Indirect File Leaks in Mobile Applications Daoyuan Wu and Rocky K. C. Chang The Hong Kong Polytechnic University May 21, 2015 1 MoST’15, in conjunction.

Slides:



Advertisements
Similar presentations
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Advertisements

Nick Feamster CS 6262 Spring 2009
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Analyzing Android Browser Apps for file:// Vulnerabilities Daoyuan Wu and Rocky Chang Oct 13, 2014 The Hong Kong Polytechnic University Information Security.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
On the Privacy of Private Browsing Kiavash Satvat, Matt Forshaw, Feng Hao, Ehsan Toreini Newcastle University DPM’13.
By Hiranmayi Pai Neeraj Jain
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane
EECS 354 Network Security Cross Site Scripting (XSS)
Team Members: Brad Stancel,
Dynamic Pharming Attacks and Locked Same-Origin Policies For Web Browsers Chris Karlof, J.D. Tygar, David Wagner, Umesh Shankar.
Ethical Hacking by Shivam.
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.
Web server security Dr Jim Briggs WEBP security1.
Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Cracking Windows Access Control Andrey Kolishchak Hack.lu 2007.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
OWASP Mobile Top 10 Why They Matter and What We Can Do
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Presentation By Deepak Katta
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
Prevent Cross-Site Scripting (XSS) attack
CSCI 6962: Server-side Design and Programming Secure Web Programming.
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.
Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.
Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.
Course code: ABI 204 Introduction to E-Commerce Chapter 5: Security Threats to Electronic Commerce AMA University 1.
Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Topic 5: Basic Security.
THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.
1. Same-origin Policy For JS JS on a site can read data only from the same site Protects a user’s confidential data from other sites.
University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,
Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.
Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.
Title of Presentation DD/MM/YYYY © 2015 Skycure Why Are Hackers Winning the Mobile Malware Battle.
MobileSecurity Vulnerability Assessment Tools for the Enterprise Mobile Security Vulnerability Assessment Tools for the Enterprise Integrating Mobile/BYOD.
VULN SCANNING Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.
No Escape From Reality: Security and Privacy of Augmented Reality Browsers WWW '15.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/18/2015.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.
By: Chuqing He. Android Overview - Purchased by Google in First Android Phone was sold in Oct Linux-based - Holds 75% of the worldwide.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
What mobile ads know about mobile users
Database and Cloud Security
Google’s Gruyere1 : An XSS Example Presented by: Terry Gregory
NodeJS Security Using PassportJS and HelmetJS:
TOPIC: Web Security (Part-4)
World Wide Web policy.
Android System Security
TaintART: A Practical Multi-level Information-Flow Tracking System for Android RunTime Sadiq Basha.
CSC 495/583 Topics of Software Security Web Browser Security (2)
Stealing Credentials.
Motivation and Problem Statement
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems
Cross Site Request Forgery (CSRF)
The Heartbleed Bug and Attack
Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago
SHELLSHOCK ATTACK.
Presentation transcript:

Indirect File Leaks in Mobile Applications Daoyuan Wu and Rocky K. C. Chang The Hong Kong Polytechnic University May 21, MoST’15, in conjunction with S&P’15

Prologue Mobile apps are gaining significant popularity. Much of sensitive user information is stored inside mobile apps. – Facebook’s cookie files – Evernote’s private notes – Tencent QQ’s chat logs Sandbox-based app isolation is employed to … 2

Indirect File Leak (IFL) attacks 3

Contributions Four new mobile IFL attacks – Can affect both Android and iOS – Are exploitable not only locally but also remotely A number of zero-day IFL vulnerabilities – In popular Android and iOS apps – Also a serious SOP issue in the latest iOS 8 system A comparison of Android and iOS’s susceptibility 4

An Overview of Our IFL Attacks The sopIFL attacks – Bypass the same-origin policy on browsing interfaces The aimIFL attacks – Execute unauthorized JavaScript directly on target files The cmdIFL attacks – Execute unauthorized commands on cmd interpreters The serverIFL attacks – Send unauthorized file extraction requests to embedded app server deputies 5

1. The sopIFL attacks Via breaking the SOP enforcement on: –  file:// ( SOPf1 ) – file://a.html  file://b.txt ( SOPf2 ) Our prior work [47] showed that many Android browsers fail to enforce SOPf2. Our this paper shows that even the latest iOS 8 does not properly enforce SOPf2 (also iOS 7). 6 [47] D. Wu and R. Chang. Analyzing Android browser apps for file:// vulnerabilities. In Proc. Springer ISC, 2014.

The root problem on SOPf2 The legacy SOP cannot adequately cover the local schemes, such as file://. According to the typical web SOP principle, – Legal for a file A (at file:///dir1/a.html) to access another file B (at file:///dir2/b.txt). – Because the two origins share the same scheme, domain (i.e., or localhost), and port. But in practice, – This legal behavior fails to meet the security requirements for file://, especially in the mobile env. – We call for an enhanced SOP for local schemes, such as adding the “path” element. 7

The sopIFL attacks affect many iOS apps Causes: – The by-default vulnerable SOPf2 on iOS – One common app design practice in iOS apps 8

iOS’s “open with” feature sopIFL Case Study: Evernote 9 Evernote’s cookie file is stolen

sopIFL Case Study: Mail.Ru Just send an with a crafted attachment! 10 Mail.Ru’s database file is stolen

sopIFL Case Study: QQ 11

2. The aimIFL attacks Inject and execute unauthorized JavaScripts directly on target files to steal files. – Also leverage browsing interfaces as deputies – But no SOP violation anymore Two types (based on who loads the target file): – aimIFL-1 : the adversary loads Need to come up ways to load – aimIFL-2 : the victim app loads (as an app feature) No need to worry about how to load 12

Apps vulnerable to the aimIFL attacks 13

The aimIFL-1 attacks via file:// 14

The aimIFL-1 attacks via file:// (Baidu’s most valuable vuln. report) 15

The aimIFL-1 attacks via content:// (Qihoo 360’s highest bug bounty award) 16

3. The cmdIFL attacks Exploit command interpreters as deputies inside victim apps to execute unauthorized commands for file leaks 17

The Case of Terminal Emulator 18

4. The serverIFL attacks Send unauthorized file extraction requests to embedded app server deputies inside victim apps to obtain private files. 19

Android VS iOS in terms of the impact of IFL attacks Implication 1: The common practice in iOS apps to open (untrusted) files in their own app domain could lead to more pervasive and powerful sopIFL attacks on iOS than Android. Implication 2: The randomized app data directory on iOS makes it difficult to conduct the aimIFL-1 attacks on iOS. 20

Android VS iOS in terms of the impact of IFL attacks Implication 3: Apple’s strict app review prevents iOS apps from executing bash commands. An adversary therefore cannot find targets to launch the cmdIFL attacks on iOS. Implication 4: iOS generally does not allow background server behavior, which reduces the chance of the serverIFL attacks on iOS. 21

Thank you! Questions? 22 Daoyuan Wu from HK PolyU

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.