Towards discovering and understanding task hijacking in android

Chuangang Ren; Yulong Zhang; Hui Xue; Tao Wei; Peng Liu

Towards discovering and understanding task hijacking in android

Chuangang Ren, Yulong Zhang, Hui Xue, Tao Wei, Peng Liu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Android multitasking provides rich features to enhance user experience and offers great flexibility for app developers to promote app personalization. However, the security implication of Android multitasking remains under-investigated. With a systematic study of the complex tasks dynamics, we find design flaws of Android multitasking which make all recent versions of Android vulnerable to task hijacking attacks. We demonstrate proof-of-concept examples utilizing the task hijacking attack surface to implement UI spoofing, denial-of-service and user monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities. We have collected and analyzed over 6.8 million apps from various Android markets. Our analysis shows that the task hijacking risk is prevalent. Since many apps depend on the current multitasking design, defeating task hijacking is not easy. We have notified the Android team about these issues and we discuss possible mitigation techniques in this paper.

Original language	English (US)
Title of host publication	Proceedings of the 24th USENIX Security Symposium
Publisher	USENIX Association
Pages	945-959
Number of pages	15
ISBN (Electronic)	9781931971232
State	Published - Jan 1 2015
Event	24th USENIX Security Symposium - Washington, United States Duration: Aug 12 2015 → Aug 14 2015

Publication series

Name	Proceedings of the 24th USENIX Security Symposium

Conference

Conference	24th USENIX Security Symposium
Country	United States
City	Washington
Period	8/12/15 → 8/14/15

All Science Journal Classification (ASJC) codes

Computer Networks and Communications
Information Systems
Safety, Risk, Reliability and Quality

Access to Document

Fingerprint Dive into the research topics of 'Towards discovering and understanding task hijacking in android'. Together they form a unique fingerprint.

Cite this

Ren, C., Zhang, Y., Xue, H., Wei, T., & Liu, P. (2015). Towards discovering and understanding task hijacking in android. In Proceedings of the 24th USENIX Security Symposium (pp. 945-959). (Proceedings of the 24th USENIX Security Symposium). USENIX Association.

@inproceedings{a2e0068b4fcb43b9ad440d6c7e7feeb2,

title = "Towards discovering and understanding task hijacking in android",

abstract = "Android multitasking provides rich features to enhance user experience and offers great flexibility for app developers to promote app personalization. However, the security implication of Android multitasking remains under-investigated. With a systematic study of the complex tasks dynamics, we find design flaws of Android multitasking which make all recent versions of Android vulnerable to task hijacking attacks. We demonstrate proof-of-concept examples utilizing the task hijacking attack surface to implement UI spoofing, denial-of-service and user monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user{\textquoteright}s activities. We have collected and analyzed over 6.8 million apps from various Android markets. Our analysis shows that the task hijacking risk is prevalent. Since many apps depend on the current multitasking design, defeating task hijacking is not easy. We have notified the Android team about these issues and we discuss possible mitigation techniques in this paper.",

author = "Chuangang Ren and Yulong Zhang and Hui Xue and Tao Wei and Peng Liu",

year = "2015",

month = jan,

day = "1",

language = "English (US)",

series = "Proceedings of the 24th USENIX Security Symposium",

publisher = "USENIX Association",

pages = "945--959",

booktitle = "Proceedings of the 24th USENIX Security Symposium",

note = "24th USENIX Security Symposium ; Conference date: 12-08-2015 Through 14-08-2015",

}

TY - GEN

T1 - Towards discovering and understanding task hijacking in android

AU - Ren, Chuangang

AU - Zhang, Yulong

AU - Xue, Hui

AU - Wei, Tao

AU - Liu, Peng

PY - 2015/1/1

Y1 - 2015/1/1

N2 - Android multitasking provides rich features to enhance user experience and offers great flexibility for app developers to promote app personalization. However, the security implication of Android multitasking remains under-investigated. With a systematic study of the complex tasks dynamics, we find design flaws of Android multitasking which make all recent versions of Android vulnerable to task hijacking attacks. We demonstrate proof-of-concept examples utilizing the task hijacking attack surface to implement UI spoofing, denial-of-service and user monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities. We have collected and analyzed over 6.8 million apps from various Android markets. Our analysis shows that the task hijacking risk is prevalent. Since many apps depend on the current multitasking design, defeating task hijacking is not easy. We have notified the Android team about these issues and we discuss possible mitigation techniques in this paper.

AB - Android multitasking provides rich features to enhance user experience and offers great flexibility for app developers to promote app personalization. However, the security implication of Android multitasking remains under-investigated. With a systematic study of the complex tasks dynamics, we find design flaws of Android multitasking which make all recent versions of Android vulnerable to task hijacking attacks. We demonstrate proof-of-concept examples utilizing the task hijacking attack surface to implement UI spoofing, denial-of-service and user monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities. We have collected and analyzed over 6.8 million apps from various Android markets. Our analysis shows that the task hijacking risk is prevalent. Since many apps depend on the current multitasking design, defeating task hijacking is not easy. We have notified the Android team about these issues and we discuss possible mitigation techniques in this paper.

UR - http://www.scopus.com/inward/record.url?scp=85030791452&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85030791452&partnerID=8YFLogxK

M3 - Conference contribution

T3 - Proceedings of the 24th USENIX Security Symposium

SP - 945

EP - 959

BT - Proceedings of the 24th USENIX Security Symposium

PB - USENIX Association

T2 - 24th USENIX Security Symposium

Y2 - 12 August 2015 through 14 August 2015

ER -