Paper Summary: Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks. Chen, Qian, and Mao. Usenix Security 2014.

The authors introduce a new set of attacks called UI state inference attacks, exploiting a subtle vulnerability due to side channel memory in Android systems. The attack allows a background attacker app that requires no suspicious special permissions to infer the current activity of any application running in the foreground. They present the seriousness of this vulnerability by building attacks such as information phishing and unauthorized camera access.

The paper exploits the then newly discovered shared memory side channel, which exists to allow window managers to effectively communicate with applications for change in window state. The core contribution of this work is its demonstration that a malicious app can infer UI state transitions by passively observing system-level shared memory statistics, such as shared_vm, private_dirty, and file_rss, which are made available through Linux’s procfs interface. The authors show that these memory metrics change in measurable ways as apps render new UI activities. By monitoring these values over time and modeling UI transitions using a Hidden Markov Model (HMM), they are able to accurately identify foreground app activities with high precision of around 80-90%.

The attacks presented by the authors are both creative and effective. They combine four types of side-channel features: (1) memory statistics, (2) CPU usage, (3) content provider access patterns, and (4) soft keyboard visibility to decode app activities. As discussed before, the attack is stealthy with no permissions or user interactions required. It is also broad in scope (as it is applicable to any app), and has its practicality demonstrated by running it across several popular apps including Gmail, Facebook, and Amazon).

The authors validate their approach on real devices (Samsung Galaxy S3 running Android 4.1 and 4.2), showing that inference accuracy for many apps can reach up to 90% or higher. They also demonstrate creative end-to-end attacks using this UI state inference attack, which are far more serious but use the state inference information. These are attacks such as credential theft via UI hijacking, where an overlay mimics a login screen based on the inferred UI state, and camera peeking, where camera access is requested precisely when the target app’s camera is likely active.

The attack’s effectiveness depends on app structure, UI complexity, and how distinct each activity’s signature is. The authors present that apps like Amazon, with high reuse of activities and aggressive caching, significantly reduce inference accuracy. It is also worth noting that the attack’s accuracy depends on apps having stable, repeatable UI behaviors. Additionally, the Android versions tested are somewhat dated, although the authors argue the underlying OS design issues still persist in newer versions. Overall, the paper makes a significant contribution by exposing a novel attack type in mobile OSes, with important security directions for software design.