nach oben

Erschienen in:

2020 | OriginalPaper | Buchkapitel

Event-Based Remote Attacks in HTML5-Based Mobile Apps

verfasst von : Phi Tuong Lau

Erschienen in: Computer Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

HTML5-based mobile apps become increasingly popular as they leverage standard web technologies such as HTML5, JavaScript, CSS for saving development cost. Like web apps, they are built using JavaScript frameworks (e.g. jQuery) for making mobile websites responsive, faster, etc. Attackers may fire the events integrated into the frameworks for reusing sensitive APIs included in apps. Once the internal functions are accessed successfully, it may cause serious consequences (e.g. resource access). Its main advantage is that it is not required to inject malicious payloads for accessing to the system resources into apps. We define this vector of attacks as event-based remote attacks.

In this paper, we present a systematic study about the event-based remote attacks. In addition, we introduce a static detection approach to detect vulnerable apps that can be exploited to launch such remote attacks. For the measurement, we performed the approach on a dataset of 2,536 HTML5-based mobile apps. It eventually flagged out 53 vulnerable apps, including 45 true positives.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Deploying Fog-to-Cloud Towards a Security Architecture for Critical Infrastructure Scenarios

Nächstes Kapitel Horizontal Attacks Against ECC: From Simulations to ASIC

Phone Gap: Build amazing mobile apps powered by open web tech. https://phonegap.com

Ionic: Ionic helps developers build and ship beautiful cross-platform hybrid apps. https://ionicframework.com/

React Native: React Native Build native mobile apps using JavaScript and React. https://facebook.github.io/react-native/

Framework 7: Full featured framework for building iOS & Android apps. https://framework7.io/

Onsen UI: The most beautiful and efficient way to develop HTML5 hybrid and mobile web apps. https://onsen.io/

Rhomobile. https://www.zebra.com/us/en/products/software/mobilecomputers/rhomobile-suite.html

Top JavaScript mobile frameworks 2018. https://www.redbytes.in/javascript-frameworks-for-mobile-app-development/

Top JavaScript mobile frameworks 2018. https://conceptainc.com/blog/best-javascript-frameworks-mobile-development/

Top JavaScript mobile frameworks 2019. https://www.mindinventory.com/blog/mobile-app-development-framework-2019/

10.

AngularJS events. https://docs.angularjs.org/api/ng/directive

11.

jQuery Mobile events. https://api.jquerymobile.com/category/events/

12.

XSS attacks. https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

13.

Georgiev, M., Jana, S., Shmatikov, V.: Breaking and fixing origin-based access control in hybrid web/mobile application frameworks. In: Network and Distributed System Security Symposium (NDSS) (2014)

14.

Jin, X., Wang, L., Luo, T., Du, W.: Fine-grained access control for HTML5-based mobile applications in android. In: Desmedt, Y. (ed.) ISC 2013. LNCS, vol. 7807, pp. 309–318. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-27659-5_22CrossRef

15.

Jin, X., et al.: Code injection attacks on HTML5-based mobile apps: characterization, detection, mitigation. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 66–77 (2014)

16.

Mao, J., Wang, R., Chen, Y., Jia, Y.: Detecting injected behaviors in HTML5-based Android applications. J. High Speed Netw. 22(1), 15–34 (2016)CrossRef

17.

Shehab, M., AlJarrah, A.: Reducing attack surface on Cordova-based hybrid mobile apps. In: Proceedings of the 2nd International Workshop on Mobile Development Lifecycle, pp. 1–8 (2014)

18.

Lau, P.T.: Scan code injection flaws in html5-based mobile applications. In: Proceedings of the 11th IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW), pp. 81–88 (2018)

19.

Hassanshahi, B., Jia, Y., Yap, R.H.C., Saxena, P., Liang, Z.: Web-to-application injection attacks on android: characterization and detection. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 577–598. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_29CrossRef

20.

Chen Y.L., Lee, H.M., Jeng, A.B., Wei, T.E.: DroidCIA: a novel detection method of code injection attacks on HTML5-based mobile apps. In: Trustcom/BigDataSE/ISPA, pp. 1014–1021 (2015)

21.

Phung, P.H., Mohanty, A., Rachapalli, R., Sridhar, M.: HybridGuard: a principal-based permission and fine-grained policy enforcement framework for web-based mobile applications. In: Security and Privacy Workshops (SPW), pp. 147–156 (2017)

22.

Yang, G., Huang, J., Gu, G., Mendoza, A.: Study and mitigation of origin stripping vulnerabilities in hybrid-postmessage enabled mobile applications. In: IEEE Symposium on Security and Privacy (SP), pp. 742–755 (2018)

23.

Yang, G., Huang, J., Gu, G.: Automated generation of event-oriented exploits in android hybrid apps. In: Network and Distributed System Security Symposium (NDSS) (2018)

24.

Yang, G., Mendoza, A., Zhang, J., Gu, G.: Precisely and scalably vetting javascript bridge in android hybrid apps. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds.) RAID 2017. LNCS, vol. 10453, pp. 143–166. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66332-6_7CrossRef

25.

Choi, H., Kim, Y.: Large-Scale analysis of remote code injection attacks in Android apps. In: Security and Communication Networks (2018)

26.

Arzt, S., et al.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM Sigplan Not. 49(6), 259–269 (2014)CrossRef

27.

Rasthofer, S., Arzt, S., Bodden, E.: A machine-learning approach for classifying and categorizing Android sources and sinks. In: Network and Distributed System Security Symposium (NDSS) (2014)

28.

Li, L., et al.: IccTA: detecting inter-component privacy leaks in Android apps. In: Proceedings of the 37th International Conference on Software Engineering, pp. 280–291 (2015)

29.

Li, L., et al.: Understanding android app piggybacking: a systematic study of malicious code grafting. IEEE Trans. Inform. Forensics Secur. 12, 1269–1284 (2017)CrossRef

30.

Zhou, W., Zhou, Y., Grace, M., Jiang, X., Zou, S.: Fast, scalable detection of piggybacked mobile applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, pp. 185–196 (2013)

31.

Feng, Y., Anand, S., Dillig, I., Aiken, A.: Apposcopy: semantics-based detection of android malware through static analysis. In: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 576–587 (2014)

32.

Gordon, M.I., Kim, D., Perkins, J.H., Gilham, L., Nguyen, N., Rinard, M.C.: Information flow analysis of Android applications in DroidSafe. In: Network and Distributed System Security Symposium (NDSS) (2015)

33.

Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Cross site scripting prevention with dynamic data tainting and static analysis. In: Network and Distributed System Security Symposium (NDSS), p. 12 (2007)

34.

Lekies, S., Stock, B., Johns, M.: 25 million flows later: large-scale detection of DOM-based XSS. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1193–1204 (2013)

35.

Stock B., Lekies S., Mueller T., Spiegel P., Johnss M.: Precise client-side protection against dom-based cross-site scripting. In: USENIX Security Symposium, pp. 655–670 (2014)

36.

Son, S., McKinley, K., S., Shmatikov, V.: Diglossia: detecting code injection attacks with precision and efficiency. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 1181–1192 (2013)

37.

Shar, L.K., Tan, H.B., K., Briand, L.C.: Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis. In: Proceedings of the International Conference on Software Engineering (ICSE), pp. 642–651 (2013)

38.

Thomé, J., Shar, L.K., Bianculli, D., Briand, L.C.: An integrated approach for effective injection vulnerability analysis of web applications through security slicing and hybrid constraint solving. In: IEEE Transactions on Software Engineering (2018)

39.

Lau, P.T.: Static detection of event-driven races in HTML5-based mobile apps. In: Ganty, P., Kaâniche, M. (eds.) VECoS 2019. LNCS, vol. 11847, pp. 32–46. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35092-5_3CrossRef

40.

TAJS framework. https://github.com/cs-au-dk/TAJS

41.

PhoneGap APIs. https://cordova.apache.org/plugins/

42.

jQuery binding APIs. https://api.jquery.com/category/events/event-handler-attachment/

43.

Third-party tools in PhoneGap. https://phonegap.com/tool/page12/

Titel: Event-Based Remote Attacks in HTML5-Based Mobile Apps
verfasst von: Phi Tuong Lau
Verlag: Springer International Publishing
Buch: Computer Security
Print ISBN: 978-3-030-42050-5

Electronic ISBN: 978-3-030-42051-2

Copyright-Jahr: 2020
DOI: https://doi.org/10.1007/978-3-030-42051-2_4

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"