
Event-Based Remote Attacks in HTML5-Based Mobile Apps

  • Conference paper
  • In: Computer Security (IOSEC 2019, MSTEC 2019, FINSEC 2019)

Abstract

HTML5-based mobile apps are becoming increasingly popular because they leverage standard web technologies such as HTML5, JavaScript and CSS to save development cost. Like web apps, they are built with JavaScript frameworks (e.g. jQuery) that make mobile websites responsive, faster, etc. Attackers may fire the events integrated into these frameworks to reuse sensitive APIs that the apps already include. Once the internal functions are accessed successfully, the consequences may be serious (e.g. resource access). The main advantage of this attack is that it does not require injecting malicious payloads that access system resources into the apps. We define this attack vector as event-based remote attacks.

In this paper, we present a systematic study of event-based remote attacks. In addition, we introduce a static detection approach for finding vulnerable apps that can be exploited to launch such remote attacks. For the measurement, we applied the approach to a dataset of 2,536 HTML5-based mobile apps. It eventually flagged 53 vulnerable apps, including 45 true positives.
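A minimal static check in the spirit of the abstract, as an added example that is not the paper's tool or code: it flags jQuery event bindings whose handler reaches a sensitive device API, directly or through named functions. The API list (Cordova plugin calls), the function names and the sample script are assumptions made for illustration.

```javascript
// Added example: flag jQuery event bindings whose handler reaches a sensitive
// device API. Bracket matching only, not a parser; strings can confuse it.
const SENSITIVE = ['navigator.camera.getPicture', 'navigator.contacts.find',
  'navigator.geolocation.getCurrentPosition']; // assumed, partial API list
// Text between the bracket at index `open` and its matching close.
function balanced(src, open) {
  const close = src[open] === '(' ? ')' : '}';
  for (let i = open, depth = 0; i < src.length; i++) {
    if (src[i] === src[open]) depth++;
    else if (src[i] === close && --depth === 0) return src.slice(open + 1, i);
  }
  return src.slice(open + 1); // unbalanced input: take the rest
}
// Map each named function declaration to its body text.
function namedFunctions(src) {
  const fns = {};
  for (const m of src.matchAll(/function\s+([A-Za-z_]\w*)\s*\([^)]*\)\s*\{/g))
    fns[m[1]] = balanced(src, m.index + m[0].length - 1);
  return fns;
}
// Sensitive APIs reachable from `code`, following calls to named functions.
function reaches(code, fns, seen = new Set()) {
  const hits = new Set(SENSITIVE.filter((api) => code.includes(api)));
  for (const name of Object.keys(fns)) {
    if (seen.has(name) || !new RegExp(`\\b${name}\\b`).test(code)) continue;
    seen.add(name);
    reaches(fns[name], fns, seen).forEach((h) => hits.add(h));
  }
  return hits;
}
// One finding per binding: the event name and the APIs its handler reaches.
function findSensitiveBindings(src) {
  const fns = namedFunctions(src), findings = [];
  for (const m of src.matchAll(/\.(on|bind|click|submit)\s*\(/g)) {
    const args = balanced(src, m.index + m[0].length - 1);
    const lit = args.match(/^\s*['"]([^'"]+)['"]/);
    const apis = [...reaches(args, fns)].sort();
    if (apis.length) findings.push({ event: lit ? lit[1] : m[1], apis });
  }
  return findings;
}
// Constructed sample app script (not from a real app).
const SAMPLE = `
function takePhoto() { navigator.camera.getPicture(onOk, onErr); }
function share() { takePhoto(); }
$('#snap').on('click', share);
$('#where').click(function () { navigator.geolocation.getCurrentPosition(show); });
$('#menu').on('swipeleft', function () { $('#panel').hide(); });`;
console.log(findSensitiveBindings(SAMPLE));
```

Each finding is a handler worth reviewing for whether the API call should be reachable from an event alone; the `swipeleft` binding is not reported because its handler touches no listed API.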



Author information


Correspondence to Phi Tuong Lau.


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Lau, P.T. (2020). Event-Based Remote Attacks in HTML5-Based Mobile Apps. In: Fournaris, A., et al. Computer Security. IOSEC 2019, MSTEC 2019, FINSEC 2019. Lecture Notes in Computer Science, vol 11981. Springer, Cham. https://doi.org/10.1007/978-3-030-42051-2_4


  • DOI: https://doi.org/10.1007/978-3-030-42051-2_4


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-42050-5

  • Online ISBN: 978-3-030-42051-2

  • eBook Packages: Computer Science (R0)