Due to the portability advantage, html5-basedmobile apps are getting more and more popular. Unfortunately, the web technology used by html5-basedmobile apps has a dangerous feature, which allows data and code to be ...
详细信息
ISBN:
(纸本)9781450329576
Due to the portability advantage, html5-basedmobile apps are getting more and more popular. Unfortunately, the web technology used by html5-basedmobile apps has a dangerous feature, which allows data and code to be mixed together, making code injection attacks possible. In this paper, we have conducted a systematic study on this risk in html5-basedmobile apps. We found a new form of code injection attack, which inherits the fundamental cause of Cross-Site Scripting attack (XSS), but it uses many more channels to inject code than XSS. These channels, unique to mobile devices, include Contact, SMS, Barcode, MP3, etc. To assess the prevalence of the code injection vulnerability in html5-basedmobile apps, we have developed a vulnerability detection tool to analyze 15,510 PhoneGap apps collected from Google Play. 478 apps are flagged as vulnerable, with only 2.30% false-positive rate. We have also implemented a prototype called NoInjection as a Patch to PhoneGap in Android to defend against the attack.
Due to the high occupancy volume of smartphones in mode society, more and more developers join the smartphone app market and develop various mobileapplications that could benefit out life in many ways. However, smart...
详细信息
Due to the high occupancy volume of smartphones in mode society, more and more developers join the smartphone app market and develop various mobileapplications that could benefit out life in many ways. However, smartphone apps are often blamed for insecurities due to smartphone technologies as well as inexperienced app developers. In this thesis work, we study smartphone app security vulnerabilities due to either improper implementations or improper use of smartphone technologies. More specifically, we study potential security vulnerabilities in three categories of apps: apps which use the secure socket layer(SSL) protocol for secure communication, apps which use the WebView technology, and apps which are html5-based. For each category of apps, we analyze the underlying technologies to show the cause of vulnerabilities, and develop instruction materials for each of the three validation attacks we have implemented and turn them into security teaching labs. These security teaching labs aim to help students to understand the theoretical attack concepts in and accurate and understandable way and cultivate the hacking mindset.
暂无评论