Abstract
HTML5-based mobile apps are increasingly popular because they use standard web technologies such as HTML5, JavaScript, and CSS to reduce development cost. Like web apps, they are built with JavaScript frameworks (e.g. jQuery) that make mobile websites responsive, faster, etc. Attackers may fire the events integrated into these frameworks to reuse sensitive APIs included in the apps. Once the internal functions are accessed successfully, serious consequences may follow (e.g. resource access). The main advantage of this approach is that the attacker does not need to inject malicious payloads into the app to access system resources. We define this attack vector as event-based remote attacks.
In this paper, we present a systematic study of event-based remote attacks. In addition, we introduce a static detection approach that identifies vulnerable apps that can be exploited to launch such remote attacks. For the measurement, we applied the approach to a dataset of 2,536 HTML5-based mobile apps. It flagged 53 apps as vulnerable, 45 of which were true positives.
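As an added illustration (not the paper's tool or code), the sketch below shows the kind of condition a static check can look for: a jQuery event handler whose body reaches a sensitive Cordova/PhoneGap plugin API. The API list, function names and sample source are assumptions constructed for this example; it covers only inline anonymous handlers and follows named functions one call deep.

```javascript
// Added illustration; API list and sample source are constructed.
const SENSITIVE_APIS = ["navigator.camera.getPicture",
  "navigator.geolocation.getCurrentPosition", "navigator.contacts.find"];

// Text of the brace-delimited block whose "{" is at src[open].
function blockAt(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return src.slice(open, i + 1);
  }
  return src.slice(open); // unbalanced input: take the rest
}

// Named functions -> bodies, so a handler can be followed one call deep.
function namedFunctions(src) {
  const fns = {}, re = /function\s+([A-Za-z_]\w*)\s*\([^)]*\)\s*\{/g;
  for (const m of src.matchAll(re)) fns[m[1]] = blockAt(src, m.index + m[0].length - 1);
  return fns;
}

// Findings: {event, api} for each bound handler that reaches a sensitive API.
function findEventReachableApis(src) {
  const fns = namedFunctions(src), findings = [];
  const re = /\.(?:on|bind)\(\s*["']([\w.:-]+)["']\s*,\s*function\s*\([^)]*\)\s*\{/g;
  for (const m of src.matchAll(re)) {
    let body = blockAt(src, m.index + m[0].length - 1);
    for (const [name, fnBody] of Object.entries(fns)) {
      if (new RegExp("\\b" + name + "\\s*\\(").test(body)) body += fnBody;
    }
    for (const api of SENSITIVE_APIS) {
      if (body.includes(api)) findings.push({ event: m[1], api });
    }
  }
  return findings;
}

// Constructed sample app source.
const SAMPLE_APP = `
function takePhoto() {
  navigator.camera.getPicture(onOk, onErr, { quality: 50 });
}
$("#shoot").on("click", function (e) { takePhoto(); });
$(document).on("pageshow", function () {
  navigator.geolocation.getCurrentPosition(showMap);
});
$("#about").on("click", function () { $("#dlg").show(); });
`;
console.log(findEventReachableApis(SAMPLE_APP));
```

Each finding is a candidate for manual review, since a textual match does not establish that the event can be fired remotely.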
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Lau, P.T. (2020). Event-Based Remote Attacks in HTML5-Based Mobile Apps. In: Fournaris, A., et al. Computer Security. IOSEC 2019, MSTEC 2019, FINSEC 2019. Lecture Notes in Computer Science, vol 11981. Springer, Cham. https://doi.org/10.1007/978-3-030-42051-2_4
DOI: https://doi.org/10.1007/978-3-030-42051-2_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-42050-5
Online ISBN: 978-3-030-42051-2
eBook Packages: Computer Science, Computer Science (R0)