Journal: 《计算机应用与软件》 (Computer Applications and Software)

Research on Detection Methods for Clickjacking Attacks on Smartphones

         

Abstract

Clickjacking achieves its goal by luring victims into clicking disguised interface elements. In the mobile internet environment, smartphone characteristics such as screen features, gesture recognition and strong HTML5 support become new points that clickjacking can exploit. This paper analyses these vulnerable smartphone characteristics in depth and verifies them experimentally, and on this basis presents potential clickjacking attack schemes on smartphones. It then designs and implements a targeted detection scheme. The scheme extracts attack features from two perspectives, the static page and dynamic behaviour, and performs rule-based quantitative assessment and combined judgement. Experimental results show that the scheme effectively reduces the false negatives and false positives of traditional page-feature detection schemes.
