Knock-Knock: The unbearable lightness of Android Notifications
The paper addresses a practical security problem for Android users and developers by exposing risks in a widely used interaction mechanism, although its contribution is incremental, building on already known weaknesses of the OS.
It examines security weaknesses in Android Notifications and shows how an adversary can exploit them either to forge notifications that phish for sensitive information or to launch Denial of Service attacks, locally and remotely, that render the device unusable.
Android Notifications are an essential part of human-smartphone interaction and an inseparable component of modern mobile applications, facilitating user interaction and improving the user experience. This paper presents how this well-crafted and thoroughly documented mechanism, provided by the OS, can be exploited by an adversary. More precisely, we present attacks that either forge smartphone application notifications to lure the user into disclosing sensitive information, or manipulate Android Notifications to launch a Denial of Service attack against the user's device, locally and remotely, rendering it unusable. The paper concludes by proposing generic countermeasures for the discussed security threats.