First, the app must be built on HTML5-based technology, i.e., its code (or part of it) is written in JavaScript. If the app is written in the language native to the platform (e.g., Java for Android and Objective-C for iOS), it is immune to this type of attack.
Second, there must exist a channel through which the app receives data from outside. The data can come from outside the device (e.g., scanning a 2D barcode) or from another app on the same device (e.g., the Contact list).
Third, the app needs to display the information received from outside. The choice of API used to display the information is critical: some APIs are safe, but many of them are not.
The following video explains how the attack works. For full details, see our paper.
The following diagram depicts how the attack works.
The following channels can be used by attackers to inject malicious JavaScript code into a victim's device:
The following channels can be used by another app on the same device to inject malicious JavaScript code into a vulnerable HTML5-based app (our study was conducted only on Android; similar channels should exist on other platforms):
A number of JavaScript APIs can be used to display data. The following tables show whether each of them is safe against our attacks, together with the percentage of the apps (among the 764 samples we studied) that use the API at least once. Those that are both popular and unsafe are highlighted. An important observation is that the safe APIs are rarely used.
DOM APIs and Attributes | Safe (✓) or Not (✗)? | Usage (% of 764 apps) |
---|---|---|
document.write() | ✗ | 6.80% |
appendChild() | ✗ | 5.89% |
innerHTML/outerHTML | ✗ | 6.02% |
innerText/outerText | ✓ | 1.83% |
textContent | ✓ | 3.27% |

jQuery APIs | Safe (✓) or Not (✗)? | Usage (% of 764 apps) |
---|---|---|
html() | ✗ | 16.36% |
append()/prepend() | ✗ | 17.28% |
before()/after() | ✗ | 7.33% |
add() | ✗ | 5.24% |
replaceAll()/replaceWith() | ✗ | 0.52% |
text() | ✓ | 4.19% |
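As an added example (not code from the original page, nor from the PhoneGap project), here is a small audit script in JavaScript that applies the classification in the tables above: it scans an app's JavaScript for the listed display sinks, flags each use as safe or unsafe, and shows the barcode-scanning callback from the three attack conditions above in both its vulnerable and hardened form. The sample app source, the element ids, the callback names and the payload are constructed for this example, and the regexes are a line-oriented heuristic rather than a parser. One caveat worth knowing: browsers do not execute `<script>` elements inserted through innerHTML, so payloads aimed at these sinks use event-handler attributes such as onerror instead; the `escapeHtml` helper is the fallback for the case where an HTML-rendering sink cannot be replaced.

```javascript
// Added example (not code from the original page or from the PhoneGap project):
// an audit script that scans an HTML5-based app's JavaScript for the display
// sinks classified in the tables above, plus an HTML-escaping helper for the
// case where an HTML-rendering sink cannot be avoided.
// The sample app source, element ids, function names and payload are constructed.

// Sink classification taken from the tables on this page. The regexes are a
// line-oriented heuristic (no parsing), so review findings by hand; in particular
// `.add(`, `.before(` and `.after(` also match non-jQuery code.
const SINKS = [
  { name: 'document.write()',                  safe: false, re: /\bdocument\.write(ln)?\s*\(/ },
  { name: 'appendChild()',                     safe: false, re: /\.appendChild\s*\(/ },
  { name: 'innerHTML/outerHTML',               safe: false, re: /\.(inner|outer)HTML\s*=[^=]/ },
  { name: 'innerText/outerText',               safe: true,  re: /\.(inner|outer)Text\s*=[^=]/ },
  { name: 'textContent',                       safe: true,  re: /\.textContent\s*=[^=]/ },
  // jQuery setters: a call with no argument is a getter, not a display sink.
  { name: 'jQuery html()',                     safe: false, re: /\.html\s*\(\s*[^)\s]/ },
  { name: 'jQuery append()/prepend()',         safe: false, re: /\.(append|prepend)\s*\(/ },
  { name: 'jQuery before()/after()',           safe: false, re: /\.(before|after)\s*\(/ },
  { name: 'jQuery add()',                      safe: false, re: /\.add\s*\(/ },
  { name: 'jQuery replaceAll()/replaceWith()', safe: false, re: /\.(replaceAll|replaceWith)\s*\(/ },
  { name: 'jQuery text()',                     safe: true,  re: /\.text\s*\(\s*[^)\s]/ },
];

// Scan JavaScript source text and report every line that uses one of the sinks.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    for (const sink of SINKS) {
      if (sink.re.test(line)) {
        findings.push({ line: index + 1, sink: sink.name, safe: sink.safe, code: line.trim() });
      }
    }
  });
  return findings;
}

// Count safe versus unsafe uses, the per-app version of the statistic in the table.
function summarize(findings) {
  return {
    unsafe: findings.filter((f) => !f.safe).length,
    safe: findings.filter((f) => f.safe).length,
  };
}

// If an HTML-rendering sink is unavoidable, escape the untrusted data first so
// that markup characters in it are displayed rather than parsed.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: a PhoneGap-style barcode-scanner callback, first in its
// vulnerable form and then hardened with the safe APIs from the table.
const SAMPLE_APP = `
// Constructed PhoneGap-style barcode callback (vulnerable)
function onScanVulnerable(result) {
  // result.text comes from outside the device: the 2D barcode
  document.getElementById('out').innerHTML = result.text;
  $('#log').append('<li>' + result.text + '</li>');
}
// Hardened version of the same callback
function onScanSafe(result) {
  document.getElementById('out').textContent = result.text;
  $('#log').text(result.text);
}
// Reading the current value through a getter is not a display sink
var current = $('#out').html();
`;

// Constructed malicious barcode content. Browsers do not run <script> elements
// inserted through innerHTML, so injected code usually rides on an event-handler
// attribute such as onerror instead.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

const report = scanSource(SAMPLE_APP);
for (const f of report) {
  console.log(`line ${f.line}: ${f.safe ? 'SAFE  ' : 'UNSAFE'} ${f.sink}: ${f.code}`);
}
console.log(summarize(report));   // { unsafe: 2, safe: 2 }
console.log(escapeHtml(PAYLOAD)); // markup characters escaped, so it displays as text
```

Run it with Node; it reports the two unsafe sinks in the vulnerable callback and the two safe ones in the hardened version, and leaves the `.html()` getter alone. To audit a real app, read the files under its `www/` directory and pass their contents to `scanSource`, then review each finding by hand, since the regexes cannot tell whether the value flowing into a sink actually came from an outside channel.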
PhoneGap is the most popular framework for HTML5-based app development, and our studies are mostly based on PhoneGap apps. There are other frameworks, such as RhoMobile, Appcelerator, etc. We have tested only a few of them so far, and found them similarly vulnerable.
Frameworks | Vulnerable or Not? |
---|---|
PhoneGap | Vulnerable |
MoSync | Vulnerable |
RhoMobile | Vulnerable |
Sencha Touch | Vulnerable |
Quickconnect | Investigation in progress |
Appcelerator | Investigation in progress |
Mulberry | Investigation in progress |
Flex | Investigation in progress |
jQuery Mobile | Investigation in progress |
Mojito | Investigation in progress |
Email: wedu@syr.edu
Tel: (315) 443-9180
Address:
4-206 CST Building
Department of EECS
Syracuse University
Syracuse, NY 13244