UI Redressing Attacks on Android Devices Revisited

Presented at Black Hat Asia 2014, Unknown date/time (Unknown duration)

In this presentation, we describe high-impact user interface attacks on Android-based mobile devices, additionally focusing on showcasing the possible mitigation techniques for such attacks. We discuss which UI redressing attacks can be transferred from the desktop- to the mobile-browser field. Our main contribution is a demonstration of a browser less tap-jacking attack, which greatly enriches the impact of previous work on this matter. With this technique, we can perform unauthorized home screen navigation and attempt actions like (premium number) phone calls without having been granted appropriate privileges. We will show, with an 0day, how an attacker can install applications in the background though it should be fixed by Google in Android v4.

Presenters:

• Marcus Niemietz - Ruhr-University Bochum
  Marcus Niemietz is a professional security researcher at the Ruhr-University Bochum in Germany. He is focusing on web security related stuff like HTML5 and especially UI redressing. Marcus has published a book about UI redressing and clickjacking for security experts and web developers in 2012. Beside that he works as a security consultancy and gives security trainings for well-known companies. Marcus has spoken on a large variety of international conferences.

Links:

• https://www.blackhat.com/asia-14/briefings.html#Niemietz
• https://www.youtube.com/watch?v=QwqZLIEP2Gc

Similar Presentations:

• Black Hat USA 2013 / Clickjacking Revisited: A Perceptual View of UI Security
• DeepSec 2013 „Secrets, Failures, and Visions“ / Automation In Android & iOS Application Security Review
• DEF CON 19 (2011) / This is REALLY not the droid you're looking for...