A Large-Scale Study of Mobile Web App Security Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna.

Slides:

Advertisements

Similar presentations

Advertisements

THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.

Mobile App Development Using: Presented by Tyler Richey Images from

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

An Evaluation of the Google Chrome Extension Security Architecture

Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Code Access Security vs. Role-Based Security  RBS  Security identity attached to user accounts  Access to resources specified according to user’s group.

Cosc 4755 Blackberry and Android Embedding the browser in your app.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Mobile Malware John Mitchell CS 155 Spring Outline Mobile malware – Common cases involve command and control, information theft Identifying malware.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

CS378 - Mobile Computing Web - WebView and Web Services.

BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.

Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.

Building Native Mapping Apps with PhoneGap: Advanced Techniques

CS378 - Mobile Computing Web - WebView and Web Services.

Securing Embedded User Interfaces: Android and Beyond Franziska Roesner and Tadayoshi Kohno University of Washington Mohamed Grissa A presentation of USENIX.

Chapter 8 Cookies And Security JavaScript, Third Edition.

Asst Prof. Saeed Ahmadi Software Engineering CSF Kabul University 1.

User Interface Toolkit Mechanisms For Securing Interface Elements Franziska Roesner, James Fogarty, Tadayoshi Kohno Computer Science & Engineering DUB.

Extending HTML CPSC 120 Principles of Computer Science April 9, 2012.

WEB SCIENCE. What is the difference between the Internet and the World Wide Web? Internet is the entire network of connected computers and routers used.

Networking: Part 1 (Web Content). Networking with Android Android provides A full-featured web browser based on Chromium, the open source browser engine.

2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.

October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University

JavaScript, jQuery, and Mashups Incorporating JavaScript, jQuery, and other Mashups into existing pages.

Lecture 9: AJAX, Javascript review..  AJAX  Synchronous vs. asynchronous browsing.  Refreshing only “part of a page” from a URL.  Frameworks: Prototype,

JS Basics 1 Lecture JavaScript - Basics. JS Basics 2 What is JavaScript JavaScript is a “simple”, interpreted, programming language with elementary object-

Enhancing JavaScript with Transactions Mohan Dhawan †, Chung-chieh Shan ‡ and Vinod Ganapathy † † Department of Computer Science, Rutgers University ‡

SERVICE DESK PERSPECTIVE MyBYU / Mobile App / Mobile Browser.

Google App Engine in Google Apps Deploying Google App Engine applications to Google Apps +

Webview and Web services. Web Apps You can make your web content available to users in two ways in a traditional web browser in an Android application,

Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.

Lesson 16. Practical Application 1 We can take advantage of JavaScript and the DOM, to set up a form so that the first text box of a form automatically.

Understanding JavaScript and Coding Essentials Lesson 8.

Bundles, Minification Andres Käver, IT Kolledž

Java Programming: Advanced Topics 1 Building Web Applications Chapter 13.

PRESENTERS: AMOL KOKJE, STEVEN OSBURN, SUNIT VERMA, TOSHA SHAH, KALP PARIKH Vetting Mobile Apps.

Chapter 6 Murach's JavaScript and jQuery, C6© 2012, Mike Murach & Associates, Inc.Slide 1.

What web developers need to know when building Metro style apps Scott Dickens Principal Program Manager Lead Microsoft Corporation DEV352.

© 2016 Cengage Learning®. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. Android Boot Camp.

Cosc 5/4730 Embedding the browser in your app. Embedding the browser For many applications, you may not nothing more then the web browser – But you want.

By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,

Developing for Chromecast Cast Companion Library & Custom Receiver Application.

Web designing company in Bangalore Web designing company in Bangalore Quuick- Web Designing, Web Development, Mobile App Development & Android App Development.

CS 155 Spring 2016 Mobile Malware John Mitchell.

Mobile Device and Platform Security – Part II

Presented By – Nikhil PAwar

PhoneGap, Processing.

Build in Objects In JavaScript, almost "everything" is an object.

Android Application Web 1.

CSE 154 Lecture 11: AJAx.

Not a Language but a series of techniques

Are these ads safe? Detecting hidden attacks through the mobile app-web interface Vaibhav Rastogi, Rui Shao, Yan Chen, Xiang Pan, Shihong Zou, and Ryan.

WebView and Web Services

Mobile App ux/ ui design In High Quality.

CSE 154 Lecture 11: AJAx.

Session V HTML5 APIs - AJAX & JSON

Target Fragmentation in Android Apps

Analyzing WebView Vulnerabilities in Android Applications

CSE 154 Lecture 22: AJAX.

Asynchronous Javascript And XML

Events Comp 205 Fall 2017.

HTML5 AJAX & JSON APIs

Mobile Device and Platform Security – Part II

Client-Server Model: Requesting a Web Page

Introduction to JavaScript

CIS 136 Building Mobile Apps

Presentation transcript:

A Large-Scale Study of Mobile Web App Security Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna

The big picture

Hundreds of thousands of vulnerable apps

Definitions

A Large-Scale Study of Mobile Web App Security

A mobile web app is… … an app that embeds a fully functional web browser as a UI element.

A Large-Scale Study of Mobile Web App Security

1,172,610 Android apps

998,286 w/ WebViews

A Large-Scale Study of Mobile Web App Security

1.Loading untrusted web content 2.Leaking URLs to foreign apps 3.Exposing state changing navigation to foreign apps

1.Loading untrusted web content 2.Leaking URLs to foreign apps 3.Exposing state changing navigation to foreign apps

“You should restrict the web-pages that can load inside your WebView with a whitelist.” - Facebook

“…only loading content from trusted sources into WebView will help protect users.” - Adrian Ludwig, Google

Goal: Find apps that load untrusted content in WebViews

1. Navigate to untrusted content

// In app code myWebView.loadUrl(“foo.com”);

// In app code myWebView.load(“foo.com”); click!

// In app code myWebView.load(“foo.com”); click!

// In app code myWebView.loadUrl(“foo.com”); click! // In JavaScript window.location = “foo.com”;

public boolean shouldOverrideUrlLoading( WebView view, String url){ // False -> Load URL in WebView // True -> Prevent the URL load }

public boolean shouldOverrideUrlLoading( WebView view, String url){ String host = new URL(url).getHost(); if(host.equals(“stanford.edu”)) return false; log(“Overrode URL: ” + url); return true; }

public boolean shouldOverrideUrlLoading( WebView view, String url){ String host = new URL(url).getHost(); if(host.equals(“stanford.edu”)) return false; log(“Overrode URL: ” + url); return true; }

public boolean shouldOverrideUrlLoading( WebView view, String url){ String host = new URL(url).getHost(); if(host.equals(“stanford.edu”)) return false; log(“Overrode URL: ” + url); return true; }

What does untrusted mean?

2. Load content with HTTP

3. Use HTTPS unsafely

public void onReceivedSslError( WebView view, SslErrorHandler handler, SslError error){ // handler.cancel() -> cancel the load // handler.proceed() -> ignore the error }

public void onReceivedSslError( WebView view, SslErrorHandler handler, SslError error){ handler.proceed(); }

public void onReceivedSslError( WebView view, SslErrorHandler handler, SslError error){ handler.proceed(); }

Results

Vulnerability% Relevant% Vulnerable Unsafe Nav HTTP Unsafe HTTPS 27 29

Popularity

Outdated Apps

29% unsafe nav Libraries

29% unsafe nav Libraries 51% HTTP

29% unsafe nav Libraries 51% HTTP 53% unsafe HTTPS

Takeaways

Apps must not load untrusted content into WebViews

Takeaways Apps must not load untrusted content into WebViews Able to identify violating apps using static analysis

Takeaways Apps must not load untrusted content into WebViews Able to identify violating apps using static analysis Vulnerabilities are present in the entire app ecosystem

Questions?