Research On Exploitation And Defense Of Clickjacking Vulnerability In Android System

In recent years, with the popularity of mobile Internet, mobile network traffic increase greatly. Methods of users accessing to the Internet have become increasingly diverse, more and more users choose mobile phones or other mobile platform to access to the Internet. With the development of mobile Internet transmission capacity and the mobile intelligent terminal, mobile terminals can realize more and more function, and now users can not only realize functions such as web browsing on a mobile device, but also achieve functions of financial payment, mobile office, social network and so on. Therefore, the mobile Internet security has received widespread concern and attention.Web security is an important part of traditional Internet security. In the traditional desktop platform web attacks such as XSS(Cross-Site Scripting), CSRF(Cross-Site Request Forgery), Clickjacking etc. caused a lot of harm. With the development of mobile Internet, such attacks occur gradually in mobile platforms.In this dessertation we research the clickjacking attack in traditional desktop platform, analyzing the means to exploit vulnerabilities of different attacks, as well as the attacks combined other Web attacks.At the same time we research some existing Clickjacking attack defense methods, including X-Frame-Options and Frame Busting. After that, we research the exploitation of Clickjacking vunlnerabilities the Android system. The main advantage of this type of attack in Android systems and other mobile platforms is the use of specific attributes as the traditional method of Clickjacking defense will be ineffective.As the traditional methods of Clickjacking defense is ineffective in the Android mobile platform system, we presents a Clickjacking defense method based on visual integrity. The method can remind users or restrict users' privileges by detecting the visual integrity of the web page. As the causes of Clickjacking is the compromise of visual integrity, the content what user sees does not match the actual page content, so this defense method could mitigate most kinds of Clickjacking attacks.