Ecole d'ingénieur et centre de recherche en Sciences du numérique

ClickShield: Are you hiding something? Towards eradicating clickjacking on Android

Possemato, Andrea; Lanzi, Andrea; Chung, Pak; Lee, Wenke; Fratantonio, Yanick

CCS 2018, ACM Conference on Computer and Communications Security, 15-19 October 2018, Toronto, Canada

In the context of mobile-based user-interface (UI) attacks, the common belief is that clickjacking is a solved problem. On the contrary, this paper shows that clickjacking is still an open problem for mobile devices. In fact, all known academic and industry solutions are either not effective or not applicable in the real-world for backward compatibility reasons. This work shows that, as a consequence, even popular and sensitive apps like Google Play Store remain, to date, completely unprotected from clickjacking attacks. After gathering insights into how apps use the user interface, this work performs a systematic exploration of the design space for an effective and practical protection against clickjacking attacks. We then use this exploration to guide the design of ClickShield, a new defensive mechanism. To address backward compatibility issues, our design allows for overlays to cover the screen, and we employ image analysis techniques to determine whether the user could be confused. We have implemented a prototype and we have tested it against ClickBench, a newly developed benchmark specifically tailored to stress-test clickjacking protection solutions. This dataset is constituted by 104 test cases, and it includes real-world and simulated benign and malicious examples that evaluate the system across a wide range of legitimate and attack scenarios. The results show that our system is able to address backward compatibility concerns, to detect all known attacks (including a never-seen-before real-world malware that was published after we have developed our solution), and it introduces a negligible overhead.

Document Doi Bibtex

Titre:ClickShield: Are you hiding something? Towards eradicating clickjacking on Android
Type:Conférence
Langue:English
Ville:Toronto
Pays:CANADA
Date:
Département:Sécurité numérique
Eurecom ref:5638
Copyright: © ACM, 2018. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in CCS 2018, ACM Conference on Computer and Communications Security, 15-19 October 2018, Toronto, Canada http://dx.doi.org/10.1145/3243734.3243785
Bibtex: @inproceedings{EURECOM+5638, doi = {http://dx.doi.org/10.1145/3243734.3243785}, year = {2018}, title = {{C}lick{S}hield: {A}re you hiding something? {T}owards eradicating clickjacking on {A}ndroid}, author = {{P}ossemato, {A}ndrea and {L}anzi, {A}ndrea and {C}hung, {P}ak and {L}ee, {W}enke and {F}ratantonio, {Y}anick}, booktitle = {{CCS} 2018, {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity, 15-19 {O}ctober 2018, {T}oronto, {C}anada}, address = {{T}oronto, {CANADA}}, month = {10}, url = {http://www.eurecom.fr/publication/5638} }
Voir aussi: