Slide 1

Xing Jin, Xunchao Hu, Kailiang Ying, Wenliang Du, Heng Yin, Gautam Nagesh Peri Department of Electrical Engineering & Computer Science Syracuse University Slide 2 (a) (c) (b)(d) (g)(f)(e)(h) Slide 3 News Covered Slide 4 Outline HTML5-based Mobile App and Risk Code Injection Attacks on HTML5-based mobile apps Detection of Code Injection Attacks on HTML5-based mobile apps Mitigation of Code Injection Attacks on HTML5-based mobile apps Slide 5 HTML5-based Mobile App and Risk Slide 6 Cross Platform Application Development Windows Phone How Can I develop applications for all the platforms? Slide 7 Overview of HTML5-based Mobile App PhoneGap Device Accelerometer Camera Compass Contacts File Geolocation Notification WebView HTML CSS JavaScript addJavascriptInterface() Advantage: Can be easily ported between different platforms Disadvantage: Need to build the bridge between JavaScript and native resources Slide 8 Overview of PhoneGap Architecture Slide 9 Risks in HTML5-based Mobile App (JavaScript) Data and code can be mixed together. var text="Hello! alert('hello') "; document.write(text); Once it runs, the data will be displayed, and the JavaScript code will also be executed. Slide 10 Code Injection Attacks on HTML5-based Mobile App Slide 11 Cross-Site Scripting Attack (XSS) Slide 12 Overview of our Attack Much broader attack surface Slide 13 Condition1: Attack Channels NFC SMS MP3 Slide 14 Condition2: Display APIs(Triggering Code) In our sample set (15,510 apps), 93% of apps use at least one unsafe APIs/attributes at least one time Slide 15 Vulnerable Code Example document.addEventListener("deviceready", onDeviceReady, false); function onDeviceReady() { window.plugins.barcodeScanner.scan(0, onSuccess, onError); } function onSuccess(result) { $("#display").html(result.text); } function onError(contactError) { alert('onError!'); } function unrealted() { alert(Unrelated functio); } document.addEventListener("deviceready", onDeviceReady, false); function onDeviceReady() { window.plugins.barcodeScanner.scan(0, onSuccess, onError); } function onSuccess(result) { $("#display").html(result.text); } function onError(contactError) { alert('onError!'); } function unrealted() { alert(Unrelated functio); } Condition 1 (channel: barcode) Condition 2 (Vulnerable API:html) Slide 16 Achieving Damage 1 2 3 1.Directly Attack System Resources 2.Propagate to other Apps 3.Propagate to other Devices Slide 17 Real Vulnerable App Example Malicious QR code Vulnerable App (Android, iOS, Windows Phone) Being Traced Slide 18 Real Vulnerable App Example The malicious code injected in the QR codeUse HTML5 Geolocation API to get Location Alert location information for demonstration purpose Real damage, send location information to remote server Slide 19 Detection of Code Injection Attacks on HTML5-based Mobile App Slide 20 Derive Data Flow Problem Data Retrieved Using PhoneGap API Vulnerable Display APIs Sink Source Slide 21 Challenges C1: Mixture of application and framework code C2: Difficulties in static analysis on JavaScript C3: Dynamic loaded content document.addEventListener("deviceready", onDeviceReady, false); function onDeviceReady() { window.plugins.barcodeScanner.scan(0,onSuccess, onError); } document.addEventListener("deviceready", onDeviceReady, false); function onDeviceReady() { window.plugins.barcodeScanner.scan(0,onSuccess, onError); } C3 C2 C1 Slide 22 Framework Modeling Goal: connect data flow within PhoneGap Framework PhoneGap Framework Model Data Flow window = { plugins: { barcodeScanner:{ scan: function scan (mode,suc,err) { exec(suc, err, scan,[mode]); }}}} exec:function exec(suc,err,plugin,op,arg){ var dat = fake; suc(dat); err(dat); } Windows.plugins.barcodeScanner. scan(0, onSuccess, onError); Slide 23 Static Taint Analysis on Slice Goal: Accurate detect taint slice by backward slice from vulnerable APIs document.addEventListener("deviceready", onDeviceReady, false); function onDeviceReady() { window.plugins.barcodeScanner.scan(0,onSucc ess, onError); } function onSuccess(result) { $("#display").html(result.text); } function onError(contactError) { alert('onError!'); } document.addEventListener("deviceready", onDeviceReady, false); function onDeviceReady() { window.plugins.barcodeScanner.scan(0,onSucc ess, onError); } function onSuccess(result) { $("#display").html(result.text); } function onError(contactError) { alert('onError!'); } window.plugins.barcodeScanner.scan (Source) window.plugins.barcodeScanner.scan (Source) OnSuccess().html() (Sink).html() (Sink) Slide 24 Evaluation 15,510 apps from the official Google Play Market Hardware spec: Intel Core i7-2600 3.4 GHz with 16 GB RAM. Average processing time : 15.38 sec/app 478/15,510 flagged as vulnerable False positive rate: 2.30% (because of dead code) Performance Accuracy Slide 25 Case Study (The most powerful ones) Selected 20 apps (most powerful ones) Slide 26 Other Static Analysis in Android Privilege escalation (Permission) Component Hijacking (Intent) SSL/TLS StowawayChexSMV-HUNTER Pscout Woodpecker ContentScope MalloDroid ComDroidAppSealerCryptoLint Slide 27 Mitigation of Code Injection Attacks on HTML5-based Mobile App Slide 28 Mitigation PhoneGap App PhoneGap Framework (Java) Plugins (Java) Plugins (Java) Camera Contact SMS Bridge Plugin Manager Plugin Manager Filter (jsoup) Filter (jsoup) JSMessage Queue JSMessage Queue WebView HTML5 CSS JavaScript HTML5 CSS JavaScript addJavascript -interface ResourcesResources Slide 29 WiFi Demo (SSID Length Limitation) (need to usejQuery) 32 Each SSID < 32 Slide 30 Demo (Video) www.cis.syr.edu/~wedu/android/JSCodeInjection/index.html Slide 31 Conclusion Presented a systematic study of Code Injection Attacks on HTML5- based mobile Apps Designed and implemented a tool to automatic detect the vulnerabilities in HTML5-based mobile App Implemented a prototype (NoInjection) as a patch to the PhoneGap framework in Android to mitigate the attack Slide 32 Thanks! Q & A Would you scan this?