Presentation is loading. Please wait.

Presentation is loading. Please wait.

Indirect File Leaks in Mobile Applications Daoyuan Wu and Rocky K. C. Chang The Hong Kong Polytechnic University May 21, 2015 1 MoST’15, in conjunction.

Published byVictoria Patterson Modified over 9 years ago

Similar presentations

Presentation on theme: "Indirect File Leaks in Mobile Applications Daoyuan Wu and Rocky K. C. Chang The Hong Kong Polytechnic University May 21, 2015 1 MoST’15, in conjunction."— Presentation transcript:

1 Indirect File Leaks in Mobile Applications Daoyuan Wu and Rocky K. C. Chang The Hong Kong Polytechnic University May 21, 2015 1 MoST’15, in conjunction with S&P’15

2 Prologue Mobile apps are gaining significant popularity. Much of sensitive user information is stored inside mobile apps. – Facebook’s cookie files – Evernote’s private notes – Tencent QQ’s chat logs Sandbox-based app isolation is employed to … 2

3 Indirect File Leak (IFL) attacks 3

4 Contributions Four new mobile IFL attacks – Can affect both Android and iOS – Are exploitable not only locally but also remotely A number of zero-day IFL vulnerabilities – In popular Android and iOS apps – Also a serious SOP issue in the latest iOS 8 system A comparison of Android and iOS’s susceptibility 4

5 An Overview of Our IFL Attacks The sopIFL attacks – Bypass the same-origin policy on browsing interfaces The aimIFL attacks – Execute unauthorized JavaScript directly on target files The cmdIFL attacks – Execute unauthorized commands on cmd interpreters The serverIFL attacks – Send unauthorized file extraction requests to embedded app server deputies 5

6 1. The sopIFL attacks Via breaking the SOP enforcement on: – http://  file:// ( SOPf1 ) – file://a.html  file://b.txt ( SOPf2 ) Our prior work [47] showed that many Android browsers fail to enforce SOPf2. Our this paper shows that even the latest iOS 8 does not properly enforce SOPf2 (also iOS 7). 6 [47] D. Wu and R. Chang. Analyzing Android browser apps for file:// vulnerabilities. In Proc. Springer ISC, 2014.

7 The root problem on SOPf2 The legacy SOP cannot adequately cover the local schemes, such as file://. According to the typical web SOP principle, – Legal for a file A (at file:///dir1/a.html) to access another file B (at file:///dir2/b.txt). – Because the two origins share the same scheme, domain (i.e., 127.0.0.1 or localhost), and port. But in practice, – This legal behavior fails to meet the security requirements for file://, especially in the mobile env. – We call for an enhanced SOP for local schemes, such as adding the “path” element. 7

8 The sopIFL attacks affect many iOS apps Causes: – The by-default vulnerable SOPf2 on iOS – One common app design practice in iOS apps 8

9 iOS’s “open with” feature sopIFL Case Study: Evernote 9 Evernote’s cookie file is stolen

10 sopIFL Case Study: Mail.Ru Just send an email with a crafted attachment! 10 Mail.Ru’s database file is stolen

11 sopIFL Case Study: QQ 11

12 2. The aimIFL attacks Inject and execute unauthorized JavaScripts directly on target files to steal files. – Also leverage browsing interfaces as deputies – But no SOP violation anymore Two types (based on who loads the target file): – aimIFL-1 : the adversary loads Need to come up ways to load – aimIFL-2 : the victim app loads (as an app feature) No need to worry about how to load 12

13 Apps vulnerable to the aimIFL attacks 13

14 The aimIFL-1 attacks via file:// 14

15 The aimIFL-1 attacks via file:// (Baidu’s most valuable vuln. report) 15

16 The aimIFL-1 attacks via content:// (Qihoo 360’s highest bug bounty award) 16

17 3. The cmdIFL attacks Exploit command interpreters as deputies inside victim apps to execute unauthorized commands for file leaks 17

18 The Case of Terminal Emulator 18

19 4. The serverIFL attacks Send unauthorized file extraction requests to embedded app server deputies inside victim apps to obtain private files. 19

20 Android VS iOS in terms of the impact of IFL attacks Implication 1: The common practice in iOS apps to open (untrusted) files in their own app domain could lead to more pervasive and powerful sopIFL attacks on iOS than Android. Implication 2: The randomized app data directory on iOS makes it difficult to conduct the aimIFL-1 attacks on iOS. 20

21 Android VS iOS in terms of the impact of IFL attacks Implication 3: Apple’s strict app review prevents iOS apps from executing bash commands. An adversary therefore cannot find targets to launch the cmdIFL attacks on iOS. Implication 4: iOS generally does not allow background server behavior, which reduces the chance of the serverIFL attacks on iOS. 21

22 Thank you! Questions? 22 https://daoyuan14.github.io/ Daoyuan Wu from HK PolyU daoyuan0x@gmail.com

Download ppt "Indirect File Leaks in Mobile Applications Daoyuan Wu and Rocky K. C. Chang The Hong Kong Polytechnic University May 21, 2015 1 MoST’15, in conjunction."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Analyzing Android Browser Apps for file:// Vulnerabilities Daoyuan Wu and Rocky Chang Oct 13, 2014 The Hong Kong Polytechnic University Information Security.

Analyzing Android Browser Apps for file:// Vulnerabilities Daoyuan Wu and Rocky Chang Oct 13, 2014 The Hong Kong Polytechnic University Information Security.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.

On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Team Members: Brad Stancel,

Team Members: Brad Stancel,
Dynamic Pharming Attacks and Locked Same-Origin Policies For Web Browsers Chris Karlof, J.D. Tygar, David Wagner, Umesh Shankar.

Dynamic Pharming Attacks and Locked Same-Origin Policies For Web Browsers Chris Karlof, J.D. Tygar, David Wagner, Umesh Shankar.
Ethical Hacking by Shivam.

Ethical Hacking by Shivam.
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.

Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.

Similar presentations

Ads by Google