Code Injection Attacks on HTML5-based Mobile Apps
Xing Jin, Tongbo Luo, Derek G. Tsui, Wenliang Du
Department of Electrical Engineering & Computer Science, Syracuse University


XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps


Outline

  • Background
      • Overview of HTML5-based Mobile App
      • Overview of PhoneGap Architecture
      • Risks in JavaScript
  • Code Injection Attacks on HTML5-based mobile apps
      • Overview of the Attack
      • Channels of the Attack
      • Examples (WiFi, NFC, MP3)
      • Length limitation
  • Real Vulnerable Cases
  • Future Work

Overview of HTML5-based Mobile App

[Diagram labels: WebView (HTML, CSS, JavaScript); PhoneGap (Device, Accelerometer, Camera, Compass, Contacts, File, Geolocation, Notification); addJavascriptInterface()]

Advantage: Can be easily ported between different platforms

Overview of PhoneGap Architecture

Risks in JavaScript

Data and code can be mixed together.

    var text = "Hello!<script>alert('hello')</script>";
    document.write(text);

Once it runs, the data will be displayed, and the JavaScript code will also be executed.

Overview of the Attack

Channels of XDS Attack

  • ID Channels (WiFi, Bluetooth)
  • Data Channels Unique to Mobile Devices (NFC, Barcode, SMS)
  • Metadata Channels (MP3, MP4, Image)

We group the channels identified in this paper into three categories. The first is ID channels: code can be embedded in identifiers such as the WiFi SSID or the Bluetooth name. The second is data channels unique to mobile devices, including NFC, barcode and SMS. The third is metadata channels: media files such as MP3, MP4 and images use metadata to describe details of the file, including artist, album and model, and code can be injected into these metadata fields as well. Next, I will pick one example from each category to show how the attack works.

Example 1 (WiFi)

Screenshots: Non-PhoneGap WiFi-Finder; PhoneGap WiFi-Finder

Example 2 (NFC)

Screenshots: Non-PhoneGap NFC App; PhoneGap NFC App

Example 3 (MP3)

Screenshots: PhoneGap MP3 App; Non-PhoneGap MP3 App

http://www.cis.syr.edu/~wedu/attack

Length Limitation of Channels

Overcome the limitation

  • Use external JS files: ( will be filtered out by innerHTML)
  • Split JS code into pieces: (need to use jQuery)

Real Vulnerable Cases

  • Downloaded 764 PhoneGap apps from Google Play
  • Found several vulnerable apps that satisfy two attack conditions:
      • they read external data from the channels that we have identified
      • they use vulnerable APIs or attributes to display information from the channels
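
The second attack condition, shown from the defender's side as an added example (not code from the slides or from PhoneGap): the same constructed scan results rendered through a vulnerable string-concatenation path and through an escaping path, plus a small audit helper. The names scanResults, renderUnsafe, renderSafe, escapeHtml and unexpectedTags are hypothetical.

```javascript
// Added example, not from the slides. All names are hypothetical.
// Constructed scan results: the second SSID carries markup, as an
// access point named by an untrusted party could.
const scanResults = [
  { ssid: "CoffeeShop-Guest", rssi: -48 },
  { ssid: "Hello!<script>alert('hello')</script>", rssi: -61 },
];

// Vulnerable pattern: channel data is concatenated into markup, so the
// WebView parses the SSID as HTML once the string reaches an HTML sink
// such as document.write() or innerHTML.
function renderUnsafe(networks) {
  return networks
    .map(n => "<li>" + n.ssid + " (" + n.rssi + " dBm)</li>")
    .join("");
}

// Hardened pattern: encode the HTML-significant characters so the SSID
// can only ever be text. In a WebView, assigning the value to
// textContent instead of innerHTML achieves the same result.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ENTITIES[ch]);
}
function renderSafe(networks) {
  return networks
    .map(n => "<li>" + escapeHtml(n.ssid) + " (" + Number(n.rssi) + " dBm)</li>")
    .join("");
}

// Audit helper: report tag names in rendered markup that the template
// itself never emits. Any hit means channel data was parsed as HTML.
function unexpectedTags(markup, allowed = ["li"]) {
  const found = new Set();
  for (const m of markup.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag)) found.add(tag);
  }
  return [...found];
}

console.log("unsafe:", unexpectedTags(renderUnsafe(scanResults)));
console.log("safe:  ", unexpectedTags(renderSafe(scanResults)));
```
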

Screenshots: Non-PhoneGap App; PhoneGap App; Information sent to Server

The code injected in the QR code

Future Work

  • Large-scale analysis of HTML5-based mobile apps
  • Solution to address the attack

Thanks! Q & A