In my view, the core issue here is that Android's permissions system doesn't consider "Running in the background" and "Accessing the Internet" to be things that apps need to ask the user for permission and the user can restrict.

This attack wouldn't work if every app, even an "offline game", has those implicit permissions by default. Many apps should at most have "Only while using the app" permission to access the Internet. Which would not be complete protection -- there's always the risk you misclick on a now-malicious app that you never use -- but it would make the attack far less effective.

> I am an app developer. How do I protect my users? > We are not aware of mitigation strategies to protect apps against Pixnapping. If you have any insights into mitigations, please let us know and we will update this section.

IDK, I think there are obvious low-hanging attempts [0] such as: do not display secret codes in stable position on screen? Hide it when in background? Move it around to make timing attacks difficult? Change colours and contrast (over time)? Static noise around? Do not show it whole at the time (not necessarily so that user could observe it: just blink parts of it in and out maybe)? Admittedly, all of this will harm UX more or less, but in naïve theory should significantly raise demands for the attacker.

[0] Provided the target of the secret stealing is not in fact some system static raster snapshot containing the secret, cached for task switcher or something like that.

It's not exactly a new technique but it's effective for most super targeted attacks, honestly it seems if you were this inclined to be able to get a specific app on the users phone, you might as well just work off the Android app you've already gotten delivered to the users phone. Like Facebook.

Throw a privacy notice to the users "This app will take periodic screenshots of your phone" You'd be amazed how many people will accept it.

> Did you release the source code of Pixnapping? We will release the source code at this link once patches become available: https://github.com/TAC-UCB/pixnapping

It's not exactly impossible to reverse what's happening here. You could have waited until it was patched but sounds like you wanted to get your own attention as soon as possible.

Note that for TOTP the attack is only feasible if the font and pixel-perfect positions on the screen are known:

> The attacks described in Section 5 take hours to steal sensitive screen regions—placing certain categories of ephemeral secrets out of reach for the attacker app. Consider for example 2FA codes. By default, these 6-digit codes are refreshed every 30 seconds [38]. This imposes a strict time limit on the attack: if the attacker cannot leak the 6 digits within 30 seconds, they disappear from the screen

> Instead, assuming the font is known to the attacker, each secret digit can be differentiated by leaking just a few carefully chosen pixels

I would say this is a nice & clever attack vector by calculating from rendering time aka side channeling. Kudos to the researchers though it would take lot of time and capture pixels even for Google authenticator. My worry is now how much of this could be reproduced to steal OTP from messages.

Given to rise of well defined templates (accurately vibe coding design for example: GitHub notification emails) phishing via email, I have literally stopped clicking links email and now I have stop launching apps from intent directly (say open with). Better to open manually and perform such operation + remove useless apps but people underestimate the attack surface (it can come through sdk, web page intents)

I'm no expert in security, but I'm guessing if you install an app on a Windows Desktop computer it can do more chaos faster and more discreetly than pixnapping can on Android.

If you use the same password on two websites, any one of the two websites can use it to log you it in the second website (if it doesn't have an extra layer of security).

On paper security is pretty weak yet in practice these attacks are not very common or easy to do.

I was looking for a nice browser game, just judging by the name.

Discussion: https://news.ycombinator.com/item?id=45574613

undefined

Modern devices are simply too complex to be completely secure.

We have this tendency of adding more and more "features", more and more functionality 85% of which nobody asked for or has use for.

I believe that there will be a market for a small, bare bones secure OS in the future. Akin to how freeBSD is being run.

Seems like the only real solution would be to have a dedicated device just for 2fa

Not a phone designer, but could we imagine a new class of screen region which is excluded from screen grab, draw over and soft focus with a mask, and then notification which do otp or pin subscribe to use it?

The best defence seems to be to configure your 2FA app to require biometrics. I'm not sure why they didn't mention this option.

This is wild.

Don't extra security measures in authenticator apps provide protection against this? I need to enter a pin/fingerprint in order to access my codes. And the code of an entry is hidden and only temporarily shown after being tapped.

Things like this make me wonder if the social media giants use attacks like these to gain certain info about you and advertise to you that way.

Either that or Meta's ability to track/influence emotional state by behaviour is that good that they can advertise to me things I've only thought of and not uttered or even searched anywhere.

interesting

My takeaway:

Do not install apps. Use websites.

Apps have way too much permissions, even when they have "no permissions".

You know it's serious because it's got a domain and a logo. Even security researchers gotta create engagement and develop their brand.

[dead]

[dead]

Huh. I don’t know that I’ve seen a whole domain name registered, for a paper on a single CVE, before.