In pursuit of a secure UI: The cycle of breaking and fixing Android’s UI

Davide Bove 1  and Anatoli Kalysch 1
  • 1 Friedrich-Alexander Universität Erlangen-Nürnberg, Lehrstuhl für Informatik 1, Martensstr. 3, Erlangen, Germany
M. Sc. Davide Bove
  • Corresponding author
  • 9171Friedrich-Alexander Universität Erlangen-Nürnberg, Lehrstuhl für Informatik 1, Martensstr. 3, D-91058, Erlangen, Germany
  • Email
  • Further information
  • M. Sc. Davide Bove is a Master’s graduate from Friedrich-Alexander University Erlangen-Nürnberg (FAU). He graduated in the field of Software Engineering and now focuses his studies on secure software, Android security and distributed networks.
  • Search for other articles:
  • degruyter.comGoogle Scholar
and M. Sc. Anatoli Kalysch
  • 9171Friedrich-Alexander Universität Erlangen-Nürnberg, Lehrstuhl für Informatik 1, Martensstr. 3, D-91058, Erlangen, Germany
  • Email
  • Further information
  • M. Sc. Anatoli Kalysch is a PhD student at Friedrich-Alexander University Erlangen-Nürnberg (FAU). His research interests include reverse engineering and program analysis, obfuscation techniques, and Android security. Anatoli Kalysch has a M. Sc. in computer science from FAU.
  • Search for other articles:
  • degruyter.comGoogle Scholar


Hijacking user clicks and touch gestures has become a common attack vector and offers a stealthy approach at escalating the privileges of a process without raising red flags among users or AV software. Exploits falling into this category are categorized as clickjacking attacks and have gained increased popularity on mobile devices, Android being the recent victim of a series of UI vulnerabilities.

Focusing on the Android OS this paper highlights previous and current UI-based attack vectors and finishes with an overview of security mechanisms, covering both system-wide as well as app-level protection measures.

  • 1.

    Vitor Afonso, Anatoli Kalysch, Tilo Müller, Daniela Oliveira, André Grégio, and Paulo Lício de Geus. Lumus: Dynamically uncovering evasive Android applications. In International Conference on Information Security, pages 47–66. Springer, 2018.

  • 2.

    Abeer AlJarrah and Mohamed Shehab. Maintaining user interface integrity on Android. In Computer Software and Applications Conference (COMPSAC), 2016 IEEE 40th Annual, volume 1, pages 449–458. IEEE 2016.

  • 3.

    Antonio Bianchi, Jacopo Corbetta, Luca Invernizzi, Yanick Fratantonio, Christopher Kruegel, and Giovanni Vigna. What the app is that? Deception and countermeasures in the Android user interface. In Security and Privacy (SP), 2015 IEEE Symposium on, pages 931–948. IEEE, 2015.

  • 4.

    Qi Alfred Chen, Zhiyun Qian, and Zhuoqing Morley Mao. Peeking into your app without actually seeing it: UI state inference and novel Android attacks. In USENIX Security Symposium, pages 1037–1052, 2014.

  • 5.

    Adrienne Porter Felt, Robert W Reeder, Alex Ainslie, Helen Harris, Max Walker, Christopher Thompson, Mustafa Embre Acer, Elisabeth Morant, and Sunny Consolvo. Rethinking connection security indicators. In SOUPS, pages 1–14, 2016.

  • 6.

    Earlence Fernandes, Qi Alfred Chen, Justin Paupore, Georg Essl, J Alex Halderman, Z Morley Mao, and Atul Prakash. Android UI deception revisited: Attacks and defenses. In International Conference on Financial Cryptography and Data Security, pages 41–59. Springer, 2016.

  • 7.

    Lorenzo Franceschi-Bicchierai. The iPhone’s constant password popups are a hacker’s dream, may 2017., accessed on May 29th, 2018.

  • 8.

    Yanick Fratantonio, Chenxiong Qian, Simon P Chung, and Wenke Lee. Cloak and dagger: from two permissions to complete control of the UI feedback loop. In Security and Privacy (SP), 2017 IEEE Symposium on, pages 1041–1057. IEEE, 2017.

  • 9.

    Jeremiah Grossman. Clickjacking: Web pages can see and hear you, Oct 2008., accessed on April 20, 2018.

  • 10.

    Yeongjin Jang, Chengyu Song, Simon P. Chung, Tielei Wang, and Wenke Lee. A11y attacks: Exploiting accessibility in operating systems. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS ’14, pages 103–115, ACM, New York, NY, USA, 2014.

  • 11.

    Ken Johnson. Revisiting Android tapjacking, May 2011., accessed on June 1st, 2018.

  • 12.

    Anatoli Kalysch, Davide Bove, and Tilo Müller. How Android’s UI security is undermined by accessibility. In Proceedings of the 2nd Reversing and Offensive-oriented Trends Symposium, ROOTS, pages 2:1–2:10, ACM, New York, NY, USA, 2018.

  • 13.

    Joshua Kraunelis, Yinjie Chen, Zhen Ling, Xinwen Fu, and Wei Zhao. On malware leveraging the Android accessibility framework. In International Conference on Mobile and Ubiquitous Systems: Computing, Networking, and Services, pages 512–523. Springer, 2013.

  • 14.

    Tongbo Luo, Xing Jin, Ajai Ananthanarayanan, and Wenliang Du. Touchjacking attacks on web in Android, iOS, and windows phone. In International Symposium on Foundations and Practice of Security, pages 227–243. Springer, 2012.

  • 15.

    Marcus Niemietz and Jörg Schwenk. UI redressing attacks on Android devices. Black Hat Abu Dhabi, 2012.

  • 16.

    Andrea Possemato, Andrea Lanzi, Simon Pak Ho Chung, Wenke Lee, and Yanick Fratantonio. Clickshield: Are you hiding something? Towards eradicating clickjacking on Android. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS ’18, pages 1120–1136, ACM, New York, NY, USA, 2018.

  • 17.

    Siegfried Rasthofer, Irfan Asrar, Stephan Huber, and Eric Bodden. How current Android malware seeks to evade automated code analysis. In IFIP International Conference on Information Security Theory and Practice, pages 187–202. Springer, 2015.

  • 18.

    Siegfried Rasthofer, Irfan Asrar, Stephan Huber, and Eric Bodden. An investigation of the Android/BadAccents malware which exploits a new Android tapjacking attack. Technical report, TU Darmstadt, Fraunhofer SIT and McAfee Mobile Research, 2015.

  • 19.

    Chuangang Ren, Peng Liu, and Sencun Zhu. Windowguard: Systematic protection of GUI security in Android. In Proc. of the Annual Symposium on Network and Distributed System Security (NDSS), 2017.

  • 20.

    Stuart E Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer. The emperor’s new security indicators. In Security and Privacy, 2007. SP’07. IEEE Symposium on, pages 51–65. IEEE, 2007.

  • 21.

    Dinesh Venkatesan. Android malware steals uber credentials and covers up the heist using deep links, 2018., accessed on May 23rd, 2018.

  • 22.

    Longfei Wu, Benjamin Brandt, Xiaojiang Du, and Bo Ji. Analysis of clickjacking attacks and an effective defense scheme for Android devices. In Communications and Network Security (CNS), 2016 IEEE Conference on, pages 55–63. IEEE, 2016.

Purchase article
Get instant unlimited access to the article.
Log in
Already have access? Please log in.

Log in with your institution

Journal + Issues

it - Information Technology is a strictly peer-reviewed scientific journal. It is the oldest German journal in the field of information technology. Today, the major aim of it - Information Technology is highlighting issues on ongoing newsworthy areas in information technology and informatics and their application. It aims at presenting the topics with a holistic view.