VButton: Practical Attestation of User-driven Operations in Mobile Apps

Abstract

More and more malicious apps and mobile rootkits are found to perform sensitive operations on behalf of legitimate users without their awareness. Malware does so by either forging user inputs or tricking users into making unintended requests to online service providers. Such malware is hard to detect and generates large revenues for cybercriminals, which is often used for committing ad/click frauds, faking reviews/ratings, promoting people or business on social networks, etc. We find that this class of malware is possible due to the lack of practical and robust means for service providers to verify the authenticity of user-driven operations (i.e., operations supposed to be performed, or explicitly confirmed, by a user). We design and build the VButton system to fill this void. Our system introduces a class of attestation-enabled app UI widgets (called VButton UI). Developers can easily integrate VButton UI in their apps to allow service providers to verify that a user-driven operation triggered by a VButton UI is indeed initiated and intended by a real user. Our system contains an on-device Manager, and a server-side Verifier. Leveraging ARM TrustZone, our system can attest operation authenticity even in the presence of a compromised OS. We have implemented the VButton system on an ARM development board as well as a commercial off-the-shelf smartphone. The evaluation results show that the system incurs negligible overhead.