Notify This: Exploiting Android Notifications for Fun and Profit

  • Conference paper
Information Systems Security and Privacy (ICISSP 2018)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 977)

Abstract

In the era of telecommunications, where mobile phones are becoming continuously smarter, how users interact with smartphones plays an essential role, underscored by statistics that reveal a great increase in the time people spend interacting with their smartphones. Notifications are among the basic reasons users turn to their smartphones, and their functionality has been investigated and improved over the last decade. As a result, this mechanism, namely smartphone notifications, has not only been well developed by both OS vendors and app developers, but is also an integral part of the majority of modern mobile applications. This paper analyzes flaws in this fundamental mechanism, as found in the most widespread mobile OS to date, namely Android. After presenting attacks that forge smartphone application notifications and Denial of Service attacks against the user's device, accomplished both locally and remotely, we conclude by proposing generic countermeasures for the security threats in question.

Acknowledgments

This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the OPERANDO project (Grant Agreement no. 653704) and is based upon work from COST Action CRYPTACUS, supported by COST (European Cooperation in Science and Technology). The authors would like to thank ElevenPaths for their valuable feedback and granting them access to Tacyt.

Author information

Corresponding author

Correspondence to Efthimios Alepis.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Alepis, E. (2019). Notify This: Exploiting Android Notifications for Fun and Profit. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2018. Communications in Computer and Information Science, vol 977. Springer, Cham. https://doi.org/10.1007/978-3-030-25109-3_5

  • DOI: https://doi.org/10.1007/978-3-030-25109-3_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-25108-6

  • Online ISBN: 978-3-030-25109-3

  • eBook Packages: Computer Science, Computer Science (R0)
