How the Attack Works
What Makes an App Vulnerable
First, this app should be based on the HTML5-based technology, i.e., its code (or part of its code) is written in JavaScript. If the app is written using the language native to the platform (e.g. Java for Andrid and Object-C for iOS), it is immune to this type of attacks.
Second, there should exists a channel for the app to receive data from outside. The data can be from outside of the device (such as scanning 2D barcode) or from another app on the same device (such as the Contact list).
Third, the app needs to display the information from outside. The choice of the APIs to display the informatin is critical. Some APIs are safe, but many of them are not.
How the Attack Works
The following video explains how the attack works. For full details, see our paper.
The following diagram depicts how the attack works.
External Data Channels
The following channels can be used by attackers to inject malicious JavaScript code into a victim's device:
- ID channels
- SSID field of Wi-Fi access points
- Device name of Bluetooth devices
- Data channels unique to mobile
- 2D barcode such as QR code
- SMS messages
- Contents in NFC tags
- RDS fields of FM radio
- Metadata channels (Metadata fields in multimedia files)
- Image files such as JPEG
- Audio files such as MP3
- Video files such as MP4
Internal Data Channels
The following channels can be used by another app on the same device to inject malicious JavaScript code into a vulnerable HTML5-based apps (our study was only conducted on Android; you should be able to find similar channels in other platforms):
- Content Provider
- Contact
- Calendar
- User dictionary
- Call Log
- Browser history and bookmarks
- Sync adapter
- Profile
- Intent
- External storage
Unsafe JavaScript APIs
A number of JavaScript APIs can be used for displaying data. The following table shows whether they are safe against our attacks or not. It also shows the percentage of the apps (among 764 samples that we have studied) that use these APIs at least once. We have highlighted those that are popular and unsafe. An important observation is that the use of safe APIs is not common.
| DOM APIs and Attributes | Safe (✓) or Not (✗)? | Usages |
|---|---|---|
| document.write() | ✗ | 6.80% |
| appendChild() | ✗ | 5.89% |
| innerHTML/outerHTML | ✗ | 6.02% |
| innerText/outerText | ✓ | 1.83% |
| textContent | ✓ | 3.27% |
| jQuery APIs | Safe (✓) or Not (✗)? | Usages |
| html() | ✗ | 16.36% |
| append()/prepend() | ✗ | 17.28% |
| before()/after() | ✗ | 7.33% |
| add() | ✗ | 5.24% |
| replaceAll()/replaceWith() | ✗ | 0.52% |
| text() | ✓ | 4.19% |
Frameworks Affected
PhoneGap is the most popular framework for HTML5-based app development, and our studies are mostly based on PhoneGap apps. There are other frameworks, such as RhoMobile, Appcelerator, etc. We have only tested several of them, and found them similarily vulnerable.
| Frameworks | Vulnerable or Not? |
|---|---|
| PhoneGap | Vulnerable |
| MoSync | Vulnerable |
| RhoMobile | Vulnerable |
| Sencha Touch | Vulnerable |
| Quickconnect | Investigation in progress |
| Appcelerator | Investigation in progress |
| Mulberry | Investigation in progress |
| Flex | Investigation in progress |
| jQuery Mobile | Investigation in progress |
| Mojito | Investigation in progress |
Team
- Advisor: Kevin Du
- Emir Demirdag
- Diana Jackson
- Xing Jin
- Tongbo Luo
- Nagesh Gautam Peri
- Derek Tsui
- Kailiang Ying
Technical Reports
News Coverage
Contact Us
Email: wedu@syr.edu
Tel: (315) 443-9180
Address:
4-206 CST Building
Department of EECS
Syracuse University
Syracuse, NY 13244