Knock-Knock: The unbearable lightness of Android Notifications

@article{Patsakis2018KnockKnockTU,
  title={Knock-Knock: The unbearable lightness of Android Notifications},
  author={Constantinos Patsakis and Efthymios Alepis},
  journal={ArXiv},
  year={2018},
  volume={abs/1801.08225}
}
Android Notifications can be considered as essential parts in Human-Smartphone interaction and inextricable modules of modern mobile applications that can facilitate User Interaction and improve User Experience. This paper presents how this well-crafted and thoroughly documented mechanism, provided by the OS can be exploited by an adversary. More precisely, we present attacks that result either in forging smartphone application notifications to lure the user in disclosing sensitive information… 

Figures from this paper

Notify This: Exploiting Android Notifications for Fun and Profit
TLDR
This paper analyzes flaws in this fundamental mechanism, as found in the most widespread mobile OS to date, namely Android, and proposes generic countermeasures for the security threats in question.
Unravelling Security Issues of Runtime Permissions in Android
TLDR
This work presents a thorough analysis of the new android permission architecture, accompanied with a criticism regarding its advantages and disadvantages based on a number of disclosed security issues.
This is Just Metadata: From No Communication Content to User Profiling, Surveillance and Exploitation
TLDR
It is showcased that unprivileged apps, without actually using any permissions, can harvest a considerable amount of valuable user information in Android by monitoring and exploiting the file and folder metadata of the most well-known messaging apps in Android.
"Shhh...be quiet!" Reducing the Unwanted Interruptions of Notification Permission Prompts on Chrome
TLDR
A novel adaptive activation mechanism coupled with a block list of interrupting websites, which is derived from crowd-sourced telemetry from Chrome clients, is designed and tested to reduce unwanted interruptions and potential abuses for the users.
Testing the Message Flow of Android Auto Apps
TLDR
The quality of current compatible apps in Android Auto is investigated, and two main error-prone points are located, and the experience and lessons from this empirical study are helpful to the detailed design and implementation of messaging modules.
Software Measures for Common Design Patterns Using Visual Studio Code Metrics
TLDR
This paper proposes one more evaluation dimension for common design patterns, using code metrics and structuring specific experiments of software projects that derive from real life and thus can be considered as quite realistic.

References

SHOWING 1-10 OF 29 REFERENCES
UI Redressing Attacks on Android Devices
TLDR
A browserless tap-jacking attack is demonstrated, which greatly enriches the impact of previous work on this matter and introduces a concept of a security layer that catches all tapjacking attempts before they can reach home screen/arbitrary applications.
Abusing Notification Services on Smartphones for Phishing and Spamming
TLDR
It is shown that both Android and BlackBerry OS are vulnerable under the phishing and spam notification attacks, so a Semi-OS-Controlled notification view design principle and a Notification Logging service are proposed and a view authentication framework, named SecureView, is proposed to protect applications from fraudulent views.
WindowGuard: Systematic Protection of GUI Security in Android
TLDR
The implementation, WindowGuard, enforces the AWI model and responds to a suspicious behavior by briefing the user about a security event and asking for the final decision from the user, which makes WindowGuard more usable and practical to meet diverse user needs.
Analysis of clickjacking attacks and an effective defense scheme for Android devices
TLDR
A system-level defense scheme against clickjacking attacks on Android platform, which requires no user or developer effort and is compatible with existing apps is proposed.
The All Seeing Eye: Web to App Intercommunication for Session Fingerprinting in Android
TLDR
This work introduces some novel user deanonymisation approaches for device fingerprinting in Android and proves that web pages, by using several inherent mechanisms, can cooperate with installed mobile apps to identify which sessions operate in specific devices and consequently to further expose users’ privacy.
Android UI Deception Revisited: Attacks and Defenses
TLDR
This work found that the solution proposed has a significant side channel vulnerability as well as susceptibility to clickjacking that allow non-privileged malware to completely compromise the defenses, and successfully steal passwords or other keyboard input.
Phishing on Mobile Devices
TLDR
This work conducts a systematic analysis of ways in which mobile applications and web sites link to each other and finds that web sites and applications regularly ask users to type their passwords into contexts that are vulnerable to spoofing.
What the App is That? Deception and Countermeasures in the Android User Interface
TLDR
This paper analyzes in detail the many ways in which Android users can be confused into misidentifying an app, thus, for instance, being deceived into giving sensitive information to a malicious app and designs and implements an on-device defense that addresses the underlying issue of the lack of a security indicator in the Android GUI.
Trapped by the UI: The Android Case
TLDR
This work highlights some pitfalls in the design of Android UI which can greatly expose users and break user trust in the UI by proving how deceiving it can be and showcases a series of attacks that exploit side channel information and poor UI choices.
Mobile devices: A phisher's paradise
TLDR
An evaluation of the phishing protection mechanisms that are available with the popular web browsers of Android and iOS is presented and the protection they offer against their desktop counterparts are compared, revealing and analyzing the significant gap between the two.
...
...