Analyzing Android Browser Apps for file:// Vulnerabilities

  • Conference paper
Information Security (ISC 2014)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8783)

Abstract

Securing browsers in mobile devices is very challenging, because these browser apps usually provide browsing services to other apps on the same device. A malicious app installed on a device can potentially obtain sensitive information through a browser app. In this paper, we identify four types of attacks in Android, collectively known as FileCross, that exploit the vulnerable file:// scheme to obtain users’ private files, such as cookies, bookmarks, and browsing histories. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them are vulnerable to the attacks. Among them are the popular Firefox, Baidu and Maxthon browsers, and the more application-specific ones, including UC Browser HD for tablet users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these browsers further shows that 26 browsers (23%) expose their browsing interfaces unintentionally. In response to our reports, the developers concerned promptly patched their browsers by forbidding file:// access to private file zones, disabling JavaScript execution in file:// URLs, or even blocking external file:// URLs. We employ the same system to validate the ten patches received from the developers and find one still failing to block the vulnerability.

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Wu, D., Chang, R.K.C. (2014). Analyzing Android Browser Apps for file:// Vulnerabilities. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds) Information Security. ISC 2014. Lecture Notes in Computer Science, vol 8783. Springer, Cham. https://doi.org/10.1007/978-3-319-13257-0_20

  • DOI: https://doi.org/10.1007/978-3-319-13257-0_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13256-3

  • Online ISBN: 978-3-319-13257-0

  • eBook Packages: Computer Science, Computer Science (R0)
