Clickjacking是一個新型的網路攻擊,又稱做UI redress attack。Clickjacking通常發生在使用者嘗試點擊網頁上面的元素,但是這些元素上方覆蓋一層透明的元素,導致使用者不小心點擊到這些透明的元素。這些透明的元素,通常就是攻擊者想要使用者點擊的元素。 當這類Clickjacking攻擊發生在智慧型手機上時,這類攻擊又稱為Tapjacking攻擊。Tapjacking攻擊又可分為兩種,分為在瀏覽器上和非瀏覽器上的攻擊。這篇論文著重在非瀏覽器上的攻擊,因為這類攻擊造成比較嚴重的影響。我們重新還原了實際的攻擊情況,來證明Android提供的解決方法還是有缺陷。因此,這篇論文提供了一個新的防禦方法TCGM,來對抗非瀏覽器上的Tapjacking攻擊。 TCGM可以自動化阻擋非瀏覽器上的Tapjacking攻擊,而且非常有效果。不只如此,TCGM可以很輕鬆地整合進現有的Android framework。現有的手機廠商,甚至Google都可以很輕鬆的採用TCGM。 ;Clickjacking is a kind of cyber attacks, also known as UI redress attack. Clickjacking happens when the user clicks on the element, which is set to be transparent and put on top of the other visible element. When the user wants to click on the visible element, he actually clicks on the transparent element without his attention. When clickjacking occurred on smartphones, there is a new term called “Tapjacking”. Tapjacking can be divided into two types, desktop-based UI redress attack and browserless UI redress attack. We focus on browserless tapjacking attack and construct a real world browserless tapjacking attack to prove that there are still some problems on the existing tapjacking solution provided by Android. Besides, this thesis also proposes a new solution “TCGM” against browserless tapjacking attack. Our solution “TCGM” can stop browserless tapjacking attack automatically and effectively unlike existing Android solution, which needs to be enabled manually. Moreover, our solution can be integrated into existing Android framework with ease and only a few lines of code need to be inserted.
