Published by De Gruyter Oldenbourg, March 15, 2019

In pursuit of a secure UI: The cycle of breaking and fixing Android’s UI

Davide Bove and Anatoli Kalysch

Abstract

Hijacking user clicks and touch gestures has become a common attack vector and offers a stealthy way to escalate the privileges of a process without raising red flags among users or AV software. Exploits falling into this category are categorized as clickjacking attacks and have gained increased popularity on mobile devices, Android being the recent victim of a series of UI vulnerabilities.

Focusing on the Android OS, this paper highlights previous and current UI-based attack vectors and finishes with an overview of security mechanisms, covering both system-wide and app-level protection measures.
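As an added illustration of the app-level protection measures the abstract refers to (example code written for this page, not code from the paper or its authors), the following Android view refuses touches that arrive while an overlay window covers the app. It relies on the platform's own mechanism: when a touch passes through another window, the framework sets `MotionEvent.FLAG_WINDOW_IS_OBSCURED` (or, from API 29, `FLAG_WINDOW_IS_PARTIALLY_OBSCURED`), and a view with `filterTouchesWhenObscured` enabled drops such events in `onFilterTouchEventForSecurity()` before they reach `onTouchEvent()`. The package name and class name are hypothetical.

```java
package com.example.tapjackingdemo; // hypothetical package, not from the paper

import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * A button for security-sensitive actions (confirming a payment, granting
 * a permission) that ignores touches delivered while another window is
 * drawn over it. This is the app-level half of Android's tapjacking
 * defence: the system flags obscured touches, the view drops them.
 */
public class ObscuredTouchGuardButton extends Button {

    private static final String TAG = "ObscuredTouchGuard";

    public ObscuredTouchGuardButton(Context context) {
        super(context);
        init();
    }

    public ObscuredTouchGuardButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        init();
    }

    private void init() {
        // Same effect as android:filterTouchesWhenObscured="true" in layout XML.
        // With this set, View.onFilterTouchEventForSecurity() rejects any touch
        // carrying FLAG_WINDOW_IS_OBSCURED before onTouchEvent() sees it.
        setFilterTouchesWhenObscured(true);
    }

    /**
     * True when the touch was delivered through an overlay.
     * FLAG_WINDOW_IS_OBSCURED: another window covers the touched point.
     * FLAG_WINDOW_IS_PARTIALLY_OBSCURED (API 29+): an overlay covers part of
     * this window, not necessarily the touched point. Rejecting that case too
     * is a stricter policy than the framework default applies.
     */
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        if ((flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            return true;
        }
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // Framework check first: drops fully obscured touches because
        // filterTouchesWhenObscured is enabled in init().
        if (!super.onFilterTouchEventForSecurity(event)) {
            Log.w(TAG, "Dropped touch: window obscured by an overlay");
            return false;
        }
        // Stricter policy: an overlay may frame the button rather than cover it,
        // so also drop touches while the window is only partially obscured.
        if (isObscured(event)) {
            Log.w(TAG, "Dropped touch: window partially obscured by an overlay");
            return false;
        }
        return true;
    }
}
```

The same baseline protection is available declaratively by adding `android:filterTouchesWhenObscured="true"` to the sensitive view in layout XML; the subclass above only adds the stricter partial-obscuring check and a log line that makes dropped touches visible during testing. Note that the flag is set per window by the system, so an app cannot be fooled into clearing it, but it protects only the views that opt in.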

Acknowledgment

We thank Prof. Dr.-Ing. Freiling and Tobias Groß for their helpful comments on earlier versions of this paper.

Received: 2018-08-23
Revised: 2019-01-24
Accepted: 2019-02-28
Published Online: 2019-03-15
Published in Print: 2019-04-24

© 2019 Walter de Gruyter GmbH, Berlin/Boston