nach oben

Erschienen in:

2019 | OriginalPaper | Buchkapitel

Droids in Disarray: Detecting Frame Confusion in Hybrid Android Apps

verfasst von : Davide Caputo, Luca Verderame, Simone Aonzo, Alessio Merlo

Erschienen in: Data and Applications Security and Privacy XXXIII

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Frame Confusion is a vulnerability affecting hybrid applications which allows circumventing the isolation granted by the Same-Origin Policy. The detection of such vulnerability is still carried out manually by application developers, but the process is error-prone and often underestimated. In this paper, we propose a sound and complete methodology to detect the Frame Confusion on Android as well as a publicly-released tool (i.e., FCDroid) which implements such methodology and allows to detect the Frame Confusion in hybrid applications, automatically. We also discuss an empirical assessment carried out on a set of 50K applications using FCDroid, which revealed that a lot of hybrid applications suffer from Frame Confusion. Finally, we show how to exploit Frame Confusion on a news application to steal the user’s credentials.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Is My Phone Listening in? On the Feasibility and Detectability of Mobile Eavesdropping

Nächstes Kapitel Geo-Graph-Indistinguishability: Protecting Location Privacy for LBS over Road Networks

http://gs.statcounter.com/os-market-share/mobile/worldwide.

https://cordova.apache.org/docs/en/latest/guide/appdev/security/index.html#iframes-and-the-callback-id-mechanism.

https://www.owasp.org/index.php/Man-in-the-middle_attack.

FCDroid is available at https://www.fcdroid.com.

https://repo.xposed.info/.

https://www.gnu.org/software/wget/.

https://www.owasp.org/index.php/DOM_Based_XSS.

The complete list of experimental results is available at https://www.fcdroid.com/results.

https://play.google.com/store/apps/details?id=com.estsoft.android.ytn.

We responsibly disclosed our finding to the app developers in January 2019.

Thomas, D.R., Beresford, A.R., Coudray, T., Sutcliffe, T., Taylor, A.: The lifetime of Android API vulnerabilities: case study on the JavaScript-to-Java interface. In: Christianson, B., Švenda, P., Matyáš, V., Malcolm, J., Stajano, F., Anderson, J. (eds.) Security Protocols 2015. LNCS, vol. 9379, pp. 126–138. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26096-9_13CrossRef

AndroidRank: Androidrank market data (2018). https://www.androidrank.org/

Aonzo, S., Merlo, A., Tavella, G., Fratantonio, Y.: Phishing attacks on modern android. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), Toronto, Canada, October 2018

Backes, M., Gerling, S., Styprekowsky, P.V.: A Local Cross-Site Scripting Attack against Android Phones, pp. 1–6. Saarland University (2011). http://www.infsec.cs.uni-saarland.de/projects/android-vuln/

Bai, J., Wang, W., Qin, Y., Zhang, S., Wang, J., Pan, Y.: BridgeTaint: a bi-directional dynamic taint tracking method for JavaScript bridges in Android hybrid applications. IEEE Trans. Inf. Forensics Secur. 14(3), 677–692 (2019). https://doi.org/10.1109/TIFS.2018.2855650CrossRef

Bao, W., Yao, W., Zong, M., Wang, D.: Cross-site scripting attacks on android hybrid applications. In: Proceedings of the 2017 International Conference on Cryptography, Security and Privacy - ICCSP 2017, pp. 56–61. ACM Press, New York (2017). https://doi.org/10.1145/3058060.3058076, http://dblp.uni-trier.de/db/conf/iccsp/iccsp2017.html

Bhavani, A.B.: Cross-site scripting attacks on Android WebView. Int. J. Comput. Sci. Netw. 2(2), 1–5 (2013)

Chen, Y.L., Lee, H.M., Jeng, A.B., Wei, T.E.: DroidCIA: a novel detection method of code injection attacks on HTML5-based mobile apps. In: 2015 Proceedings of 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, vol. 1, pp. 1014–1021 (2015). https://doi.org/10.1109/Trustcom.2015.477

Chin, E., Wagner, D.: Bifocals: analyzing WebView vulnerabilities in Android applications. In: Kim, Y., Lee, H., Perrig, A. (eds.) WISA 2013. LNCS, vol. 8267, pp. 138–159. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-05149-9_9CrossRef

10.

Content Security Policy: Content security policy (2016). http://content-security-policy.com, https://developers.google.com/web/fundamentals/security/csp/

11.

Apache Cordova: (2018). https://cordova.apache.org/

12.

Cortesi, A., Hils, M., Kriechbaumer, T., Contributors: mitmproxy: a free and open source interactive HTTPS proxy (Version 4.0) (2010). https://mitmproxy.org/

13.

Erlend, O.: RetireJS - Scanner detecting the use of JavaScript libraries with known vulnerabilities (2019). https://retirejs.github.io/retire.js/

14.

Gruver, B.: Smali - Assembler/Disassembler for the dex format (2019). http://github.com/JesusFreke/smali/

15.

Hu, J.: A tale of two cities : how WebView induces bugs to Android applications, vol. 1, pp. 702–713 (2018). https://doi.org/10.1145/3238147.3238180

16.

JavascriptInterface: (2019). https://developer.android.com/reference/android/webkit/JavascriptInterface

17.

Jin, X., Hu, X., Ying, K., Du, W., Yin, H., Peri, G.N.: Code injection attacks on HTML5-based mobile apps. In: Proceedings of 2014 ACM SIGSAC Conference on Computer and Communications Security - CCS 2014, pp. 66–77 (2014). https://doi.org/10.1145/2660267.2660275

18.

Lee, S., Dolby, J., Ryu, S.: HybriDroid: static analysis framework for Android hybrid applications. In: Proceedings of 31st IEEE/ACM Int. Conference on Automated Software Engineering - ASE 2016, pp. 250–261 (2016). http://dl.acm.org/citation.cfm?doid=2970276.2970368

19.

Li, L., et al.: Static analysis of android apps: a systematic literature review. Inf. Softw. Technol. 88, 67–95 (2017). https://doi.org/10.1016/j.infsof.2017.04.001CrossRef

20.

Li, T., et al.: Unleashing the walking dead : understanding cross-app remote infections on mobile WebViews. In: CCS, pp. 829–844 (2017). https://doi.org/10.1145/3133956.3134021, https://acmccs.github.io/papers/p829-liA.pdf

21.

Li, Y., Yang, Z., Guo, Y., Chen, X.: DroidBot: a lightweight UI-guided test input generator for android. In: Proceedings of 2017 IEEE/ACM 39th International Conference on Software Engineering Companion, ICSE-C 2017, pp. 23–26 (2017). https://doi.org/10.1109/ICSE-C.2017.8

22.

Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on WebView in the Android system. In: Proceedings of the 27th Annual Computer Security Applications Conference on - ACSAC 2011, p. 343 (2011). https://doi.org/10.1145/2076732.2076781

23.

Neugschwandtner, M., Lindorfer, M., Platzer, C.: A view to a kill: WebView exploitation. In: LEET (2013). http://publik.tuwien.ac.at/files/PubDat_223415.pdf

24.

Das Patnaik, N., Sabyasachi Sahoo, S.: JSPrime (2013). https://dpnishant.github.io/jsprime/

25.

OWASP: using components with known vulnerabilities (2017). https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities

26.

Adobe PhoneGap: (2018). https://phonegap.com/

27.

Rizzo, C., Cavallaro, L., Kinder, J.: BabelView: evaluating the impact of code injection attacks in mobile Webviews (2017). http://arxiv.org/abs/1709.05690

28.

Sedol, S., Johari, R.: Survey of cross-site scripting attack in Android Apps. Int. J. Inf. Comput. Technol. 4(11), 1079–1084 (2014)

29.

w3: Sandbox attribute (2018). https://www.w3.org/wiki/Html/Elements/iframe

30.

WebSetting: (2019). https://developer.android.com/reference/android/webkit/websettings

31.

WebView: (2019). https://play.google.com/store/apps/details?id=com.google.android.webview&hl=en

32.

WebViewSafeBrowsing: (2018). https://developer.android.com/guide/webapps/managing-webview

33.

WebViewSecurity: (2017). https://android-developers.googleblog.com/2017/06/whats-new-in-webview-security.html

34.

Wiśniewski, R., Tumbleson, C.: Apktool A tool for reverse engineering Android apk files (2018). http://ibotpeaches.github.io/Apktool/

35.

Yan, R., Xiao, X., Hu, G., Peng, S., Jiang, Y.: New deep learning method to detect code injection attacks on hybrid applications. J. Syst. Softw. 137, 67–77 (2018). https://doi.org/10.1016/j.jss.2017.11.001CrossRef

Titel: Droids in Disarray: Detecting Frame Confusion in Hybrid Android Apps
verfasst von: Davide Caputo
Luca Verderame
Simone Aonzo
Alessio Merlo
Verlag: Springer International Publishing
Buch: Data and Applications Security and Privacy XXXIII
Print ISBN: 978-3-030-22478-3

Electronic ISBN: 978-3-030-22479-0

Copyright-Jahr: 2019
DOI: https://doi.org/10.1007/978-3-030-22479-0_7

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner