Top

Published in:

2019 | OriginalPaper | Chapter

Notify This: Exploiting Android Notifications for Fun and Profit

Author : Efthimios Alepis

Published in: Information Systems Security and Privacy

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

In the era of telecommunications, where mobile phones are becoming continuously smarter, how users interact with smartphones plays a very essential role, magnified by statistics that reveal great increase in human time spent in human-smartphone interaction. Some of the basic reasons for users to use their smartphones include notifications, whose functionality has been investigated and improved over the last decade. As a result, this mechanism, namely smartphone notifications, is not only well-rounded by both OS vendors and app developers, but is also inextricably accompanying vital parts of the majority of modern mobile applications. This paper analyzes flaws in this fundamental mechanism, as found in the most widespread mobile OS to date, namely Android. After presenting forging smartphone application notifications and Denial of Service attacks to the users’ device, accomplished both locally and remotely, we conclude by proposing generic countermeasures for the security threats in question.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter A Simple Attack on CaptchaStar

next chapter The Current State of the Holistic Privacy and Security Modelling Approach in Business Process and Software Architecture Modelling

Pielot, M., Church, K., de Oliveira, R.: An in-situ study of mobile phone notifications. In: Proceedings of the 16th International Conference on Human-computer Interaction with Mobile Devices & #38; Services, MobileHCI 2014, New York, NY, USA, pp. 233–242. ACM (2014)

ZDNet: Whatsapp: Now one billion people send 55 billion messages per day. http://www.zdnet.com/article/whatsapp-now-one-billion-people-send-55-billion-messages-per-day/. Accessed 27 July 2017

Biznessapps: What is a push notification? And why should you care? https://www.biznessapps.com/blog/what-is-a-push-notification/. Accessed 27 July 2017

O’Connell, C.: The year that push notifications grew up (2015). http://info.localytics.com/blog/2015-the-year-that-push-notifications-grew-up. Accessed 01 Sept 2017

Urban Airship: New urban airship study reveals app publishers that don’t message users waste 95 percent of their acquisition spend. https://www.urbanairship.com/company/press-releases/new-urban-airship-mobile-app-retention-study. Accessed 01 Sept 2017

Freyne, J., Yin, J., Brindal, E., Hendrie, G., Berkovsky, S., Noakes, M.: Push notifications in diet apps: influencing engagement times and tasks. Int. J. Hum. Comput. Interact. 33, 833–845 (2017)CrossRef

Kerber, F., Gehring, S., Krüger, A., Löchtefeld, M.: Adding expressiveness to smartwatch notifications through ambient illumination. IJMHCI 9, 1–14 (2017)

Mahmud, M.S., Islam, M.S., Rahman, M.A.: Smart fire detection system with early notifications using machine learning. Int. J. Comput. Intell. Appl. 16, 1–17 (2017)

Wang, Y., Millet, B., Smith, J.L.: Designing wearable vibrotactile notifications for information communication. Int. J. Hum. Comput. Stud. 89, 24–34 (2016)CrossRef

10.

Patsakis, C., Alepis, E.: Knock-knock: the unbearable lightness of Android notifications. In: Mori, P., Furnell, S., Camp, O. (eds.) Proceedings of the 4th International Conference on Information Systems Security and Privacy, ICISSP 2018, Funchal, Madeira - Portugal, 22–24 January 2018, pp. 52–61. SciTePress (2018)

11.

Wei, F., Li, Y., Roy, S., Ou, X., Zhou, W.: Deep ground truth analysis of current Android malware. In: Polychronakis, M., Meier, M. (eds.) DIMVA 2017. LNCS, vol. 10327, pp. 252–276. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60876-1_12CrossRef

12.

Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in Android. In: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, pp. 239–252. ACM (2011)

13.

Niemietz, M., Schwenk, J.: UI redressing attacks on Android devices. Black Hat Abu Dhabi (2012)

14.

Ying, L., Cheng, Y., Lu, Y., Gu, Y., Su, P., Feng, D.: Attacks and defence on Android free floating windows. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, ASIA CCS 2016, New York, NY, USA, pp. 759–770. ACM (2016)

15.

Fratantonio, Y., Qian, C., Chung, S., Lee, W.: Cloak and dagger: from two permissions to complete control of the UI feedback loop. In: Proceedings of the IEEE Symposium on Security and Privacy (Oakland), San Jose, CA (2017)

16.

Android Developer: Manifest.permission - SYSTEM\(\_\)ALERT\(\_\)WINDOW. https://developer.android.com/reference/android/Manifest.permission.html#SYSTEM_ALERT_WINDOW. Accessed 28 Mar 2017

17.

Alepis, E., Patsakis, C.: Trapped by the UI: the Android case. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 334–354. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_15CrossRef

18.

Chen, Q.A., Qian, Z., Mao, Z.M.: Peeking into your app without actually seeing it: UI state inference and novel android attacks. In: USENIX Security Symposium, pp. 1037–1052 (2014)

19.

Xu, Z., Zhu, S.: Abusing notification services on smartphones for phishing and spamming. In: Proceedings of the 6th USENIX Conference on Offensive Technologies, USENIX Association, p. 1 (2012)

20.

Felt, A.P., Wagner, D.: Phishing on mobile devices. In: Proceedings of the Web 2.0 Security and Privacy 2011 Workshop (2011)

21.

Virvilis, N., Tsalis, N., Mylonas, A., Gritzalis, D.: Mobile devices: a phisher’s paradise. In: 2014 11th International Conference on Security and Cryptography (SECRYPT), pp. 1–9. IEEE (2014)

22.

Virvou, M., Alepis, E.: Mobile educational features in authoring tools for personalised tutoring. Comput. Educ. 44, 53–68 (2005)CrossRef

23.

Papageorgiou, A., Strigkos, M., Politou, E.A., Alepis, E., Solanas, A., Patsakis, C.: Security and privacy analysis of mobile health applications: the alarming state of practice. IEEE Access 6, 9390–9403 (2018)CrossRef

24.

Casino, F., Patsakis, C., Batista, E., Borras, F., Martínez-Ballesté, A.: Healthy routes in the smart city: a context-aware mobile recommender. IEEE Softw. 34, 42–47 (2017)CrossRef

25.

StatCounter GlobalStats: Mobile and tablet internet usage exceeds desktop for first time worldwide. http://gs.statcounter.com/press/mobile-and-tablet-internet-usage-exceeds-desktop-for-first-time-worldwide. Accessed 01 Sept 2017

26.

Flurry Analytics: U.s. consumers time-spent on mobile crosses 5 hours a day. http://flurrymobile.tumblr.com/post/157921590345/us-consumers-time-spent-on-mobile-crosses-5. Accessed 01 Sept 2017

27.

Commscope: The generation z study of tech intimates (2017). https://commscope.com/insights/uploads/2017/09/Generation-Z-Report.pdf

28.

Alepis, E., Patsakis, C.: The all seeing eye: web to app intercommunication for session fingerprinting in Android. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, K.-K.R. (eds.) SpaCCS 2017. LNCS, vol. 10656, pp. 93–107. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-72389-1_9CrossRef

29.

Perez, S.: Nearly 1 in 4 people abandon mobile apps after only one use (2016). https://techcrunch.com/2016/05/31/nearly-1-in-4-people-abandon-mobile-apps-after-only-one-use/

30.

Perro, J.: Mobile apps: What’s a good retention rate? (2018). http://info.localytics.com/blog/mobile-apps-whats-a-good-retention-rate

31.

Samanta, I.: Exploring the factors of customer retention in mobile sector. IJSITA 3, 36–46 (2012)

32.

Peng, J., Zhang, S., Quan, J., Wei, Z.: Effectiveness of mobile phone customer retention strategies. In: 11th Wuhan International Conference on E-Business, WHICEB 2012, Wuhan, China, 26–27 May 2012, vol. 63. Association for Information Systems (2012)

33.

Viljanen, M., Airola, A., Pahikkala, T., Heikkonen, J.: Modelling user retention in mobile games. In: IEEE Conference on Computational Intelligence and Games, CIG 2016, Santorini, Greece, 20–23 September 2016, pp. 1–8. IEEE (2016)

34.

Zhou, Y., Raake, A., Xu, T., Zhang, X.: Users’ perceived control, trust and expectation on privacy settings of smartphone. In: Wen, S., Wu, W., Castiglione, A. (eds.) CSS 2017. LNCS, vol. 10581, pp. 427–441. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69471-9_31CrossRef

35.

Choi, H., Choi, Y.-J., Kim, K.-M.: The understanding of building trust model on smartphone application: focusing on users’ motivation. In: Kim, K.J., Ahn, S.J. (eds.) Proceedings of the International Conference on IT Convergence and Security 2011. LNEE, vol. 120, pp. 13–20. Springer, Dordrecht (2012). https://doi.org/10.1007/978-94-007-2911-7_2CrossRef

36.

Mylonas, A., Gritzalis, D., Tsoumas, B., Apostolopoulos, T.: A qualitative metrics vector for the awareness of smartphone security users. In: Furnell, S., Lambrinoudakis, C., Lopez, J. (eds.) TrustBus 2013. LNCS, vol. 8058, pp. 173–184. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40343-9_15CrossRef

37.

Bianchi, A., Corbetta, J., Invernizzi, L., Fratantonio, Y., Kruegel, C., Vigna, G.: What the app is that? deception and countermeasures in the Android user interface. In: 2015 IEEE Symposium on Security and Privacy (SP), pp. 931–948. IEEE (2015)

38.

Wu, L., Brandt, B., Du, X., Ji, B.: Analysis of clickjacking attacks and an effective defense scheme for Android devices. In: 2016 IEEE Conference on Communications and Network Security (CNS), pp. 55–63. IEEE (2016)

39.

40.

Ren, C., Liu, P., Zhu, S.: Windowguard: Systematic protection of GUI security in Android. In: Network and Distributed System Security Symposium (2017)

41.

Malisa, L., Kostiainen, K., Och, M., Capkun, S.: Mobile application impersonation detection using dynamic user interface extraction. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9878, pp. 217–237. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45744-4_11CrossRef

42.

Malisa, L., Kostiainen, K., Capkun, S.: Detecting mobile application spoofing attacks by leveraging user visual similarity perception. In: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, pp. 289–300. ACM (2017)

43.

Fernandes, E., Chen, Q.A., Paupore, J., Essl, G., Halderman, J.A., Mao, Z.M., Prakash, A.: Android UI deception revisited: attacks and defenses. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 41–59. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_3CrossRef

44.

Marforio, C., Jayaram Masti, R., Soriente, C., Kostiainen, K., Čapkun, S.: Evaluation of personalized security indicators as an anti-phishing mechanism for smartphone applications. In: Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems, pp. 540–551. ACM (2016)

45.

Wu, L., Du, X., Wu, J.: Effective defense schemes for phishing attacks on mobile computing platforms. IEEE Trans. Veh. Technol. 65, 6678–6691 (2016)CrossRef

46.

Heartfield, R., Loukas, G.: A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks. ACM Comput. Surv. (CSUR) 48, 37 (2016)

47.

Aleroud, A., Zhou, L.: Phishing environments, techniques, and countermeasures: a survey. Comput. Secur. 68, 160–196 (2017)CrossRef

48.

Holgers, T., Watson, D.E., Gribble, S.D.: Cutting through the confusion: a measurement study of homograph attacks. In: USENIX Annual Technical Conference, General Track, pp. 261–266 (2006)

49.

Liu, C., Stamm, S.: Fighting unicode-obfuscated spam. In: Proceedings of the Anti-Phishing Working Groups 2nd Annual eCrime Researchers Summit, pp. 45–59. ACM (2007)

Title: Notify This: Exploiting Android Notifications for Fun and Profit
Author: Efthimios Alepis
Publisher: Springer International Publishing
Book: Information Systems Security and Privacy
Print ISBN: 978-3-030-25108-6

Electronic ISBN: 978-3-030-25109-3

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-25109-3_5

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner