An attack that leverages information about the current state of an application’s interface could lead to a compromise of sensitive information, such as login credentials.
Called UI state inference, the attack was demonstrated by researchers on the Android platform at the USENIX Security Symposium in San Diego.
While it worked on Android, it can also, in theory, work on other operating systems such as Mac OS X, iOS, and Windows.
“After evolving for decades, the most recent design is called compositing window manager, which is used virtually in all modern OSes,” the researchers said in a paper titled “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks.”
The researchers are Qi Alfred Chen and Z. Morley Mao from the University of Michigan and Zhiyun Qian from the University of California, Riverside. “The security of smartphone GUI frameworks remains an important yet under-scrutinized topic. We report that on the Android system (and likely other OSes), a weaker form of GUI confidentiality can be breached in the form of UI state by a background app without requiring any permissions.”
This is a general side-channel attack that exposes the running UI state of an app at the window level. It relies on the shared-memory mechanism that window managers use to display application windows on the screen.
“This side channel exists because shared memory is commonly adopted by window managers to efficiently receive window changes or updates from running applications,” the researchers said.
Notably, the malicious app, which has to run in the background, does not need any special permissions; Internet connectivity is sufficient.
The UI state can be determined with a certain degree of accuracy, which varies from one app to another.
In their demonstration, the researchers managed to steal the login credentials of several popular apps on Android. The average success rate for determining the UI state was between 82 percent and 92 percent for some candidates, rising to more than 91 percent with some popular applications and even 93 percent with others.
In the case of Gmail, the UI state detection was accurate in 92 percent of the cases, whereas with Amazon the accuracy was low, at 47.6 percent, because certain features were not sufficiently clear for the inference method used by the researchers.
With information on the current interface accessed by the user, attackers could devise a method for injecting a phishing activity in the foreground, making the user believe they’re signing into the desired service while in fact handing the credentials to the cybercriminals.
Apart from collecting credentials, the researchers were also able to access sensitive images taken with the built-in phone camera.
During their tests, the researchers used Samsung Galaxy S3 devices, running Android 4.1 for most experiments.