it - Information Technology

Methods and Applications of Informatics and Information Technology

Editor-in-Chief: Conrad, Stefan

Ahead of print


In pursuit of a secure UI: The cycle of breaking and fixing Android’s UI

M. Sc. Davide Bove (corresponding author), Friedrich-Alexander Universität Erlangen-Nürnberg, Lehrstuhl für Informatik 1, Martensstr. 3, D-91058 Erlangen, Germany
M. Sc. Anatoli Kalysch, Friedrich-Alexander Universität Erlangen-Nürnberg, Lehrstuhl für Informatik 1, Martensstr. 3, D-91058 Erlangen, Germany
Published Online: 2019-03-15 | DOI: https://doi.org/10.1515/itit-2018-0023


Hijacking user clicks and touch gestures has become a common attack vector: it offers a stealthy way of escalating the privileges of a process without raising red flags among users or AV software. Attacks in this category are known as clickjacking attacks, and they have gained increased popularity on mobile devices, with Android the most recent victim of a series of UI vulnerabilities.

Focusing on the Android OS, this paper highlights previous and current UI-based attack vectors and finishes with an overview of security mechanisms, covering both system-wide and app-level protection measures.
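As an added example (not code from the paper or its authors), the app-level protection that the Android framework itself offers against overlay-based tapjacking: a View that refuses touches which arrive while another window covers it. The class name ObscuredAwareButton, the AppCompat base class and the log message are assumptions for illustration; the framework calls (setFilterTouchesWhenObscured, onFilterTouchEventForSecurity and the FLAG_WINDOW_IS_OBSCURED / FLAG_WINDOW_IS_PARTIALLY_OBSCURED flags on MotionEvent) are the real Android APIs.

```java
// Added example, not from the paper: an Android View that drops touch events
// delivered while another window (e.g. a malicious SYSTEM_ALERT_WINDOW overlay)
// is drawn over it. Class name and base class are assumptions for illustration.
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import androidx.appcompat.widget.AppCompatButton;

public class ObscuredAwareButton extends AppCompatButton {
    private static final String TAG = "ObscuredAwareButton";

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in layout XML:
        // the framework's default onFilterTouchEventForSecurity() now discards any
        // MotionEvent carrying FLAG_WINDOW_IS_OBSCURED before onTouchEvent() runs.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();

        // Set by the system when another window covers the exact touch point.
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;

        // API 29+: set when any part of this window is covered, even if the
        // touched pixel itself is not. Closes the gap where an overlay covers
        // only the label that tells the user what the button does.
        boolean partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;

        if (obscured || partiallyObscured) {
            // Returning false tells the framework to drop the event entirely;
            // onTouchEvent() and any OnClickListener never see it.
            Log.w(TAG, "Dropping touch: window is obscured by another window");
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Two caveats a practitioner should keep in mind. First, the obscured flags are set for windows drawn by other apps over this one; they say nothing about input injected through an accessibility service, which goes through the framework's own input path rather than through an overlay, so this check does not address that attack class. Second, starting with Android 12 (API 31) the system itself blocks touches that would pass through untrusted overlays, so the per-View filter mainly matters for the older devices still in the field; enabling it is still cheap and harmless on newer ones.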

Keywords: Android; Clickjacking; UI; Overlay; Security

ACM CCS: Security and privacy; Systems security; Operating systems security; Mobile platform security



About the article

M. Sc. Davide Bove

M. Sc. Davide Bove is a Master’s graduate from Friedrich-Alexander University Erlangen-Nürnberg (FAU). He graduated in the field of Software Engineering and now focuses his studies on secure software, Android security and distributed networks.

M. Sc. Anatoli Kalysch

M. Sc. Anatoli Kalysch is a PhD student at Friedrich-Alexander University Erlangen-Nürnberg (FAU). His research interests include reverse engineering and program analysis, obfuscation techniques, and Android security. Anatoli Kalysch has an M. Sc. in computer science from FAU.

Received: 2018-08-23

Revised: 2019-01-24

Accepted: 2019-02-28

Citation Information: it - Information Technology, ISSN (Online) 2196-7032, ISSN (Print) 1611-2776, DOI: https://doi.org/10.1515/itit-2018-0023.

© 2019 Walter de Gruyter GmbH, Berlin/Boston.