Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks

Georgiev, Martin; Jana, Suman; Shmatikov, Vitaly

doi:10.14722/ndss.2014.23323

Cited by 64 publications

(61 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, as shown in prior work [19], [26], such a feature also introduces potential security flaws. More specially, it opens a bridge that links web code to^Ğ However, up to now it still remains unclear how adversaries involve the event handler feature in their attack vectors in practice.…”

Section: Introductionmentioning

confidence: 93%

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

Yang

Huang

2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-Recently more and more Android apps integrate the embedded browser, known as "WebView", to render web pages and run JavaScript code without leaving these apps. WebView provides a powerful feature that allows event handlers defined in the native context (i.e., Java in Android) to handle web events that occur in WebView. However, as shown in prior work, this feature suffers from remote attacks, which we generalize as EventOriented Exploit (EOE) in this paper, such that adversaries may remotely access local critical functionalities through event handlers in WebView without any permission or authentication.In this paper, we propose a novel approach, EOEDroid, which can automatically vet event handlers in a given hybrid app using selective symbolic execution and static analysis. If a vulnerability is found, EOEDroid also automatically generates exploit code to help developers and analysts verify the vulnerability. To support exploit code generation, we also systematically study web events, event handlers and their trigger constraints.We evaluated our approach on 3,652 most popular apps. The result showed that our approach found 97 total vulnerabilities in 58 apps, including 2 cross-frame DOM manipulation, 53 phishing, 30 sensitive information leakage, 1 local resources access, and 11 Intent abuse vulnerabilities. We also found a potential backdoor in a high profile app that could be used to steal users' sensitive information, such as IMEI. Even though developers attempted to close it, EOEDroid found that adversaries were still able to exploit it by triggering two events together and feeding event handlers with well designed input.

show abstract

Section: Introductionmentioning

confidence: 93%

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

Yang

Huang

2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Furthermore, WebView enforces the standard same origin policy [8,42] on the displayed content. An advertising creative displayed in a WebView can interact with the host app through exposed bridge objects [19], but an AdSDK can restrict which bridges are available in its WebViews.…”

Section: Mobile Ad Isolationmentioning

confidence: 99%

What Mobile Ads Know About Mobile Users

Son

Kim

Shmatikov

2016

Proceedings 2016 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Abstract-We analyze the software stack of popular mobile advertising libraries on Android and investigate how they protect the users of advertising-supported apps from malicious advertising. We find that, by and large, Android advertising libraries properly separate the privileges of the ads from the host app by confining ads to dedicated browser instances that correctly apply the same origin policy.We then demonstrate how malicious ads can infer sensitive information about users by accessing external storage, which is essential for media-rich ads in order to cache video and images. Even though the same origin policy prevents confined ads from reading other apps' external-storage files, it does not prevent them from learning that a file with a particular name exists. We show how, depending on the app, the mere existence of a file can reveal sensitive information about the user. For example, if the user has a pharmacy price-comparison app installed on the device, the presence of external-storage files with certain names reveals which drugs the user has looked for.We conclude with our recommendations for redesigning mobile advertising software to better protect users from malicious advertising.

show abstract

“…To limit the typical web application threats, WebViews are re-using the wellknown security mechanism from web browsers such as the same-origin policy [10]. Moreover, WebViews are separated from the regular web browsers on Android, e. g., WebViews have their own cache and cookie store.…”

Section: Security Considerations For Cordova Appsmentioning

confidence: 99%

“…Moreover, WebViews are separated from the regular web browsers on Android, e. g., WebViews have their own cache and cookie store. Still, there are subtle differences that make implementing secure Cordova apps even for experienced web application developers a challenge [9,10].…”

Section: Security Considerations For Cordova Appsmentioning

confidence: 99%

“…There have been several works introducing more fine-grained access control mechanism for the cross-language interface in hybrid mobile apps, particularly Cordova, such as NoFrak [10], MobileIFC [22], and others [12,21]. They all identified the breach of the sandbox security and that Cordova fails to restrict access to plugins by untrusted JavaScript code as the major security and privacy concern.…”

Section: Security Considerations For Cordova Appsmentioning

confidence: 99%

See 1 more Smart Citation

On the Static Analysis of Hybrid Mobile Apps

Brucker

Herzberg²

2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Developing mobile applications is a challenging business: developers need to support multiple platforms and, at the same time, need to cope with limited resources, as the revenue generated by an average app is rather small. This results in an increasing use of cross-platform development frameworks that allow developing an app once and offering it on multiple mobile platforms such as Android, iOS, or Windows. Apache Cordova is a popular framework for developing multi-platform apps. Cordova combines HTML5 and JavaScript with native application code. Combining web and native technologies creates new security challenges as, e. g., an XSS attacker becomes more powerful. In this paper, we present a novel approach for statically analysing the foreign language calls. We evaluate our approach by analysing the top Cordova apps from Google Play. Moreover, we report on the current state of the overall quality and security of Cordova apps.

show abstract

Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks

Cited by 64 publications

References 13 publications

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

Automated Generation of Event-Oriented Exploits in Android Hybrid Apps

What Mobile Ads Know About Mobile Users

On the Static Analysis of Hybrid Mobile Apps

Contact Info

Product

Resources

About