UI State Inference Attack

What is UI state inference attack?
    UI state is defined as a mostly consistent user interface shown at the window level, reflecting a specific piece of program functionality. An example of a UI state is a login window, in which the text content may change but the overall layout and functionality remain the same. According to this definition, the login window and the help window in a banking app are different UI states. For example, the following screens of the WebMD app show the sign-in, choose-symptom, and browse-article UI states respectively.

In UI state inference attack, an attacker first builds a UI state machine based on UI state signatures constructed offline, then infers the UI state in real time from an unprivileged background app. In Android terminology, the UI state is known as Activity. So we also call it Activity inference attack. The inference requires no Android permission.

What can UI state inference attack do?
    UI state knowledge does not directly reveal user input, but we find that it can effectively serve as a powerful building block and enable further catastrophic security breaches, including capturing user input. For example, based on inferred UI states, we can further break GUI integrity by carefully exploiting the designed functionality that allows UI preemption, which is commonly used by alarm or reminder apps on Android.
    In our work, we discover a number of serious attacks enabled by our UI state inference attack:
  • Hijacking the UI state for stealing sensitive user input, for example, login credentials
  • Obtaining sensitive camera images shot by users, for example, personal check photos for banking apps
  • Inferring user behavior through tracking UI state changes
  • Enhancing existing attacks in both stealthiness and efficiency by providing the target UI state

[ Key enabling factor ]: novel side channels in popular GUI framework design
We find that in the window manager design of the Android GUI framework, every UI state change can be unexpectedly observed through publicly accessible side channels. Specifically, the major enabling factor is a newly-discovered shared-memory side channel, which can be used to detect window events in the target application.
In fact, such a design is not specific to Android: nearly all popular OSes, such as Mac OS X, iOS, and Windows, also adopt this shared-memory mechanism for their window managers. Thus, we believe our attack on Android generalizes to other platforms.

Attack video demos:
Please check out the demo page.

[Security'14] Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks
Qi Alfred Chen, Zhiyun Qian, and Z. Morley Mao
To appear in 23rd USENIX Security Symposium, San Diego, CA, August 2014

[Security'13 Poster] When to Attack? Android UI Context Inference as an Attack Building Block
Qi Alfred Chen, Zhiyun Qian, Sanae Rosen, Yuanyuan Zhou, and Z. Morley Mao
Poster at 22nd USENIX Security Symposium, Washington, D.C., August 2013