Attacks on Android Clipboard

Authors: Xiao Zhang, Wenliang Du

DOI: 10.1007/978-3-319-08509-8_5

Abstract: In this paper, we perform a thorough study on the risks imposed by the globally accessible Android Clipboard. Based on the risk assessment, we formulate a series of attacks and categorize them into two groups, i.e., manipulation and stealing. Clipboard data may lead to common code injection attacks, like JavaScript command injection. Furthermore, it can also cause phishing, including web app phishing. Data stealing happens when sensitive data copied to the clipboard is accessed by malicious applications. For each category of attack, we analyze a large number of candidate apps and show multiple case studies to demonstrate its feasibility. Also, our analysis process is formulated to benefit future development and vulnerability detection. After a comprehensive exposure of the risk, we briefly discuss some potential solutions.
