This paper will appear in Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, August 2014.
Peeking into Your App without Actually Seeing It: UI State Inference and
Novel Android Attacks
Qi Alfred Chen, Zhiyun Qian†, Z. Morley Mao
University of Michigan, †University of California, Riverside
alfchen@umich.edu, zhiyunq@cs.ucr.edu, zmao@umich.edu
Abstract
The security of smartphone GUI frameworks remains
an important yet under-scrutinized topic. In this paper, we report that on the Android system (and likely
other OSes), a weaker form of GUI confidentiality can
be breached in the form of UI state (not the pixels) by a
background app without requiring any permissions. Our
finding leads to a class of attacks which we name UI state
inference attack. The underlying problem is that popular
GUI frameworks by design can potentially reveal every
UI state change through a newly-discovered public side
channel — shared memory. In our evaluation, we show
that for 6 out of 7 popular Android