Hi all,

A paper to be presented this month at Usenix Security, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks" ([0,1]), reads various procfs files to infer a victim app's Activity displayed to a user. They can then launch their own Activity (in foreground) to impersonate the victim's app. The procfs files they read are:

  /proc/net/tcp6
  /proc/pid/statm
  /proc/pid/stat
  /proc/uid_stat/uid/tcp_snd

where pid is the victim app's pid, not the attacker's app. They have used a Galaxy S3, but do not state the Android version.

In their Countermeasure section, they do not mention SEandroid... so I am left puzzled: have they purposely omitted it? Or is SEandroid still vulnerable to it? For example, they claim that on the S3, /proc/pid/statm "can be freely accessed without any privileges".

Can anyone elaborate? I thought SEandroid DID make procfs no longer readable to apps?

[0] http://web.eecs.umich.edu/~alfchen/alfred_sec14.pdf
[1] https://sites.google.com/site/uistateinferenceattack/demos
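A defender-side check for the question above, added here as an example and not part of the original post or the paper: it attempts a real read of each procfs file the post lists, for another process's pid and uid, and reports what the calling context is allowed to see. The function names, arguments and output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit whether the procfs files named in the post are
# readable from the context this script runs in.
# Assumed interface (not from the post): PROC_ROOT PID UID as arguments.

# try_read PATH -> prints "readable", "denied" or "missing"
try_read() {
    if [ ! -e "$1" ]; then
        echo missing
    # Attempt an actual open+read instead of trusting the mode bits:
    # the result of the read is what the policy in force really allows.
    elif cat "$1" >/dev/null 2>&1; then
        echo readable
    else
        echo denied
    fi
}

# audit_procfs PROC_ROOT PID UID -> one "path status" line per file
audit_procfs() {
    root=$1 pid=$2 uid=$3
    for f in "net/tcp6" "$pid/statm" "$pid/stat" "uid_stat/$uid/tcp_snd"; do
        echo "$root/$f $(try_read "$root/$f")"
    done
}

# count_readable PROC_ROOT PID UID -> how many of the four files are readable
count_readable() {
    audit_procfs "$@" | grep -c ' readable$' || true
}

# Stand-alone use: ./audit.sh /proc <other-app-pid> <other-app-uid>
if [ "$#" -eq 3 ]; then
    audit_procfs "$@"
fi
```

Run it from an unprivileged app's context on the device under test, passing the pid and uid of a different app; any line ending in "readable" is a file that context can still read.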
