A majority of today’s mobile apps integrate web content of various kinds. Unfortunately, the interactions between app code and web content expose new attack vectors: a malicious app can subvert its embedded web content to steal user secrets; on the other hand, malicious web content can use the privileges of its embedding app to exfiltrate sensitive information such as the user’s location and contacts. In this paper, we discuss security weaknesses of the interface between app code and web content through attacks, then introduce defenses that can be deployed without modifying the OS. Our defenses feature WIREframe, a service that securely embeds and renders external web content in Android apps, and in turn, prevents attacks between em- bedded web and host apps. WIREframe fully mediates the interface between app code and embedded web content. Un- like the existing web-embedding mechanisms, WIREframe allows both apps and embedded web content to define simple access policies to protect their own resources. These policies recognize fine-grained security principals, such as origins, and control all interactions between apps and the web. We also introduce WIRE (Web Isolation Rewriting Engine), an offline app rewriting tool that allows app users to inject WIREframe protections into existing apps. Our evaluation, based on 7166 popular apps and 20 specially selected apps, shows these techniques work on complex apps and incur acceptable end-to-end performance overhead.

The goal of cyber attack investigation is to fully reconstruct the details of an attack, so we can trace back to its origin, and recover the system from the damage caused by the attack. However, it is often difficult and requires tremendous manual efforts because attack events occurred days or even weeks before the investigation and detailed information we need is not available anymore. Consequently, forensic logging is significantly important for cyber attack investigation. In this paper, we present DroidForensics, a multi-layer forensic logging technique for Android. Our goal is to provide the user with detailed information about attack behaviors that can enable accurate post-mortem investigation of Android attacks. DroidForensics consists of three logging modules. API logger captures Android API calls that contain high-level semantics of an application. Binder logger records interactions between applications to identify causal relations between processes, and system call logger efficiently monitors low-level system events. We also provide the user interface that the user can compose SQL-like queries to inspect an attack. Our experiments show that DroidForensics has low runtime overhead (2.9% on average) and low space overhead (105 ? 169 MByte during 24 hours) on real Android devices. It is effective in the reconstruction of realworld Android attacks we have studied.

Nowadays, attacking and defending Android apps has be- come an arms race between black hats and white hats. In this paper, we explore a new hacking technique called the App Confusion Attack, which allows hackers to take full control of benign apps and their resources without device root- ing or privilege escalation. Conceptually, an App Confusion Attack hijacks the launching process of each benign app, and forces it to run in a virtual execution context controlled by hackers, instead of the native one provided by the Android Application Framework. This attack is furtive but lethal. When a user clicks on a benign app, the malicious alternative can be loaded and executed with an indistinguishable user interface. As a result, hackers can manipulate the communication between the benign app and the OS, including kernel and system services, and manipulate the code and data at will. To address this issue, we build DroidPill, a framework for malware creation that employs the app virtualization technique and the design flaws in Android to achieve such attacks with free apps. Our evaluation results and case studies show that DroidPill is practical and effective. Lastly, we conclude this work with several possible countermeasures to the App Confusion Attack.