DroidCIA: A Novel Detection Method of Code Injection Attacks on HTML5-Based Mobile Apps

Smartphones have become increasingly popular in recent years, and there are many different smartphone systems, such as Android and iOS. Based on HTML5, developers now have a convenient framework for building cross-platform HTML5-based mobile apps. Unfortunately, HTML5-based apps are also susceptible to cross-site scripting attacks, like most web applications, and attackers can inject malicious scripts through many different injection channels. In this paper, we propose a new way to detect a known malicious script injected through the HTML5 text box input type together with document.getElementById("TagID").value. This text box injection channel had not been detected by other researchers because they analyzed only JavaScript APIs and overlooked the HTML files that carry the text box input type information. We then applied this new method to a vulnerable app set of 8303 cases obtained from Google Play. We detected a total of 351 vulnerable apps with 99% accuracy: 347 of them were also detected by other researchers, and 4 additional vulnerable apps belonged to this text box injection channel. We also implemented a Code Injection Attack detection tool named DroidCIA, which automates the construction of the JavaScript API call graph and its combination with the HTML information.
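The detection idea summarized above (classifying a document.getElementById("...").value read as a user-controlled source only when the HTML file declares that element as a text box, then checking whether the value reaches a code or markup sink) as an added illustration. This is not DroidCIA's own code: it is a deliberately small regex-based analysis with constructed sample HTML and JavaScript, an assumed set of text-like input types (broader than the paper's "text box"), and an assumed sink list. Its point is that the same script analyzed without the HTML yields no finding, which is the gap the paper attributes to JavaScript-API-only analyses.

```python
import re

# Constructed sample assets (not taken from the paper or from any real app):
# an HTML page with several input elements and a script that reads them.
SAMPLE_HTML = """
<html><body>
  <input type="text" id="userName">
  <input type="password" id="pw">
  <input type="checkbox" id="agree">
  <input id="untyped">
  <div id="out"></div>
</body></html>
"""

SAMPLE_JS = """
var name = document.getElementById("userName").value;
var flag = document.getElementById("agree").checked;
document.getElementById("out").innerHTML = "Hello " + name;
var pw = document.getElementById('pw').value;
console.log(pw.length);
"""

# Assumed set of input types whose .value is free-form text typed by the user
# (wider than the paper's "text box"; an <input> without a type defaults to text).
TEXT_INPUT_TYPES = {"text", "search", "url", "tel", "email", "password"}

# Assumed sink list: places where user-controlled text becomes code or markup.
SINKS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("Function", re.compile(r"\bnew\s+Function\s*\(")),
    ("setTimeout", re.compile(r"\bsetTimeout\s*\(")),
    ("setInterval", re.compile(r"\bsetInterval\s*\(")),
    ("document.write", re.compile(r"\bdocument\.write(ln)?\s*\(")),
    ("innerHTML", re.compile(r"\.innerHTML\s*=")),
]

# A DOM read of the form document.getElementById("id").value; the id is captured.
READ_RE = re.compile(r"""document\.getElementById\(\s*["']([^"']+)["']\s*\)\.value""")
# A simple assignment "var x = ..." (a single '=' so that '==' is not matched).
ASSIGN_RE = re.compile(r"^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*[^=]")


def text_box_ids(html):
    """Return the ids of elements whose .value is text typed by the user (HTML side)."""
    ids = set()
    for m in re.finditer(r"<(input|textarea)\b([^>]*)>", html, re.I):
        tag, attrs = m.group(1).lower(), m.group(2)
        id_m = re.search(r"""\bid\s*=\s*["']([^"']+)["']""", attrs, re.I)
        if not id_m:
            continue
        type_m = re.search(r"""\btype\s*=\s*["']?([A-Za-z]+)""", attrs, re.I)
        itype = type_m.group(1).lower() if type_m else "text"
        if tag == "textarea" or itype in TEXT_INPUT_TYPES:
            ids.add(id_m.group(1))
    return ids


def find_text_box_flows(html, js):
    """Report statements where a text-box value (directly or via a variable) reaches a sink."""
    boxes = text_box_ids(html)
    tainted = {}  # variable name -> id of the text box it was read from
    findings = []
    for stmt in re.split(r"[;\n]", js):  # crude statement split; fine for the sample
        stmt = stmt.strip()
        if not stmt:
            continue
        # Direct reads in this statement count only if the id is a text box in the HTML.
        sources = {m.group(1) for m in READ_RE.finditer(stmt) if m.group(1) in boxes}
        # Propagate taint from variables assigned earlier.
        for var, src in tainted.items():
            if re.search(r"\b" + re.escape(var) + r"\b", stmt):
                sources.add(src)
        am = ASSIGN_RE.match(stmt)
        if am and sources:
            tainted[am.group(1)] = min(sources)
        for sink_name, sink_re in SINKS:
            if sources and sink_re.search(stmt):
                findings.append({"source_id": min(sources), "sink": sink_name, "statement": stmt})
    return findings


if __name__ == "__main__":
    for f in find_text_box_flows(SAMPLE_HTML, SAMPLE_JS):
        print("text box %(source_id)s reaches %(sink)s: %(statement)s" % f)
    print("without HTML:", find_text_box_flows("", SAMPLE_JS))
```

Running the block reports one flow (the text box userName reaching innerHTML); the read of the checkbox is not a source because its type is not text-like, and the password value never reaches a sink. Calling the same analysis with an empty HTML string returns nothing, because no element can be classified as a text box from the script alone.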
