體
外文關鍵詞: Malicious apps, UI State Inference Attack
相關次數: 點閱:7下載:0
分享至:
查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報

    • UI( User Interface ) State Inference Attack 是一種最近在手機上新起的攻擊模式,攻擊者事先做好偽造的UI,偵測使用者目前正要執行哪個activity,針對目標惡意的app會跳出相對於這個activity的偽造UI,導致使用者洩漏一些較敏感的資料給攻擊者。
    舉例而言,假設使用者現在正要開啟一個登入的頁面,被攻擊者偵測到了並跳出事先偽造好的UI,來奪取使用者的帳號以及密碼。
    使用這種方法,使用者很難察覺到手機有何異狀,就算真的被使用者發現,攻擊者所要的結果也已經達成。
    這篇論文提出一種新型的方式來達到UI State Inference Attack,並且提出一種防禦機制,可以簡單的實做在現有的手機上。

    UI( User Interface ) State Inference Attack 是一種最近在手機上新起的攻擊模式,攻擊者事先做好偽造的UI,偵測使用者目前正要執行哪個activity,針對目標惡意的app會跳出相對於這個activity的偽造UI,導致使用者洩漏一些較敏感的資料給攻擊者。
    舉例而言,假設使用者現在正要開啟一個登入的頁面,被攻擊者偵測到了並跳出事先偽造好的UI,來奪取使用者的帳號以及密碼。
    使用這種方法,使用者很難察覺到手機有何異狀,就算真的被使用者發現,攻擊者所要的結果也已經達成。
    這篇論文提出一種新型的方式來達到UI State Inference Attack,並且提出一種防禦機制,可以簡單的實做在現有的手機上。

    CONTENTS 中文摘要 i ABSTRACT ii 致謝 iii CONTENTS iv LIST OF FIGURES vi LIST OF TABLES vii Chapter 1 INTRODUCTION 1 Chapter 2 RELATED WORK 5 2.1 UI State Inference Attack 5 2.2 Two Major Step of Chen’s Method 6 2.3 Chen’s UI State Inference Attack Overview : 6 Chapter 3 BACKGROUND KNOWLEDGE 9 3.1 Add View on Android 9 3.2 Get Outside Touch 11 3.3 Hook Click Event 12 3.4 Search Running App 13 3.5 Android Webview 14 3.6 Android Camera 16 Chapter 4 THREAT MODEL 17 4.1 Our Attack: NINJA 17 4.2 NINJA Overview 18 4.3 Inject Javascript in Webview 19 4.4 Other Useful Attack 22 Chapter 5 DEFENSE MECHANISM 24 5.1 ViewGuard Overview 24 5.2 ViewGuard 26 Chapter 6 EVALUATION 28 6.1 Attack Evaluation 28 6.2 Defense mechanism evaluation 29 Chapter 7 CONCLUSION 31 REFERENCES 32

    REFERENCES
    [1] Qi Alfred Chen, Zhiyun Qian, Sanae Rosen, Yuanyuan Zhou, and Z. Morley Mao. “When to Attack? Android UI Context Inference as an Attack Building Block,” in Poster at 22nd USENIX Security Symposium, Washington, D.C., August 2013.
    [2] T. Fischer, A.-R. Sadeghi, and M. Winandy, “A pattern for secure graphical user interface systems,” in 20th International Workshop on Database and Expert Systems Application. IEEE, 2009.
    [3] S. Chen, J. Meseguer, R. Sasse, H. J. Wang, and Y.-M. Wang, “A Systematic Approach to Uncover Security Flaws in GUI Logic,” in IEEE Symposium on Security and Privacy, 2007.
    [4] C.-C. Lin, H. Li, X. Zhou, and X. Wang, “Screenmilker: How to Milk Your Android Screen for Secrets,” in NDSS, 2014.
    [5] Google. Uistateinferenceattack [Online]. Available: https://sites.google.com/site/uistateinferenceattack/
    [6] Android Developer, Manifest.permission [Online].Available: http://developer.android.com/reference/android/Manifest.permission.html
    [7] Android Developer, User Interface [Online]. Available: https://developer.android.com/guide/topics/ui/index.html
    [8] S. Chen, J. Meseguer, R. Sasse, H. J. Wang, and Y.-M. Wang, “A Systematic Approach to Uncover Security Flaws in GUI Logic,” in IEEE Symposium on Security and Privacy, 2007.
    [9]X. Zhou, S. Demetriou, D. He, M. Naveed, X. Pan, X. Wang, C. A. Gunter, and K. Nahrstedt, “Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources,” in CCS, 2013.
    [10] Android Developer, ViewGroup [Online]. Available: http://developer.android.com/reference/android/view/ViewGroup.html
    [11] Laura Suciu. Android Add Views into a ViewGroup Dynamically [Online]. Available: http://www.myandroidsolutions.com/2013/02/10/android-add-views-into-view-dynamically/
    [12]Android developer, View [Online]. Available: http://developer.android.com/reference/android/view/View.html
    [13] Android developer, WindowManager.LayoutParams [Online]. Available: http://developer.android.com/reference/android/view/WindowManager.LayoutParams.html
    [14] Nick Pozoulakis. Sensing All Touch Events in Android OS [Online]. Available: https://www.youtube.com/watch?v=TKcC3Q9Ss6o
    [15] Android developer, View.OnClickListener [Online]. Available: http://developer.android.com/reference/android/view/View.OnClickListener.html

    [16] Android developer, ActivityManager.RunningTaskInfo [Online]. Available: http://developer.android.com/reference/android/app/ActivityManager.RunningTaskInfo.html
    [17] Java Runtime.getRuntime [Online]. Available: http://www.tutorialspoint.com/java/lang/runtime_getruntime.htm
    [18] Android developer, Webview [Online]. Available: http://developer.android.com/reference/android/webkit/WebView.html
    [19] Android developer, Camera [Online]. Available: http://developer.android.com/reference/android/hardware/Camera.html
    [20] Martin Georgiev, Suman Jana, Vitaly Shmatikov, Breaking and Fixing, “Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks,” in NDSS Symposium 2014.
    [21] Genymotion [Online]. Available: https://www.genymotion.com/
    [22] Content Security Policy [Online]. Available: http://www.w3.org/TR/CSP2/
    [23] AnTuTu [Online]. Available: http://www.antutu.com/index.shtml

    QR CODE
    :::