What Makes an App Vulnerable

First, the app must be built on HTML5-based technology, i.e., its code (or part of its code) is written in JavaScript. If the app is written in the language native to the platform (e.g., Java for Android and Objective-C for iOS), it is immune to this type of attack.

Second, there must exist a channel through which the app receives data from outside. The data can come from outside the device (such as a scanned 2D barcode) or from another app on the same device (such as the Contact list).

Third, the app needs to display the information from outside. The choice of the APIs used to display the information is critical. Some APIs are safe, but many of them are not.

How the Attack Works

The following video explains how the attack works. For full details, see our paper.

The following diagram depicts how the attack works.


External Data Channels

The following channels can be used by attackers to inject malicious JavaScript code into a victim's device:

  • ID channels
    • SSID field of Wi-Fi access points
    • Device name of Bluetooth devices
  • Data channels unique to mobile
    • 2D barcode such as QR code
    • SMS messages
    • Contents in NFC tags
    • RDS fields of FM radio
  • Metadata channels (Metadata fields in multimedia files)
    • Image files such as JPEG
    • Audio files such as MP3
    • Video files such as MP4

Internal Data Channels

The following channels can be used by another app on the same device to inject malicious JavaScript code into vulnerable HTML5-based apps (our study was only conducted on Android; you should be able to find similar channels on other platforms):

  • Content Provider
    • Contact
    • Calendar
    • User dictionary
    • Call Log
    • Browser history and bookmarks
    • Sync adapter
    • Profile
  • Intent
  • External storage

Unsafe JavaScript APIs

A number of JavaScript APIs can be used for displaying data. The following table shows whether they are safe against our attacks or not. It also shows the percentage of the apps (among 764 samples that we have studied) that use these APIs at least once. We have highlighted those that are popular and unsafe. An important observation is that the use of safe APIs is not common.

| DOM APIs and Attributes | Safe (✓) or Not (✗)? | Usages |
|---|---|---|
| document.write() | | 6.80% |
| appendChild() | | 5.89% |
| innerHTML/outerHTML | | 6.02% |
| innerText/outerText | | 1.83% |
| textContent | | 3.27% |

| jQuery APIs | Safe (✓) or Not (✗)? | Usages |
|---|---|---|
| html() | | 16.36% |
| append()/prepend() | | 17.28% |
| before()/after() | | 7.33% |
| add() | | 5.24% |
| replaceAll()/replaceWith() | | 0.52% |
| text() | | 4.19% |
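
An added example, not code from the original page or from the authors' study: a small Node.js triage scanner that flags lines where an HTML-parsing display API from the table above receives non-constant data, while leaving text-only APIs such as text() and textContent alone. The sink classification, the name `findDynamicHtmlSinks` and the sample app lines are assumptions of this example; the regexes are heuristics and will also match unrelated methods that share these names.

```javascript
// Added example (not from the original page): triage scan of app JavaScript
// for display sinks that parse their argument as HTML. Which APIs count as
// HTML-parsing is this example's assumption, based on documented API behaviour.
const HTML_SINKS = [
  { name: 'document.write()', re: /\bdocument\.write(?:ln)?\s*\(/ },
  { name: 'innerHTML/outerHTML', re: /\.(?:inner|outer)HTML\s*\+?=(?!=)/ },
  { name: 'html()', re: /\.html\s*\(/ },
  { name: 'append()/prepend()', re: /\.(?:append|prepend)\s*\(/ },
  { name: 'before()/after()', re: /\.(?:before|after)\s*\(/ },
  { name: 'replaceWith()', re: /\.replaceWith\s*\(/ },
];
const STRING_LITERAL = /'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"/g;

// Returns one finding per line where a sink receives something other than a
// constant string, i.e. a value that may carry data from an external channel.
function findDynamicHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const sink of HTML_SINKS) {
      const m = sink.re.exec(text);
      if (!m) continue;
      const arg = text.slice(m.index + m[0].length)
        .replace(STRING_LITERAL, '')   // constant markup is not external data
        .replace(/\/\/.*$/, '');       // ignore trailing comments
      if (/[A-Za-z_$]/.test(arg)) {    // an identifier remains: dynamic value
        findings.push({ line: i + 1, sink: sink.name, code: text.trim() });
        break;
      }
    }
  });
  return findings;
}

// Constructed sample: a Wi-Fi / contacts / QR screen in a PhoneGap-style app.
const SAMPLE_APP = [
  "var ssid = network.SSID;",
  "$('#list').append('<li>' + ssid + '</li>');",
  "document.getElementById('who').innerHTML = contact.displayName;",
  "$('#title').html('<b>Nearby networks</b>');",
  "$('#name').text(contact.displayName);",
  "document.getElementById('ssid').textContent = ssid;",
  "document.write(qrResult.text);",
].join('\n');

for (const f of findDynamicHtmlSinks(SAMPLE_APP)) {
  console.log(`line ${f.line}: ${f.sink} <- ${f.code}`);
}
```

Each flagged line is a candidate for switching to a text-only API or for encoding the value before it reaches the sink; the constant-markup html() call and the text()/textContent lines are not reported.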

Frameworks Affected

PhoneGap is the most popular framework for HTML5-based app development, and our studies are mostly based on PhoneGap apps. There are other frameworks, such as RhoMobile, Appcelerator, etc. We have only tested several of them, and found them similarly vulnerable.

| Frameworks | Vulnerable or Not? |
|---|---|
| PhoneGap | Vulnerable |
| MoSync | Vulnerable |
| RhoMobile | Vulnerable |
| Sencha Touch | Vulnerable |
| Quickconnect | Investigation in progress |
| Appcelerator | Investigation in progress |
| Mulberry | Investigation in progress |
| Flex | Investigation in progress |
| jQuery Mobile | Investigation in progress |
| Mojito | Investigation in progress |


  • Advisor: Kevin Du
  • Emir Demirdag
  • Diana Jackson
  • Xing Jin
  • Tongbo Luo
  • Nagesh Gautam Peri
  • Derek Tsui
  • Kailiang Ying

Contact Us

Email: wedu@syr.edu
Tel: (315) 443-9180
Address:
4-206 CST Building
Department of EECS
Syracuse University
Syracuse, NY 13244