Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX.

Published byDoreen Shepherd Modified over 8 years ago

Similar presentations

Presentation on theme: "Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX."— Presentation transcript:

1 Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX 2013

2 Embedded User Interfaces 2 Embedded third-party UIs are common on websites and in smartphone apps. On the Web: via iframes

3 Embedded User Interfaces Embedded third-party UIs are common on websites and in smartphone apps. 3 On Android: include library code

4 Security and Embedding Browsers provide secure isolation between an embedding page and embedded content. Android does not. Third-party libraries run in app’s context. No true cross-application UI embedding. 4

5 Outline The Case for Secure UI in Android Design & Implementation: LayerCake Evaluation – Functionality case studies – Performance Summary 5

6 Outline The Case for Secure UI in Android Design & Implementation: LayerCake Evaluation – Functionality case studies – Performance Summary 6

7 Security Concerns on Android Both the parent and the child may be malicious. 7 Parent Child Parent Child UI Layout Tree

8 Security Concerns: Malicious Child Example: Screen takeover (or redirection) 8 Like us on Facebook! View parent = adView.getParent(); parent.removeChildren(); parent.addChild(fullScreenAd); Ad Library Code Code in the same context can access all UI elements. Frame Layout AdView MapView LikeView FullScreenAd

9 Security Concerns: Malicious Parent Example: Input Eavesdropping and Blocking 9 Input events propagate down the UI layout tree, through potentially untrusted nodes. Frame Layout TextView WebView password ********

10 Many Security Concerns Malicious parents and children can both perform: Data theft, Display forgery, Focus stealing, Programmatic input forgery Additionally, a malicious parent can perform: Input eavesdropping, Input DoS, Size manipulation, Clickjacking Additionally, a malicious child can perform: Ancestor redirection 10

11 This Work Many (though not all) of these attacks are impossible with iframes on the Web. Most of these attacks are possible on Android. Existing approaches [AdDroid: Pearce et al., AdSplit: Shekhar et al.] only target ad scenario. Our prior work [UIST ‘12] considered secure UI embedding in theory. 11 What does it take to implement secure third-party embedding on Android?

12 Outline The Case for Secure UI in Android Design & Implementation: LayerCake Evaluation – Functionality case studies – Performance Summary 12

13 Secure UI Embedding for Android LayerCake is a modified version of Android 4.2 (Jelly Bean) that securely supports embedded applications. 13 Location Gadget MapView AdView

14 Android Background Activity: A page of an application’s UI. – Only one Activity in the foreground at a time. – Activity consists of tree of UI elements (Views). Activity drawn in a Window. – Contains one View tree. 14 Button (View)

15 Supporting Embedded Activities Goal: Allow an Activity in one application to securely embed an Activity from another app. ParentActivity AdActivity 15 1.Separate processes. 2.Separate windows. 3.Handle additional security concerns. Requires pervasive changes to ActivityManager and WindowManager.

16 (1) Separate Processes Allow developers to embed Activities from other applications (“iframes for Android”). ParentActivity AdActivity 16 Challenges: Developer API ( EmbeddedActivityView ) Multiple running Activities Parent-child communication Separating code into processes prevents direct UI manipulation.

17 Separate Processes Not Sufficient ParentActivity AdActivity 17 How does LayerCake actually embed cross-application UI? WindowManager Relative Layout Frame Layout (…) Embedded ActivityView (AdActivity) app window user input

18 (2) Separate Windows ParentActivity AdActivity 18 Visually overlay separate windows, don’t nest UI trees. WindowManager Relative Layout Frame Layout (…) Embedded ActivityView (AdActivity) parent window child window Visually overlay child window on parent window. Separating UI trees prevents input eavesdropping and DoS attacks.

19 Overlaying: Practical Challenges Layout changes must be automatically propagated across processes. 19 Cropping is needed to make overlaying look like embedding.

20 (3) Additional Security: Handling Size Conflicts Threat: What if the parent makes the child too small? (e.g., camera preview) Observation: Enforcing a minimum size provides no additional security on its own: attacker can mimic effect by scrolling or obstructing. 20 ParentActivity (1 pixel X 1 pixel camera preview)

21 Threat: Trick user into clicking on an embedded element that is visually obscured. Embedded Activities can request to NOT receive user input events if they are: 1.Covered (fully or partly) by another window. 2.Not the minimum requested size. 3.Not fully visible due to window placement. (3) Additional Security: Preventing Clickjacking 21 (Additional clickjacking protection: e.g., InContext: Huang et al.)

22 (3) Additional Security: Preventing Ancestor Redirection Threat: What if a malicious child tries to open a new top-level Activity? Note: Opening another embedded Activity (in its place) is ok. On attempt to open top-level Activity: – Prompt user, or – Allow automatically if in response to user click (≈ user intent) 22

23 Outline The Case for Secure UI in Android Design & Implementation: LayerCake Evaluation – Functionality case studies – Performance Summary 23

24 Functionality Case Studies Not (securely) possible on stock Android; enabled by LayerCake: 24 Advertising Facebook Widgets Secure WebView User-Driven Access Control [Oakland ’12] Apply to top-level redirection.

25 Legacy Applications Applications don’t require modification to be embedded. 25

26 Performance Evaluation: Activity Load Time 26 ApplicationLoad time (10 trial average) No Embedding Embedding* RestaurantReviewer163 ms533 ms FacebookDemo158 ms305 ms Listen&Shop160 ms303 ms * Note that load time for parent Activity is unaffected.

27 Performance Evaluation: Event Dispatch 27 ScenarioEvent Dispatch Time (10 trial average) Stock Android1.9 ms No focus change2.1 ms Focus change3.6 ms

28 Outline The Case for Secure UI in Android Design & Implementation: LayerCake Evaluation – Functionality case studies – Performance Summary 28

29 Contributions LayerCake: Artifact resulting from systematic application of secure embedded UI concepts. Code: http://layercake.cs.washington.eduhttp://layercake.cs.washington.edu Lessons Learned: Visually overlay windows, don’t nest UI trees. Size manipulation, scroll placement, and obstruction must be considered together. Ancestor redirection can follow user intent. 29

30 Summary Embedded third-party UIs pose security concerns, unaddressed on Android. LayerCake: modified version of Android that securely supports application embedding. See me for demo! http://layercake.cs.washington.edu 30

Download ppt "Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX."

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Syracuse University, New York, USA

Syracuse University, New York, USA
Android User Interface

Android User Interface
Lin-Shung Huang, Alex Moshchuk, Helen Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon, Microsoft Research USENIX Security 2012 Clickjacking:

Lin-Shung Huang, Alex Moshchuk, Helen Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon, Microsoft Research USENIX Security 2012 Clickjacking:
User-Driven Access Control Rethinking Permission Granting in Modern OSes Franziska Roesner, Tadayoshi Kohno University of Washington Alexander Moshchuk,

User-Driven Access Control Rethinking Permission Granting in Modern OSes Franziska Roesner, Tadayoshi Kohno University of Washington Alexander Moshchuk,
Programming with Android: Widgets and Events Luca Bedogni Marco Di Felice Dipartimento di Scienze dell’Informazione Università di Bologna.

Programming with Android: Widgets and Events Luca Bedogni Marco Di Felice Dipartimento di Scienze dell’Informazione Università di Bologna.
Clickjacking Attacks and Defenses.

Clickjacking Attacks and Defenses.
Password Managers: Attacks and Defenses David SilverSuman JanaDan Boneh Stanford University Eric ChenCollin Jackson Carnegie Mellon University Usenix Security.

Password Managers: Attacks and Defenses David SilverSuman JanaDan Boneh Stanford University Eric ChenCollin Jackson Carnegie Mellon University Usenix Security.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
All About Android Introduction to Android 1. Creating a New App “These aren’t the droids we’re looking for.” Obi-wan Kenobi 1. Bring up Eclipse. 2. Click.

All About Android Introduction to Android 1. Creating a New App “These aren’t the droids we’re looking for.” Obi-wan Kenobi 1. Bring up Eclipse. 2. Click.
 User Interface - Raeha Sandalwala.  Introduction to UI  Layouts  UI Controls  Menus and ‘Toasts’  Notifications  Other interesting UIs ◦ ListView.

 User Interface - Raeha Sandalwala.  Introduction to UI  Layouts  UI Controls  Menus and ‘Toasts’  Notifications  Other interesting UIs ◦ ListView.
0 CS 160: Design Process: Implement Event-based UI Programming, Model-View-Controller, and the Web Jeffrey Nichols IBM Almaden Research Center

0 CS 160: Design Process: Implement Event-based UI Programming, Model-View-Controller, and the Web Jeffrey Nichols IBM Almaden Research Center
Web Page Behavior IS 373—Web Standards Todd Will.

Web Page Behavior IS 373—Web Standards Todd Will.
Macromedia Dreamweaver 4 Advanced Level Course. Add Rollovers Rollovers or mouseovers are possibly the most popular effects used in designing Web pages.

Macromedia Dreamweaver 4 Advanced Level Course. Add Rollovers Rollovers or mouseovers are possibly the most popular effects used in designing Web pages.
Security of Mobile Applications Vitaly Shmatikov CS 6431.

Security of Mobile Applications Vitaly Shmatikov CS 6431.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
Building Trusted Path on Untrusted Device Drivers for Mobile Devices

Building Trusted Path on Untrusted Device Drivers for Mobile Devices
Android Application Development 2013 PClassic Chris Murphy 1.

Android Application Development 2013 PClassic Chris Murphy 1.
The Easiest Way to Write Web Applications Jordi Sastre IT Architect, PSC May 2012.

The Easiest Way to Write Web Applications Jordi Sastre IT Architect, PSC May 2012.
Written by Liron Blecher

Written by Liron Blecher

Similar presentations

Ads by Google