Privacy Leakage and Protection of InputConnection Interface in Android

Authors: Hsin-Yi Wang, Wei-Ching Wang, Chun-Ying Huang, Chi-Yu Li
Source: IEEE Transactions on Network and Service Management. 18:3309-3323
Publication Year: 2021
Publisher: Institute of Electrical and Electronics Engineers (IEEE), 2021.

Abstract

Leakage of user credentials has been a conventional security threat for mobile users. In this work, we discover a new leakage threat caused by a vulnerability of the input method framework (IMF) on Android. The vulnerability lies in an IMF interface, called InputConnection, which is dynamically built to deliver user inputs from an active input method (e.g., software keyboard) to WebView, which is an essential Android component rendering Web pages. It allows the IMF interface of a WebView component to be hijacked by the app or the third-party library that embeds the WebView. Such hijacking can be exploited to steal user inputs on the Web pages loaded by the WebView. It can also eavesdrop on input fields of all the Web pages loaded by WebView without user awareness; the attack is self-contained and does not require any external dependency. It does not interrupt, delay, or change normal operations. More threateningly, this attack is easy to launch and works for most Android versions (from 4.4 to 11.0). We conduct a field study including more than 1500 tests on our developed IWH attack app. The result shows that the app can successfully steal user inputs in all the tests and identify the input strings with 98.0% accuracy. We further devise two solutions, a Web-based virtual keyboard and an IMF hijacking guardian, for mobile Web services and the Android platform, respectively. We finally prototype them on a Web server and on an Android framework, respectively, to confirm their effectiveness.

Details

ISSN: 23737379
Volume: 18
Database: OpenAIRE
Journal: IEEE Transactions on Network and Service Management
Accession number: edsair.doi...........7e6634c145975e270ac3fdd737a4a46e