Results 1 - 10 of 15
Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps (in CCS, ACM)
Cited by 7 (1 self)
We propose a new approach to conduct static analysis for security vetting of Android apps, and built a general framework, called Amandroid, for determining points-to information for all objects in an Android app in a flow- and context-sensitive way across Android app components. We show that: (a) this type of comprehensive analysis is completely feasible in terms of computing resources needed with modern hardware, (b) one can easily leverage the results from this general analysis to build various types of specialized security analyses – in many cases the amount of additional coding needed is around 100 lines of code, and (c) the result of those specialized analyses leveraging Amandroid is at least on par and often exceeds prior works designed for the specific problems, which we demonstrate by comparing Amandroid’s results with those of prior works whenever we can obtain the executable of those tools. Since Amandroid’s analysis directly handles inter-component control and data flows, it can be used to address security problems that result from interactions among multiple components from either the same or different apps. Amandroid’s analysis is sound in that it can provide assurance of the absence of the specified security problems in an app with well-specified and reasonable assumptions on the Android runtime system and its library.
Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks
Cited by 7 (3 self)
Hybrid mobile applications (apps) combine the features of Web applications and “native” mobile apps. Like Web applications, they are implemented in portable, platform-independent languages such as HTML and JavaScript. Like native apps, they have direct access to local device resources—file system, location, camera, contacts, etc. Hybrid apps are typically developed using hybrid application frameworks such as PhoneGap. The purpose of the framework is twofold. First, it provides an embedded Web browser (for example, WebView on Android) that executes the app’s Web code. Second, it supplies “bridges” that allow Web code to escape the browser and access local resources on the device. We analyze the software stack created by hybrid frameworks and demonstrate that it does not properly compose the access-control policies governing Web code and local code, respectively.
Code Injection Attacks on HTML5-based Mobile Apps
Cited by 6 (0 self)
HTML5-based mobile apps become more and more popular, mostly because they are much easier to be ported across different mobile platforms than native apps. HTML5-based apps are implemented using the standard web technologies, including HTML5, JavaScript and CSS; they depend on some middlewares, such as PhoneGap, to interact with the underlying OS. Knowing that JavaScript is subject to code injection attacks, we have conducted a systematic study on HTML5-based mobile apps, trying to evaluate whether it is safe to rely on the web technologies for mobile app development. Our discoveries are quite surprising. We found out that if HTML5-based mobile apps become popular–it seems to go that direction based on the current projection–many of the things that we normally do today may become dangerous, including reading from 2D barcodes, scanning Wi-Fi access points, playing MP4 videos, pairing with Bluetooth devices, etc. This paper describes how HTML5-based apps can become vulnerable, how attackers can exploit their vulnerabilities through a variety of channels, and what damage can be achieved by the attackers. In addition to demonstrating the attacks through example apps, we have studied 186 PhoneGap plugins, used by apps to achieve a variety of functionalities, and we found that 11 are vulnerable. We also found two real HTML5-based apps that are vulnerable to the attacks.
OAuth Demystified for Mobile Application Developers
Cited by 4 (1 self)
OAuth has become a highly influential protocol due to its swift and wide adoption in the industry. The initial objective of the protocol was specific: it serves the authorization needs for websites. What motivates our work is the realization that the protocol has been significantly re-purposed and re-targeted over the years: (1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication; (2) developers have re-targeted OAuth to the mobile platforms, in addition to the traditional web platform. Therefore, we believe that it is necessary and timely to conduct an in-depth study to demystify OAuth for mobile application developers. Our work consists of two pillars: (1) an in-house study of the OAuth protocol documentation that aims to identify what might be ambiguous or unspecified for mobile developers; (2) a field study of over 600 popular mobile applications that highlights how well developers fulfill the authentication and authorization goals in practice. The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable. In the paper, we pinpoint the key portions in each OAuth protocol flow that are security critical, but are confusing or unspecified for mobile application developers. We then show several representative cases to concretely explain how real implementations fell into these pitfalls. Our findings have been communicated to vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some have applied fixes. We summarize lessons learned from the study, hoping to provoke further thoughts about clear guidelines for OAuth usage in mobile applications.
Analyzing Android Browser Apps for file:// Vulnerabilities
Cited by 2 (0 self)
Securing browsers in mobile devices is very challenging, because these browser apps usually provide browsing services to other apps in the same device. A malicious app installed in a device can potentially obtain sensitive information through a browser app. In this paper, we identify four types of attacks in Android, collectively known as FileCross, that exploit the vulnerable file:// to obtain the user’s private files, such as cookies, bookmarks, and browsing histories. Our study shows that this class of attacks is much more prevalent and damaging than previously thought. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them are vulnerable to the attacks. Among them are the popular Firefox, Baidu and Maxthon browsers, and the more application-specific ones, including UC Browser HD for tablet users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these browsers further shows that 26 browsers (23%) expose their browsing interfaces unintentionally. In response to our reports, the developers concerned promptly patched their browsers by forbidding file:// access to private file zones, disabling JavaScript execution in file:// URLs, or even blocking external file:// URLs. We employ the same system to validate the nine patches received from the developers and find one still failing to block the vulnerability.
Attacks on Android Clipboard
Cited by 1 (1 self)
In this paper, we perform a thorough study on the risks imposed by the globally accessible Android Clipboard. Based on the risk assessment, we formulate a series of attacks and categorize them into two groups, i.e., manipulation and stealing. Clipboard data manipulation may lead to common code injection attacks, like JavaScript injection and command injection. Furthermore, it can also cause phishing attacks, including web phishing and app phishing. Data stealing happens when sensitive data copied into the clipboard is accessed by malicious applications. For each category of attack, we analyze a large number of candidate apps and show multiple case studies to demonstrate its feasibility. Also, our app analysis process is formulated to benefit future app development and vulnerability detection. After a comprehensive exposure of the risk, we briefly discuss some potential solutions.
What Mobile Ads Know About Mobile Users
We analyze the software stack of popular mobile advertising libraries on Android and investigate how they protect the users of advertising-supported apps from malicious advertising. We find that, by and large, Android advertising libraries properly separate the privileges of the ads from the host app by confining ads to dedicated browser instances that correctly apply the same origin policy. We then demonstrate how malicious ads can infer sensitive information about users by accessing external storage, which is essential for media-rich ads in order to cache video and images. Even though the same origin policy prevents confined ads from reading other apps' external-storage files, it does not prevent them from learning that a file with a particular name exists. We show how, depending on the app, the mere existence of a file can reveal sensitive information about the user. For example, if the user has a pharmacy price-comparison app installed on the device, the presence of external-storage files with certain names reveals which drugs the user has looked for. We conclude with our recommendations for redesigning mobile advertising software to better protect users from malicious advertising.
Unauthorized Cross-App Resource Access on MAC OS X and iOS
On modern operating systems, applications under the same user are separated from each other, for the purpose of protecting them against malware and compromised programs. Given the complexity of today's OSes, less clear is whether such isolation is effective against different kinds of cross-app resource access attacks (called XARA in our research). To better understand the problem, on the less-studied Apple platforms, we conducted a systematic security analysis on MAC OS X and iOS. Our research leads to the discovery of a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps' sensitive data. More specifically, we found that the inter-app interaction services, including the keychain and WebSocket on OS X and URL Scheme on OS X and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the App sandbox on OS X was found to be vulnerable, exposing an app's private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications. To better understand their impacts, we developed a scanner that automatically analyzes the binaries of OS X and iOS apps to determine whether proper protection is missing in their code. Running it on hundreds of binaries, we confirmed the pervasiveness of the weaknesses among high-impact Apple apps. Since the issues may not be easily fixed, we built a simple program that detects exploit attempts on OS X, helping protect vulnerable apps before the problems can be fully addressed. We further discuss the insights from this study and the lessons learnt for building a securer system.
A Large-Scale Study of Mobile Web App Security
Mobile apps that use an embedded web browser, or mobile web apps, make up 85% of the free apps on the Google Play store. The security concerns for developing mobile web apps go beyond just those for developing traditional web apps or mobile apps. In this paper we develop scalable analyses for finding several classes of vulnerabilities in mobile web apps and analyze a large dataset of 998,286 mobile web apps, representing a complete snapshot of all of the free mobile web apps on the Google Play store as of June 2014. We find that 28% of the studied apps have at least one vulnerability. We explore the severity of these vulnerabilities and identify trends in the vulnerable apps. We find that severe vulnerabilities are present across the entire Android app ecosystem, even in popular apps and libraries. Finally, we offer several changes to the Android APIs to mitigate these vulnerabilities.
Rethinking Security of Web-Based System Applications
Many modern desktop and mobile platforms, including Ubuntu, Google Chrome, Windows, and Firefox OS, support so-called Web-based system applications that run outside the Web browser and enjoy direct access to native objects such as files, camera, and geolocation. We show that the access-control models of these platforms are (a) incompatible and (b) prone to unintended delegation of native-access rights: when applications request native access for their own code, they unintentionally enable it for untrusted third-party code, too. This enables malicious ads and other third-party content to steal users' OAuth authentication credentials, access the camera on their devices, etc. We then design, implement, and evaluate POWERGATE, a new access-control mechanism for Web-based system applications. It solves two key problems plaguing all existing platforms: security and consistency. First, unlike the existing platforms, POWERGATE correctly protects native objects from unauthorized access. Second, POWERGATE provides uniform access-control semantics across all platforms and is 100% backward compatible. POWERGATE enables application developers to write well-defined native-object access policies with explicit principals such as "application's own local code" and "third-party Web code," is easy to configure, and incurs negligible performance overhead.