Notification services are a popular feature provided by almost all modern smartphone platforms. To facilitate customization for developers, many smartphone platforms support highly customizable notifications, which allow third-party applications to specify the trigger events, the notification views to be displayed, and the allowed user operations on the notification views. In this paper, we show that notification customization may allow an installed trojan application to launch phishing attacks or anonymously post spam notifications. Through our studies of four major smartphone platforms, we show that both Android and BlackBerry OS are vulnerable to the phishing and spam notification attacks. iOS and Windows Phone allow little notification customization, so launching the phishing and spam attacks on them exposes the identity of the trojan application. Attack demonstrations on all platforms are presented. To prevent the phishing and spam notification attacks while still allowing notification customization, we propose a Semi-OS-Controlled notification view design principle and a Notification Logging service. Moreover, to protect applications from fraudulent views, we propose a view authentication framework, named SecureView, which enables third-party applications to add an authentication image and text to their sensitive views (e.g., the account login view). The implementation and demonstrations of the proposed defense approaches on Android are also presented in the paper.