Presented By – Nikhil PAwar

Slides:

Advertisements

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Advertisements

1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.

Developing downloadable mobile apps using HTML5 and PhoneGap Apache Callback Ron Perry, CTO, Worklight Inc.

UNDERSTANDING JAVA APIS FOR MOBILE DEVICES v0.01.

A problem in IMS Learning Design To promote interoperability, few services Local tool frameworks like LAMS have much richer tool environment –Easy provisioning.

Security of Mobile Applications Vitaly Shmatikov CS 6431.

Development of mobile applications using PhoneGap and HTML 5

Native vs hybrid vs web mobile Application

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

Norman SecureSurf Protect your users when surfing the Internet.

UNIT-V The MVC architecture and Struts Framework.

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

By Mihir Joshi Nikhil Dixit Limaye Pallavi Bhide Payal Godse.

Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.

Prevent Cross-Site Scripting (XSS) attack

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

Introduction CIS 136 Building Mobile Apps 1. What is a mobile app? 2  Computer program  Designed for small devices  Smartphones  Tablets  Other handhelds.

Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX.

Chapter 8 Browsing and Searching the Web. Browsing and Searching the Web FAQs: – What’s a Web page? – What’s a URL? – How does a browser work? – How do.

Secure Credential Manager Claes Nilsson - Sony Ericsson

CS378 - Mobile Computing Intents. Allow us to use applications and components that are part of Android System – start activities – start services – deliver.

1 Geospatial and Business Intelligence Jean-Sébastien Turcotte Executive VP San Francisco - April 2007 Streamlining web mapping applications.

2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.

Mobile web Sebastian Lopienski IT Technical Forum 29 June 2012.

ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.

Android Security Model that Provide a Base Operating System Presented: Hayder Abdulhameed.

Webview and Web services. Web Apps You can make your web content available to users in two ways in a traditional web browser in an Android application,

Wireless and Mobile Security

Plug-in Architectures Presented by Truc Nguyen. What’s a plug-in? “a type of program that tightly integrates with a larger application to add a special.

1 Isolating Web Programs in Modern Browser Architectures CS6204: Cloud Environment Spring 2011.

 Web pages originally static  Page is delivered exactly as stored on server  Same information displayed for all users, from all contexts  Dynamic.

 Can access all API’s made available by OS vendor.  SDK’s are platform-specific.  Each mobile OS comes with its own unique tools and GUI toolkit.

Secure Mobile Development with NetIQ Access Manager

If you are thinking about developing mobile application for your customer, this is an important aspect to consider the platform.

丁建文國立高雄應用科大資管系副教授兼任計網中心軟體發展組組長跨平台行動應用軟體開發技術 : HTML5 & Mobile JavaScript Framework 暨南大學.

Java & The Android Stack: A Security Analysis Pragati Ogal Rai Mobile Technology Evangelist PayPal, eBay Java.

INTRODUCING HYBRID APP KAU with MICT PARK IT COMPANIES Supported by KOICA

Phonegap API & Phonegap Bridge CIS 136 Building Mobile Apps 1.

Mary Ganesan and Lora Strother Campus Tours Using a Mobile Device.

What mobile ads know about mobile users

ArcGIS for Server Security: Advanced

PhoneGap, Processing.

Android Mobile Application Development

What Mobile Ads know about mobile users

Introduction to Information and Communication Technologies

What are they? The Package Repository Client is a set of Tcl scripts that are capable of locating, downloading, and installing packages for both Tcl and.

WWW and HTTP King Fahd University of Petroleum & Minerals

Android System Security

Mobile App Development

Apache Cordova Overview

Activities and Intents

Security mechanisms and vulnerabilities in .NET

Automatic Mobile App Generation

CMPE419 Mobile Application Development

SharePoint Cloud hosted Apps

Northbound API Dan Shmidt | January 2017

Analyzing WebView Vulnerabilities in Android Applications

The Application Lifecycle

Model-View-Controller Patterns and Frameworks

Phonegap Bridge Configuration file

SharePoint Online Authentication Patterns

Technical Capabilities

ARCHITECTURE OVERVIEW

CMPE419 Mobile Application Development

Exploring DOM-Based Cross Site Attacks

Running C# in the browser

Web Application Development Using PHP

Security and JavaScript

Presentation transcript:

Presented By – Nikhil PAwar Draco: A System for Uniform and Fine-grained Access Control for Web Code on Android Presented By – Nikhil PAwar

Publication and Authors. ACM Conference on Computer and Communications Security 2016. Güliz Seray Tuncay - UIUC Soteris Demetriou – UIUC Carl A. Gunter - UIUC

Hand Raiser. How many of you are familiar with how websites or web apps work? How many are familiar with JavaScript and HTML5? Lastly Android and iPhone Users?

Mobile App Technology Stacks.

Embedded Browser. Web Container for showing web pages in app context. 85% of the apps in the Google Play store contain at least one embedded browser. Use Cases Displaying web Content Displaying Ads Reuse of web code Hybrid Apps

Webview. A Chromeless/Safariless browser window that’s typically configured to run full screen. A View that displays web pages. Earlier packaged with the OS now ships as a separate downloadable system application. UIWebView : iPhone : Apple’s WebKit. WebView : Android : Chromium : Apple’s webkit

App – web code interaction.

App – web code interaction.

BRIDGES???

App – web code interaction (Channels).

Webview with JavaScript Interfaces. Register a Java object with a specific WebView instance, mWebView. The WebView API allows inserting Java objects into WebViews using the addJavaScriptInterface() method. JavaScript loaded in the WebView can have access to application’s internal Java code, giving web code the ability to interact more tightly with an app, and in some cases get access to system resources.

Webview with JavaScript Event handlers. The WebView API allows developers to handle the alert, prompt and confirm JavaScript events, by registering the onJsAlert(), onJsPrompt() and onJsConfirm() Java callback methods. Whenever the JavaScript side calls any of these event methods, their respective handler will be called, if it is overridden. The developer is free to implement any logic in these event handlers. Used in some hybrid frameworks to connect the web side to the local side

Webview with HTML 5 APIs. The rise of HTML5 has brought in a set of APIs that can give web applications the ability to access device hardware via JavaScript. E.g. Geolocation and getUserMedia, which enable access to GPS and to media devices such as camera and microphone Developer needs to make use of onGeolocationShowPrompt (for geolocation), and onPermissionRequest (for media devices) to grant or deny permission to the requests.

prevalence of webview api.

Ideal Scenario.

Threat Model.

Threat Model.

Threat Model.

Threat Model.

Prior Studies Shortcomings. Limited scope : since they mainly target hybrid apps. Incomplete : since they focus only on protecting permission protected resources (e.g. camera, microphone) Rely on whitelisting policies that always block unknown domains. Ad hoc : since they focus only on a subset of resource access channels.

CASE Study : USPS APP. Developer loaded pages from untrusted domains in the browser instead of the WebView Flawed navigation control logic The developer checks if the loaded URL contains “usps.com” rather than checking if the host’s domain name matches “usps.com”

CASE STUDY : CVS CAREMARK APP. Developers registered two different javascript interfaces with the WebView viz. ‘native’ and ‘WebJSInterface’ Native was meant to be used for internal use only, that is by trusted CVS domains while “WebJSInterface” was meant to be used in a more generic context and by untrusted domains But both of these interfaces belong to the same WebView instance.

TEST ATTACK on CVS CAREMARK APP. The attack domain was able to retrieve personal information (like the user’s name, health care ID, email address, pharmacy preference, and location). Also was able to execute app functions such as using the camera on the victim device for barcode scanning functionality and retrieving images of user’s prescription drugs.

CASE STUDY : JOB SEARCH. Has over 550 lines of code to contain flaws of webview But then the app offers the user the choice of adding web sites as a part of their profile and allowing the user to navigate to these sites! Attack using the JS interface by navigating to test "malicious" website exploiting a vulnerable interface. In this interface, the app offers the device’s unique ID, enabling/disabling Google play.

NEED for change. Redirection to malicious websites OR presence of malicious code in iframes on a non alien origin. Lack on access control mechanism on foreign code of unknown origin. Current disorganized and complex nature of interactions between web origins and applications creates confusion for developers. Faulty implementation of navigation control logic or multiple WebViews with different levels of exposure.

Enter DRACO. Draco, a fine grained, origin-based access control system for WebViews, with Draconian Policy Language (DPL), which allows app developers to declare policy rules dictating how different components within a WebView should be exposed to different web origins. A Draco Runtime System (DRS), which takes policy rules on system and internal app resources (i.e., JavaScript bridges) as an input from the developer and enforces them dynamically when a resource request is made by a web origin.

DPL Grammar.

Additional Features. Supports wild cards for origins in DPL, in order to allow creation of rules that can be applied to any origin. DPL also allows app developers to provide a description message for the user. This can be useful in cases the DPL rule governs resources at a very fine-granularity (e.g. at the method level) which might be challenging for the user to understand. A key aspect of the design of DRS is to avoid any modifications in the Android OS to make DRS easier to both deploy and update. In particular, DRS is built on top of the WebView system app on Android.

Solutions.

Architecture.

RUNTIME DSA Unit.

POLICY AND PERMISSION PARSING.

IN-app RUNTIME.

Summary. How many of you are familiar with how websites or web apps work? How many are familiar with JavaScript and HTML5? Lastly Android and iPhone Users?

Acknowledgement. Darshan Mhatre Divyansh Bhatnagar

References. https://seclab.illinois.edu/wp-content/uploads/2016/10/draco-ccs- 2016.pdf https://myshadesofgray.wordpress.com/2014/04/15/hybrid- applications-and-android-native-browser/ http://developer.telerik.com/featured/what-is-a-webview/

Thank You.