ATT&CK-CN V1.01 Last Update: 2019-11

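Translators: 林妙倩 (cyberspace security intern, Institute for Network Sciences and Cyberspace, Tsinghua University), 戴亦仑 (赛宁网安). This is an original translation; obtain the translators' consent before reproducing it.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1517

Glossary: /attack/glossary

Access Notifications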

A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications.

Tags

ID: T1517

Tactic Type: Post-Adversary Device Access

Tactic: Collection, Credential Access

Platform: Android

Mitigations

| Mitigation | Description |
| --- | --- |
| Application Developer Guidance (M1013) | Application developers could be encouraged to avoid placing sensitive data in notification text. |
| Enterprise Policy (M1012) | On Android devices with a managed work profile (enterprise managed portion of the device), the DevicePolicyManager.setPermittedCrossProfileNotificationListeners method can be used to manage the list of applications (including setting it to an empty list) running within the primary user (personal side of the device) that can see notifications occurring within the managed profile. However, this policy only affects notifications generated within the managed profile, not by the rest of the device. The DevicePolicyManager.setApplicationHidden method can be used to disable unwanted applications that are accessing notifications, but using this method would block that entire application from running. |

Detection

The user can inspect (and modify) the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access).
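The same list can be reviewed across many devices by script. The following is an added example, not part of the ATT&CK entry: it parses the value of the Android secure setting `enabled_notification_listeners` (as printed by `adb shell settings get secure enabled_notification_listeners`) and flags listeners outside an allowlist. The package names, the allowlist and the sample value are constructed for illustration.

```python
# Added example: audit notification-listener grants against an allowlist.
# Input is the text printed by
#   adb shell settings get secure enabled_notification_listeners
# which is a colon-separated list of flattened ComponentNames
# ("package/class"), or the literal "null" when the setting is unset.


def parse_listeners(raw):
    """Return a sorted list of (package, class) tuples from the setting value."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    found = set()
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, sep, cls = entry.partition("/")
        if not sep or not pkg or not cls:
            # Malformed entry: keep it so a reviewer still sees it.
            found.add((entry, ""))
            continue
        if cls.startswith("."):
            # Short form "pkg/.Service" expands to "pkg/pkg.Service".
            cls = pkg + cls
        found.add((pkg, cls))
    return sorted(found)


def audit(raw, allowed_packages):
    """Split listeners into (expected, unexpected) by package name."""
    expected, unexpected = [], []
    for pkg, cls in parse_listeners(raw):
        (expected if pkg in allowed_packages else unexpected).append((pkg, cls))
    return expected, unexpected


# Constructed sample value and allowlist (hypothetical package names).
SAMPLE = ("com.example.launcher/com.example.launcher.NotifService:"
          "com.example.flashlight/.Listener\n")
ALLOWED = {"com.example.launcher"}

if __name__ == "__main__":
    _, review = audit(SAMPLE, ALLOWED)
    for pkg, cls in review:
        print(f"REVIEW notification access: {pkg} ({cls})")
```
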