In my paper, I have detailed a simple but dangerous exploit of the Android framework that allows arbitrary applications to spoof sensitive activities of other applications in order to collect private data without the user’s knowledge. This is possible because there is no way to tell which app a given activity belongs to. Without this information, there is no way of knowing whether the foreground activity is the same activity that was expected to be displayed when the app was launched. I have demonstrated a simple method for constructing spoof activities and integrating them into standalone or existing code. The danger of this exploit lies in the simplicity of engineering a spoofed activity for any service that provides a native app for Android, and the ease of collecting the harvested data from user devices. Future work includes implementing a practical defense against this class of attacks and doing comprehensive case studies to further demonstrate the need to fix this exploit.
Activity Spoofing Summary
August 31, 2011 by