National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

Detailed record

Author: 王崴擎
Author (romanized): Wang, Wei-Ching
Title (Chinese): 基於 Android InputConnection 的釣魚攻擊與其防禦方法 (Phishing Attacks Based on Android InputConnection and Their Countermeasures)
Title (English): WebView Phishing based on Android InputConnection: Attack and Countermeasure
Advisor: 黃俊穎
Advisor (romanized): Huang, Chun-Ying
Committee members: 黃俊穎, 吳育松, 鄭欣明, 馬尚彬
Committee members (romanized): Huang, Chun-Ying; Wu, Yu-Sung; Cheng, Shin-Ming; Ma, Shang-Pin
Oral defense date: 2018-08-21
Degree: Master's
Institution: National Chiao Tung University
Department: Institute of Computer Science and Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2018
Graduation academic year: 107 (ROC calendar, i.e. 2018)
Language: English
Pages: 45
Keywords (Chinese): Android; 資訊洩露 (information leakage); 輸入法框架 (input method framework); InputConnection
Keywords (English): Android; Information leakage; Input Method Framework; InputConnection
Usage statistics:
  • Cited: 0
  • Views: 223
  • Rating: (none)
  • Downloads: 6
  • Saved to bookmark lists: 0
Abstract (translated from the Chinese): In recent years, smartphones have become one of the most important objects in our lives, but phone users may encounter information leakage while browsing the web. In this thesis, we discover a vulnerability in the Android input method framework. We point out that a malicious application can hijack the InputConnection interface, which is used to deliver the text a user types from the input method in use (e.g., a software keyboard) to a View object (e.g., a WebView). Thus, a malicious application can eavesdrop on the text a user enters on a third-party web page loaded by a WebView. We then propose a novel attack method that steals user credentials based on this vulnerability. The attack can be launched easily and requires only the INTERNET permission. We also verify that the attack works on most Android versions (from Android 4.4 to 8.1). The attack is very effective, but it is not impossible to defend against. We propose several countermeasures, including solutions for web content providers and for the Android platform, and implement one of them to defend against this attack. Finally, we show that our implemented defense correctly protects user data and works well.
Abstract (English): In recent years, mobile devices have become one of the most essential things in our lives. However, users may suffer from information leakage when they surf the Internet. In this paper, we discover a vulnerability of the Android input method framework. We find that the InputConnection interface, which is used for delivering user inputs from the active input method (e.g., software keyboard) to a View object (e.g., WebView), can be hijacked by a malicious application. Thus, the malicious application can wiretap the user inputs on a third-party web page loaded by the WebView. Then, we propose a novel attack method to steal user credentials based on this vulnerability. This attack method can be easily launched and only requires the INTERNET permission. We also validate that this attack works on most Android versions (from Android 4.4 to 8.1). This attack is quite effective, but things are not that hopeless. We propose several countermeasures, including solutions for web content providers and the Android platform, and implement one of them to mitigate the hijacking attack. At the end, we show that our implementation of the solution can properly secure user data and works well.
Table of contents (page numbers refer to the thesis):
1 Introduction (p. 1)
2 Background (p. 4)
  2.1 Input Method Framework (p. 4)
  2.2 WebView (p. 6)
  2.3 Android Open Source Project (p. 7)
3 Attack (p. 9)
  3.1 Threat Model (p. 9)
  3.2 Vulnerability: Input Channel Hijacking (p. 10)
  3.3 Validation (p. 12)
4 Countermeasure (p. 15)
  4.1 Web-based Virtual Keyboard (p. 15)
  4.2 IMF Hijacking Detector (p. 16)
  4.3 IMF Hijacking Guardian (p. 22)
5 Implementation (p. 24)
  5.1 InputConnection Function Calls Analysis (p. 24)
  5.2 IMF Hijacking Guardian Implementation (p. 26)
6 Evaluation (p. 30)
  6.1 Input Channel Hijacking Test (p. 30)
  6.2 Performance Test (p. 31)
7 Discussion (p. 33)
8 Related Work (p. 35)
  8.1 WebView Security (p. 35)
  8.2 Privacy Leakage in Android (p. 36)
9 Conclusion (p. 38)
References (p. 39)