
Xing Jin, Xunchao Hu, Kailiang Ying, Wenliang Du, Heng Yin, Gautam Nagesh Peri Department of Electrical Engineering & Computer Science Syracuse University.






3 News Covered

4 Outline
- HTML5-based Mobile App and Risk
- Code Injection Attacks on HTML5-based Mobile Apps
- Detection of Code Injection Attacks on HTML5-based Mobile Apps
- Mitigation of Code Injection Attacks on HTML5-based Mobile Apps

5 HTML5-based Mobile App and Risk

6 Cross-Platform Application Development (Windows Phone, ...): How can I develop applications for all the platforms?

7 Overview of HTML5-based Mobile App. PhoneGap connects the WebView (HTML, CSS, JavaScript) to device resources (accelerometer, camera, compass, contacts, file, geolocation, notification, ...) through addJavascriptInterface(). Advantage: the app can be easily ported between different platforms. Disadvantage: a bridge between JavaScript and native resources has to be built.

8 Overview of PhoneGap Architecture

9 Risks in HTML5-based Mobile App (JavaScript): data and code can be mixed together.
    var text = "Hello! <script>alert('hello')</script>";
    document.write(text);
Once it runs, the data will be displayed, and the JavaScript code will also be executed.

10 Code Injection Attacks on HTML5-based Mobile App

11 Cross-Site Scripting Attack (XSS)

12 Overview of our Attack: a much broader attack surface than classic XSS.

13 Condition 1: Attack Channels (NFC, SMS, MP3)

14 Condition 2: Display APIs (triggering code). In our sample set (15,510 apps), 93% of apps use at least one unsafe API/attribute at least once.

15 Vulnerable Code Example
    document.addEventListener("deviceready", onDeviceReady, false);
    function onDeviceReady() {
      window.plugins.barcodeScanner.scan(0, onSuccess, onError);   // Condition 1 (channel: barcode)
    }
    function onSuccess(result) {
      $("#display").html(result.text);   // Condition 2 (vulnerable API: html)
    }
    function onError(contactError) { alert('onError!'); }
    function unrelated() { alert('Unrelated function'); }

16 Achieving Damage
1. Directly attack system resources
2. Propagate to other apps
3. Propagate to other devices

17 Real Vulnerable App Example: a malicious QR code is scanned by a vulnerable app (Android, iOS, Windows Phone), and the user ends up being traced.

18 Real Vulnerable App Example. The malicious code injected through the QR code uses the HTML5 Geolocation API to get the location. The demo only alerts the location information for demonstration purposes; the real damage would be sending the location information to a remote server.

19 Detection of Code Injection Attacks on HTML5-based Mobile App

20 Derive Data Flow Problem. Source: data retrieved using the PhoneGap API. Sink: vulnerable display APIs.

21 Challenges
- C1: Mixture of application and framework code
- C2: Difficulties in static analysis on JavaScript
- C3: Dynamically loaded content
    document.addEventListener("deviceready", onDeviceReady, false);   // C3
    function onDeviceReady() {                                          // C2
      window.plugins.barcodeScanner.scan(0, onSuccess, onError);        // C1
    }
    ……

22 Framework Modeling. Goal: connect the data flow within the PhoneGap framework.
PhoneGap framework model:
    window = { plugins: { barcodeScanner: {
      scan: function scan(mode, suc, err) { exec(suc, err, "barcodeScanner", "scan", [mode]); }
    } } };
    exec = function exec(suc, err, plugin, op, arg) {
      var dat = "fake";   // placeholder standing in for the real plugin result
      suc(dat);
      err(dat);
    };
Data flow: window.plugins.barcodeScanner.scan(0, onSuccess, onError);

23 Static Taint Analysis on Slice. Goal: accurately detect the taint slice by backward slicing from vulnerable APIs.
    document.addEventListener("deviceready", onDeviceReady, false);
    function onDeviceReady() {
      window.plugins.barcodeScanner.scan(0, onSuccess, onError);   // window.plugins.barcodeScanner.scan (Source)
    }
    function onSuccess(result) {
      $("#display").html(result.text);   // onSuccess() -> .html() (Sink)
    }
    function onError(contactError) { alert('onError!'); }
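To make the purpose of the framework model (slide 22) concrete for the slide-15 app, here is an added example that is not the authors' tool: it replaces the paper's static slicing with a run of the app code against a model in which the bridge hands back taint-marked data and the modelled jQuery sinks report when that data reaches .html(). The String-object trick and the model's API names (exec, scan, fire) are this example's own assumptions.

```javascript
const TAINT = Symbol('taint');
const isTainted = (v) => v !== null && typeof v === 'object' && TAINT in v;

// Model of the PhoneGap bridge: exec() hands the success callback a fake
// result, as the slide-22 model does, but the text is a String object so it
// can carry a mark naming its source. Assumption: the mark survives only as
// long as the app passes this object around; concatenation would drop it.
function makeModel(findings) {
  function exec(suc, err, plugin, op, args) {
    const text = new String('fake');
    text[TAINT] = `${plugin}.${op}`;   // records where the data came from
    suc({ text });
  }
  const window = { plugins: { barcodeScanner: {
    scan: (mode, suc, err) => exec(suc, err, 'barcodeScanner', 'scan', [mode]),
  } } };
  // Modelled jQuery display APIs: .html() interprets markup (unsafe sink),
  // .text() inserts data only and is not reported.
  const $ = (selector) => ({
    html(v) { if (isTainted(v)) findings.push({ selector, sink: 'html', source: v[TAINT] }); },
    text(v) { /* data-only sink, nothing to report */ },
  });
  const listeners = {};
  const document = { addEventListener: (ev, fn) => { listeners[ev] = fn; } };
  return { window, $, document, fire: (ev) => listeners[ev] && listeners[ev]() };
}

// Loads the app's JavaScript against the model, fires deviceready and returns
// every call in which marked data reached a code-interpreting sink.
function findTaintedSinks(appSource) {
  const findings = [];
  const m = makeModel(findings);
  new Function('window', '$', 'document', appSource)(m.window, m.$, m.document);
  m.fire('deviceready');
  return findings;
}

// Constructed inputs: the slide-15 handler, and the same app using .text().
const VULNERABLE_APP = `
  document.addEventListener("deviceready", onDeviceReady, false);
  function onDeviceReady() { window.plugins.barcodeScanner.scan(0, onSuccess, onError); }
  function onSuccess(result) { $("#display").html(result.text); }
  function onError(contactError) { }
`;
const SAFE_APP = VULNERABLE_APP.replace('.html(result.text)', '.text(result.text)');

console.log(findTaintedSinks(VULNERABLE_APP)); // one finding: #display .html() from barcodeScanner.scan
console.log(findTaintedSinks(SAFE_APP));       // []
```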

24 Evaluation
Performance:
- 15,510 apps from the official Google Play Market
- Hardware spec: Intel Core i GHz with 16 GB RAM
- Average processing time: sec/app
Accuracy:
- 478/15,510 flagged as vulnerable
- False positive rate: 2.30% (because of dead code)

25 Case Study: selected 20 apps (the most powerful ones)

26 Other Static Analysis in Android
- Privilege escalation (Permission): Stowaway, PScout, Woodpecker
- Component hijacking (Intent): CHEX, ContentScope, ComDroid, AppSealer
- SSL/TLS: SMV-HUNTER, MalloDroid, CryptoLint

27 Mitigation of Code Injection Attacks on HTML5-based Mobile App

28 Mitigation. In the PhoneGap framework (Java), the plugins (camera, contact, SMS, ...) return their results through the Plugin Manager and the JSMessage Queue, which deliver them over the addJavascriptInterface bridge to the WebView (HTML5, CSS, JavaScript). The mitigation adds a filter (jsoup) inside the Plugin Manager, so plugin data is cleaned before it reaches the JSMessage Queue and the app's JavaScript.
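The bridge-side filter described above, as an added example that is not the NoInjection patch itself: NoInjection filters with jsoup in Java, whereas this stand-in escapes the characters that would let plugin data be parsed as markup, and applies that recursively to every string in a plugin result. The function names and the scanned record are this example's own constructions.

```javascript
// Escape the five characters that let a string be interpreted as HTML.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESCAPES[c]);

// Walk a plugin result (string, array or object) and escape every string,
// so nested payloads such as contact records are covered, not only .text.
function filterPluginResult(value) {
  if (typeof value === 'string') return escapeHtml(value);
  if (Array.isArray(value)) return value.map(filterPluginResult);
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, filterPluginResult(v)]),
    );
  }
  return value; // numbers, booleans and null pass through unchanged
}

// Bridge model (assumed name): the filter sits between the plugin and the
// success callback, so app code that later calls .html(result.text) only
// receives inert text.
function bridgeExec(pluginResult, suc) {
  suc(filterPluginResult(pluginResult));
}

// Constructed barcode result: a QR code carrying markup with a script element.
const SCANNED = { text: '<b>item 42</b><script>run()</script>', format: 'QR_CODE', cancelled: false };
let delivered;
bridgeExec(SCANNED, (r) => { delivered = r; });
console.log(delivered.text); // &lt;b&gt;item 42&lt;/b&gt;&lt;script&gt;run()&lt;/script&gt;
```

Escaping keeps the data literal, so an app that legitimately shows formatted HTML from a plugin would lose its formatting; jsoup's whitelist approach in NoInjection keeps harmless markup and removes only code.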

29 WiFi Demo (SSID length limitation: each SSID < 32, so the demo needs to use jQuery)

30 Demo (Video)

31 Conclusion
- Presented a systematic study of code injection attacks on HTML5-based mobile apps
- Designed and implemented a tool to automatically detect the vulnerabilities in HTML5-based mobile apps
- Implemented a prototype (NoInjection) as a patch to the PhoneGap framework on Android to mitigate the attack

32 Thanks! Q & A. Would you scan this?

