Philipp Beer

PhD student at TU Wien exploring the intersection of Web and mobile security.

My research is centered on identifying and mitigating security issues and vulnerabilities within mobile-Web ecosystems. I hold a BSc and an MSc degree from TU Wien, where I am a member of the Security and Privacy Research Unit.

When I'm away from the keyboard, I spend my time on the bike, running, and doing HIIT. You'll usually find me listening to indie music (folk, rock, and pop) or catching a movie in the cinema.

No, that's not my dog :(

Work: philipp [dot] beer [at] tuwien [dot] ac [dot] at
Personal: philipp [at] beerphilipp [dot] com


Publications

TapTrap: Animation-Driven Tapjacking on Android (new)

Philipp Beer, Marco Squarcina, Sebastian Roth, Martina Lindorfer
USENIX Security Symposium (USENIX), August 2025

Users interact with mobile devices under the assumption that the graphical user interface (GUI) accurately reflects their actions, a trust fundamental to the user experience. In this work, we present TapTrap, a novel attack that enables zero-permission apps to exploit UI animations to undermine this trust relationship. TapTrap can be used by a malicious app to stealthily bypass Android’s permission system and gain access to sensitive data or execute destructive actions, such as wiping the device without user approval. Its impact extends beyond the Android ecosystem, enabling tapjacking and Web clickjacking. TapTrap is able to bypass existing tapjacking defenses, as those are targeted toward overlays. Our novel approach, instead, abuses activity transition animations and is effective even on Android 15. We analyzed 99,705 apps that we downloaded from the Play Store to assess whether TapTrap is actively exploited in the wild. Our analysis found no evidence of such exploitation. Additionally, we conducted a large-scale study on these apps and discovered that 76.33% of apps are vulnerable to TapTrap. Finally, we evaluated the real-world feasibility of TapTrap through a user study with 20 participants, showing that all of them failed to notice at least one attack variant. Our findings have resulted in two assigned CVEs.

@inproceedings{taptrap_beer,
  author    = {Philipp Beer and Marco Squarcina and Sebastian Roth and Martina Lindorfer},
  title     = {{TapTrap: Animation-Driven Tapjacking on Android}},
  booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
  year      = {2025},
  address   = {Seattle, WA},
  publisher = {USENIX Association},
  month     = aug
}

Tabbed Out: Subverting the Android Custom Tab Security Model

Philipp Beer, Marco Squarcina, Lorenzo Veronese, Martina Lindorfer
IEEE Symposium on Security and Privacy (S&P), May 2024

Mobile operating systems provide developers with various mobile-to-Web bridges to display Web pages inside native applications. A recently introduced component called Custom Tab (CT) provides an outstanding feature to overcome the usability limitations of traditional WebViews: it shares the state with the underlying browser. Similar to traditional WebViews, it can also keep the host application informed about ongoing Web navigations. In this paper, we perform the first systematic security evaluation of the CT component and show how the design of its security model did not consider cross-context state inference attacks when the feature was introduced. Additionally, we show how CTs can be exploited for fine-grained exfiltration of sensitive user browsing data, violation of Web session integrity by circumventing SameSite cookies, and how UI customization of the CT component can lead to phishing and information leakage. To assess the prevalence of CTs in the wild and the practicality of the mitigation strategies we propose, we carry out the first large-scale analysis of CT usage on over 50K Android applications. Our analysis reveals that their usage is widespread, with 83% of applications embedding CTs either directly or as part of a library.

We have responsibly disclosed all our findings to Google, which has already taken steps to apply targeted mitigations, assigned three CVEs for the discovered vulnerabilities, and awarded us $10,000 in bounties. Our interaction with Google led to clarifications of the CT security model in the new Chrome Custom Tabs Security FAQ document.

@inproceedings{beer_sp24,
    title = {{Tabbed Out: Subverting the Android Custom Tab Security Model}},
    author = {Beer, Philipp and Squarcina, Marco and Veronese, Lorenzo and Lindorfer, Martina},
    booktitle = {Proceedings of the 45th IEEE Symposium on Security and Privacy (S\&P)},
    location = {San Francisco, CA, USA},
    year = {2024},
    doi = {10.1109/SP54263.2024.00105}
}

The Bridge between Web Applications and Mobile Platforms is Still Broken

Philipp Beer, Lorenzo Veronese, Marco Squarcina, Martina Lindorfer
IEEE Workshop on Designing Security for the Web (SecWeb), May 2022

The traditional way for users to access web content on mobile devices is by loading websites in a standalone browser like Google Chrome or Firefox. Websites and recently also Progressive Web Applications (PWAs) can, however, not only be rendered in such standalone browsers, but also in so-called mobile Web Views embedded in native mobile applications. PWAs are a new paradigm in web development that brings native app-like features, such as push notifications and offline usage, to the Web. We investigate the security of those Web Views at the intersection of application security and web security and present two new attacks: (1) an attack in which Android’s Custom Tab browser feature serves as a cross-site oracle to infer information about a user on target websites and (2) a vulnerability in Web View plugins of two third-party development frameworks that allows an attacker to use a vulnerable application to access the victim’s microphone and camera stealthily. We perform a preliminary real-world evaluation on the top 250 free Android applications and find that 5% of those that request microphone or camera permissions are potentially vulnerable to the Web View attack.

@misc{beer_secweb22,
    title = {{The Bridge between Web Applications and Mobile Platforms is Still Broken}},
    author = {Beer, Philipp and Veronese, Lorenzo and Squarcina, Marco and Lindorfer, Martina},
    booktitle = {3rd IEEE Workshop on Designing Security for the Web (SecWeb)},
    location = {San Francisco, CA, USA},
    year = {2022}
}

Talks & Presentations

Meta XS-Leaks Summit 2023

Cross-Context State Inference Attacks on Custom Tabs on Android
London, United Kingdom (September 2023)

Mobile operating systems provide developers with various mobile-to-Web bridges to display Web pages inside native applications. The Custom Tab (CT) mechanism provides two outstanding features to overcome the usability and security limitations of traditional WebViews: (1) it shares the state with the underlying browser, and (2) it can send information about navigations to the host application. In this presentation, we will discuss our systematic security evaluation of the CT component and show how the design of its security model did not consider cross-context state inference attacks. Additionally, we show how CTs can be exploited for fine-grained exfiltration of sensitive user browsing data, violation of Web session integrity by circumventing SameSite cookies, and how UI customization of the CT component can lead to phishing and information leakage.

CVEs

CVE-2025-3067 | Chrome | 8.8 (High)

Tapjacking on Chrome for Android.

CVE-2025-1939 | Firefox | 3.9 (Low)

Tapjacking on Firefox for Android.

CVE-2023-3736 | Chrome | 4.3 (Medium)

Cross-origin information leakage on Chrome for Android.

CVE-2022-4926 | Chrome | 6.5 (Medium)

SameSite cookie bypass on Chrome for Android.

CVE-2022-4188 | Chrome | 4.3 (Medium)

Injection of CORS-safelisted headers on Chrome for Android.