ROOTS 2018: How Android’s UI Security is Undermined by Accessibility – Anatoli Kalysch
Android’s accessibility API was designed to assist users with disabilities, or temporarily preoccupied users unable to interact with a device, e.g., while driving a car. Nowadays, many Android apps rely on the accessibility API for other purposes, including apps like password managers but also malware. From a security perspective, the accessibility API is precarious as it undermines an otherwise strong principle of sandboxing in Android that separates apps. By means of an accessibility service, apps can interact with the UI elements of another app, including reading from its screen and writing to its text fields. As a consequence, design shortcomings in the accessibility API and other UI features such as overlays have grave security implications.
This talk will provide a critical perspective on the current state of Android accessibility and selected UI security features. Starting with an app store centered overview of how accessibility services are used we will continue with currently unpatched flaws in the accessibility design of Android discovered during our assessment. These flaws and vulnerabilities allow information leakages and denial of service attacks up until Android 8.1. With an enabled accessibility service, we are able to sniff sensitive data from apps, including the password of Android’s own lock screen.
To evaluate the effectiveness of our attacks against third-party apps, we examined the 1100 most downloaded apps from Google Play and found 99.25% of them to be vulnerable to at least one of the attacks covered in this talk. In the end possible countermeasures are discussed and we shed some light on the reporting process of Android vulnerabilities.
We asked Anatoli a few more questions about his talk.
Please tell us the top 5 facts about your talk.
The talk will feature some new Android vulnerabilities and possible mitigation techniques, insights about Android’s accessibility system and probably interesting trivia about vulnerability disclosure.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
As part of the preparation for a live hacking event we once decided to venture into Android UI security and see what attacks we could come up with. This essentially yielded the vulnerabilities that were disclosed to Google. During the live hacking event itself we only presented already known UI vulnerabilities.
Why do you think this is an important topic?
Our vulnerability analysis of available application shows that most developers are not aware of the presented security issues and it is probably unclear of whether AOSP maintainers or developers should be in charge of addressing them.
Is there something you want everybody to know – some good advice for our readers maybe?
Accessibility and UI security seem to be a vastly underestimated attack vector for the Android ecosystem.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
New UI features often seem to undermine Androids UI security concepts, e.g., the introduction of overlays, or the new picture in picture feature. New releases of Android should always be assessed regarding which security assumptions still hold.
Anatoli Kalysch is a PhD student in IT Security at Friedrich-Alexander University Erlangen-Nürnberg (FAU). His research interests include reverse engineering and program analysis, obfuscation techniques, and Android security with a focus on malware analysis, and UI security. Selected projects are available on ‘https://github.com/anatolikalysch/‘.