WindowGuard: Systematic Protection of GUI Security in Android

Cited by: 17
Authors
Ren, Chuangang [1]
Liu, Peng [1]
Zhu, Sencun [1]
Affiliations
[1] Penn State Univ, University Pk, PA 16802 USA
Funding
U.S. National Science Foundation;
Keywords
DOI
10.14722/ndss.2017.23529
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
Android graphic user interface (GUI) system plays an important role in rendering app GUIs on display and interacting with users. However, the security of this critical subsystem remains under-investigated. In fact, Android GUI has been plagued by a variety of GUI attacks in recent years. GUI attack refers to any harmful behavior that attempts to adversely affect the integrity or availability of the GUIs belonging to other apps. These attacks are real threats and can cause severe consequences, such as sensitive user information leakage, user device denial of service, etc. Given the seriousness and rapid growth of GUI attacks, we are in a pressing need for a comprehensive defense solution. Nevertheless, existing defense methods fall short in defense coverage, effectiveness and practicality. To overcome these challenges, we systematically scrutinize the security implications of Android GUI system design and propose a new security model, Android Window Integrity (AWI), to comprehensively protect the system against GUI attacks. The AWI model defines the user session to be protected and the legitimacy of GUI system states in the unique mobile GUI environment. By doing so, it can protect a normal user session against arbitrary manipulation by attackers, and still preserve the original user experience. Our implementation, WindowGuard, enforces the AWI model and responds to a suspicious behavior by briefing the user about a security event and asking for the final decision from the user. This design not only improves the detection accuracy, but also makes WindowGuard more usable and practical to meet diverse user needs. WindowGuard is implemented as an Xposed module, making it practical to be quickly deployed on a large number of user devices. Our evaluation shows that WindowGuard can successfully detect all known GUI attacks, while yielding small impacts on user experience and system performance.
Pages: 13
Related papers
50 in total
  • [21] Guigle: A GUI Search Engine for Android Apps
    Bernal-Cardenas, Carlos
    Moran, Kevin
    Tufano, Michele
    Liu, Zichang
    Nan, Linyong
    Shi, Zhehan
    Poshyvanyk, Denys
    2019 IEEE/ACM 41ST INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING: COMPANION PROCEEDINGS (ICSE-COMPANION 2019), 2019, : 71 - 74
  • [22] A Technique for Parallel GUI Testing of Android Applications
    Tramontana, Porfirio
    Amatucci, Nicola
    Fasolino, Anna Rita
    TESTING SOFTWARE AND SYSTEMS, ICTSS 2020, 2020, 12543 : 169 - 185
  • [23] Reducing Combinatorics in GUI Testing of Android Applications
    Mirzaei, Nariman
    Garcia, Joshua
    Bagheri, Hamid
    Sadeghi, Alireza
    Malek, Sam
    2016 IEEE/ACM 38TH INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING (ICSE), 2016, : 559 - 570
  • [24] Class Coverage GUI Testing for Android Applications
    Subramanian, Sathyanarayanan
    Singleton, Thomas
    El Ariss, Omar
    2016 INTERNATIONAL CONFERENCE ON SYSTEM RELIABILITY AND SCIENCE (ICSRS 2016), 2016, : 84 - 89
  • [25] Sentinel: generating GUI tests for sensor leaks in Android and Android wear apps
    Wu, Haowei
    Zhang, Hailong
    Wang, Yan
    Rountev, Atanas
    SOFTWARE QUALITY JOURNAL, 2020, 28 (01) : 335 - 367
  • [26] Sentinel: generating GUI tests for sensor leaks in Android and Android wear apps
    Haowei Wu
    Hailong Zhang
    Yan Wang
    Atanas Rountev
    Software Quality Journal, 2020, 28 : 335 - 367
  • [27] PATDROID: Permission-Aware GUI Testing of Android
    Sadeghi, Alireza
    Jabbarvand, Reyhaneh
    Malek, Sam
    ESEC/FSE 2017: PROCEEDINGS OF THE 2017 11TH JOINT MEETING ON FOUNDATIONS OF SOFTWARE ENGINEERING, 2017, : 220 - 232
  • [28] Malicious Behavior Analysis of Android GUI Based on ADB
    Yang, Li
    Wang, Lijun
    Zhang, Dongdong
    2017 IEEE INTERNATIONAL CONFERENCE ON COMPUTATIONAL SCIENCE AND ENGINEERING (CSE) AND IEEE/IFIP INTERNATIONAL CONFERENCE ON EMBEDDED AND UBIQUITOUS COMPUTING (EUC), VOL 2, 2017, : 147 - 153
  • [29] A Survey of Android GUI Automated Testing
    杨艺
    王嬉
    赵春蕾
    步志亮
    Computer Science (计算机科学), 2022, 49 (S2) : 756 - 765
  • [30] Evaluating a GUI Development Tool for Internet of Things and Android
    Johnsson, Bjorn A.
    Host, Martin
    Magnusson, Boris
    PRODUCT-FOCUSED SOFTWARE PROCESS IMPROVEMENT (PROFES 2016), 2016, 10027 : 181 - 197