Professional Documents
Culture Documents
net/publication/278724743
CITATIONS READS
53 3,631
5 authors, including:
Adam Doupé
Arizona State University
65 PUBLICATIONS 1,191 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Adam Doupé on 19 June 2015.
Patrick Mutchler∗ , Adam Doupé† , John Mitchell∗ , Chris Kruegel‡ and Giovanni Vigna‡
∗ Stanford University
{pcm2d, mitchell}@stanford.edu
† Arizona State University
doupe@asu.edu
‡ University of California, Santa Barbara
{chris, vigna}@cs.ucsb.edu
!"#$%!!&'
()*"#$%!!&'
!"#$%!!&'
Fig. 2: An app leaking an OAuth callback URL. In Step 1 both the
vulnerable app and the malicious app register an app component to
handle URLs matching the protocol scheme my_oauth. In Step 2
Fig. 1: An example of Same Origin Policy limitations for the the OAuth provider completes the protocol and responds with an
JavaScript Bridge. An app exposes an instance of MyObj to the HTTP 302 response to redirect the WebView. In Step 3 the WebView
JavaScript Bridge and loads a HTML page from example.com with passes this URL to shouldOverrideUrlLoading, which uses
an iframe containing content from ads.com. Both example.com and an Implicit Intent to deliver the URL and leaks the URL to the
ads.com have access to a separate Bridge Reference “obj”. These malicious app in Step 4.
Bridge References are separated from each other by Same Origin
Policy (dashed line) but both Bridge References can call methods on
the same Bridge Object through the JavaScript Bridge.
GPS) to foreign apps through Intents. Similarly, a mobile
web app can leak privileged web operations to foreign apps
by blindly responding to Intents. More specifically, if an app
loaded in an iframe. In general, there are four ways that
performs a call to postUrl in response to a foreign Intent
a mobile web app can load untrusted content. An app can
then a malicious app can perform an attack similar to Cross-
allow navigation to untrusted content through normal user
Site Request Forgery. For example, if a mobile web app uses
interaction, it can load trusted content over HTTP, it can load
a POST request to charge the user’s credit card, and this
trusted content that is stored insecurely on the device, or it can
request is exposed to foreign Intents then a malicious app could
load trusted content over HTTPS but use HTTPS incorrectly.
send an Intent to place a fraudulent charge without the user’s
The first three methods of loading untrusted web content knowledge or consent. In order to prevent this vulnerability,
are straightforward but the fourth method demands more developers must ensure that any calls to postUrl that can
explanation. In a traditional browser environment an app has no be triggered by an Intent from a foreign app are confirmed by
control over the browser’s SSL implementation. If the browser the user through some UI action.
finds a problem with its SSL connection then it displays a
warning to the user. WebView, on the other hand, allows IV. A NALYSES
developers to control an app’s behavior in the presence of SSL
certificate errors by overriding the callback onReceived- In this section we describe the methods used to identify
SslError. This even includes proceeding with a resource vulnerabilities in mobile web apps and determine the severity
load without informing the user. Apps that load resources of these vulnerabilities. In order to scale this experiment
over SSL despite invalid certificates lose all of the protection to a dataset of nearly one million apps we designed these
HTTPS gives them against active network adversaries. techniques with efficiency as a priority. This can lead to
some imprecision in our results, however, we note that several
2) Leaky URLs: Apps can leak information through URL properties of mobile web apps make these analyses more
loads that are overridden by navigation control methods. When precise then one might expect. We also note that our methods
an app overrides a URL load and uses an Implicit Intent to were designed to be conservative whenever possible so that we
load that resource, any app can handle that URL load. If a do not incorrectly flag secure apps as vulnerable. We discuss
leaked URL contains private information then that information the limitations of our analyses and their effects on our results
is leaked along with the URL. A developer might think that in more detail in Section V.
it is safe to use an Implicit Intent to deliver a URL to an app
component because the URL matches a custom URL scheme
A. Reachable Web Content
but Android does not provide any protections on custom URL
schemes. An example of this vulnerability was discussed by Mobile web apps that load unsafe web content expose
Chen et al. [15] in relation to mobile OAuth implementations. themselves to attack. We identify apps that load unsafe web
If an app registers a custom URL pattern to receive the final content (e.g., content from untrusted domains or content loaded
callback URL in an OAuth transaction and uses an Implicit over HTTP) in three steps. (1) extract the set of initially
Intent to deliver the URL then a malicious app can register reachable URLs from the app code, (2) extract the navigation
the same URL pattern and steal the OAuth credentials. See control implementations from the app code, and (3) perform
Figure 2 for a visual representation of this vulnerability. a web crawl from the initial URLs while respecting the
navigation control behavior and report any unsafe web content.
3) Exposed Stateful Navigation: Developers must be care- This method mirrors the true navigation behavior of an app.
ful about what app components they expose to Intents from
foreign apps. Existing research has explored apps that leak 1) Initial Resources: To find the set of web resources that a
privileged device operations (e.g, access to the filesystem or mobile web app loads directly we perform a string analysis that
reports the possible concrete values of parameters to navigation statements [31]. Algorithms to compute backwards slices
methods like loadUrl. In order to run quickly, our analysis for sequential programs are well understood, and we use a
is mostly intraprocedural and supports simple string operations known algorithm to compute our slices [11]. This approach
(e.g., concatenation) but does not support more complex string is much more efficient than running an app in an emulator to
operations (e.g., regular expression matching or substring determine if a WebView is allowed to load a page.
replacement). This limits the precision of our analysis but,
based on our analysis, we conclude that mobile web apps will A backwards slice might contain program statements that
often access hard-coded web addresses or build URLs very cannot be executed outside of the Android emulator. For exam-
simply so this simple approach is often very effective. Strings ple, an implementation of shouldOverrideUrlLoading
that cannot be computed by our analysis usually originate might access a hardware sensor or the filesystem. In order to
either far away from a call to a navigation method or even in keep our approach sound but still execute extracted slices, we
an entirely separate app component. Extracting these strings remove any statements that we cannot execute in a stand-alone
would require not only a precise points-to analysis but also Java executable and insert instrumentation to mark data that
an accurate understanding of the inter-component structure these statements can edit as unknown. If during execution a
of an app, taking us beyond the state of the art in scalable statement uses unknown data we halt execution and report that
program analyses. We built our string analysis using Soot, a the result could not be determined.
Java instrumentation and analysis framework that has support A true backwards slice is sometimes unecessary to cor-
for Dalvik bytecode [29, 12]. rectly capture the behavior of a navigation control method.
When possible, our string analysis also reports known We do not care about the behavior of particular statements in
prefixes to unknown values. The prefix can give us information a navigation control method. We only care about the overall
about the loaded content even if we cannot compute the URL. behavior of the method. Two different program statements that
For example, a URL with the concrete prefix http:// tells return the same value are identical for our purposes. Therefore,
us that an app is loading content over an insecure connection we can further simplify our slice by combining “identical”
even if we do not know what content the app is loading. basic blocks. Specifically, if all paths from a particular branch
statement exhibit the same behavior with respect to return
In Android apps, many string constants are not defined statements, calls to navigation methods, and calls to send
in app code. Instead they are defined in a XML docu- Intents then we can replace the branch and all dominated
ments packaged with the app and then referenced by calling statements with their shared behavior. This pruning step makes
Resources.getString or similar methods. A naive string it possible to execute slices that branch based on app state
analysis will fail to find these constants. We parse these XML for reasons other than controlling navigation. Like our string
documents and replace calls to Resources.getString analysis, our slicer was built using Soot.
and similar methods with their equivalent constant string
values before running our analysis. We use apktool [6] to 3) Crawling: Once we have the set of initial URLs and the
unpackage app contents and access these XML documents. extracted navigation control implementations we can identify
the set of resources that an app can reach by performing a
2) Handling Navigation Control: In order to understand web crawl starting from each initial URL and only loading a
how an app can navigate the web and expose itself to un- resource if the extracted navigation control implementations
safe web content we must understand the behavior of any allow it. We are careful to spoof the appropriate headers3 of
implementations of shouldOverrideUrlLoading and our requests to ensure that the web server responds with the
shouldInterceptRequest, the details of which are de- same content that the app would have retrieved.
scribed in Section II-B. Previous work by Chin et al. [17]
categorized implementations as allowing all navigation or no Finally, we must decide if web content reachable through
navigation based on a heuristic and performed a web crawl user interaction is trusted or not. Apps do not explicitly list the
if an implementation was categorized as allowing naviga- set of web domains that they trust so this must be inferred from
tion. This does not capture the full behavior of navigation the behavior of the app. We assume that an app trusts the local
control in Android because many apps will allow navigation private filesystem (file://), all domains of initially loaded web
to some URLs but not others (as our example in Listing 2 content, and all subdomains of trusted domains. If a web crawl
demonstrates). In addition, the authors do not analyze im- reaches content from any untrusted domain then we report a
plementations of shouldInterceptRequest. Below, we security violation.
describe our approach that more precisely handles navigation
control methods by computing the results of these methods for B. Exposed Stateful Navigation
concrete URLs.
Apps that expose postUrl calls to foreign Intents are
We extract an app’s implementations of should-
vulnerable to a CSRF-like attack where foreign apps can
OverrideUrlLoading and shouldIntercept-
force state changes in the backing web application. A call to
Request and create a runnable Java program that, when
postUrl is exposed if it can be reached from an exposed
given a URL to test, reports the behavior of these methods
app component without any user interaction. We find the set
as if they had been called on that URL during normal app
of exposed app components by examining the app’s Manifest
execution. Specifically, we compute and extract a backwards
(see Section II-A). The challenge is how to determine if there
slice of the method with respect to any return statements,
calls to navigation methods, and calls to send Intents. A 3 Specifically, we specify the X-Requested-With header, which Android
backwards slice is the set of all program statements that sets to the unique app id of the app that made the request, and the
can affect the execution of a set of interesting program User-Agent header.
Mobile Web App Feature % Apps
Intent JavaScript Enabled 97
onCreate createDialog JavaScript Bridge 36
shouldOverrideUrlLoading 94
User clicks shouldInterceptRequest 47
onClick postUrl onReceivedSslError 27
postUrl 2
Custom URL Patterns 10
Fig. 3: A path from a foreign Intent to postUrl that is broken by
a UI callback. Clicking the button calls onClick but the call edge TABLE I: The percentage of mobile web apps that contain function-
comes from the OS and is not present in app code. Solid edges are ality we study in this experiment.
found during reachability analysis and dashed edges are not.
1.0
0.5
0.0
Unsafe Nav Unsafe Retrieval Unsafe SSL Exposed POST Leaky URL
Vulnerability Class
no clear trend across all vulnerability classes, but there are 1.0
80 longer call chains than the true positives, which implies that
setting a maximum call chain length could reduce the false
positive rate.
60
J. Mitigation
40
Addressing these varied vulnerabilities is a serious chal-
lenge, but here we offer suggestions to Google Android and
20 mobile OS developers to help reduce the frequency or severity
of vulnerabilities unique to mobile web apps.
0
Unsafe Navigation Unsafe Retrieval Unsafe SSL • Allow developers to specify a whitelist of trusted
domains in a declarative fashion in the app’s
Fig. 6: A comparison of Remote Excecution Exploit rates between Manifest. Today, developers must correctly imple-
apps that have been updated or first published within one year of data ment both shouldOverrideUrlLoading and
collection (June, 2014) and apps that have not been updated recently. shouldInterceptRequest to safely constrain
navigation. This change would ensure that safe navi-
gation control is foolproof.
false positives (reporting a vulnerability when none exists) and • Allow developers to expose Bridge Objects to a
false negatives (failing to report a true vulnerability). Knowing whitelist of domains. Presently, apps depend on cor-
this, we designed our analyses to be conservative and avoid rect navigation control to ensure that untrusted content
false positives. This ensures that our measurements represent does not have access to the JavaScript Bridge. This
a lower bound on the number of WebView vulnerabilities in the would reduce the severity of attacks available to
Android ecosystem. However, there are still some opportunities untrusted web content loaded in a WebView.
for false positives, which we address here. • Display information about the security of the user’s
The string analysis used to identify initial URLs is very connection. Right now there is no way for a concerned
conservative. The analysis is intraprocedural to prevent call user to know the status of his or her connection and
graph imprecision from creating incorrect results and we treat cannot make an informed decision to input sensitive
joins as assignments of unknown values so every reported URL information.
will be a true concrete parameter to a navigation method. The • Display a warning in AndroidStudio on calls to
only risk is if a call to loadUrl is dead code. We manually SslErrorHandler.proceed. A warning is al-
analyzed 50 apps that contained reported initial URLs and ready displayed when apps enable JavaScript and such
found no examples of dead loadUrl calls that had reported a warning would hopefully reduce the number of apps
URL values. that ignore any and all certificate errors.
We only report that an ignores certificate errors if an • Allow developers to declare unique custom URL
implementation of onReceivedSslError calls proceed schemes and ensure that no other installed app reg-
on all code paths. While this approach will fail to report isters the same schemes. In Android 5.0 custom
apps that incorrectly validate certificates, it ensures that every permissions were changed to have a uniqueness re-
reported app contains an insecure implementation of on- quirement [3]. A similar feature for URL schemes
ReceivedSslError. would ensure that apps cannot leak URLs with custom
schemes to foreign apps.
Our analysis of shouldOverrideUrlLoading imple-
mentations is similarly conservative. Because we only report If followed, these recommendations will reduce both the
the result of this method if the slice was able to execute frequency and severity of mobile web app vulnerabilities.
completely and without using unknown data, we can be sure
that any behavior we observe is identical to the behavior in
VI. R ELATED W ORK
the running app.
A number of studies have examined individual vulnera-
The reachability analysis used to identify apps that expose bilities related to the vulnerability classes we study. None
POST requests to foreign apps is the most likely to report false look at datasets of the same scale or are able to discuss
positives. Rather than generating a call graph using points- trends in vulnerable apps. In each case, as explained below,
to sets, we only use the static type of receiver objects and our work expands beyond the prior understanding of these
the class hierarchy to determine virtual method targets. This vulnerabilities.
can lead to spurious call edges and invalid paths from an
exposed app component to a POST request. Apps can also Luo et al. [25], Chin et al. [17], and Georgiev et al. [21]
include logic to validate incoming Intents, which will not be studied attacks on mobile web apps from untrusted content.
captured by our analysis. We manually analyzed 50 apps that Luo et al. [25] manually analyzed a small set of apps for
our reachability analysis reported and found a false positive vulnerabilities but incorrectly assumed that mobile web apps
allow navigation to arbitrary web content and therefore failed manually analyzed a small set of popular apps and found
to explore the effect of navigation control on mobile web several vulnerabilities. They proposed a defense involving
app security. Chin et al. [17] built a static analyzer to find attaching labels to inter-app messages with an origin and
apps that allow navigation to untrusted content. The authors enforcing same-origin policies on the communication channel.
understand the importance of the shouldOverrideUrl-
Loading method but handle it using a simple heuristic that VII. C ONCLUSION
fails to capture its behavior accurately. The authors also do not
While allowing rich interaction between embedded web
consider implementations of shouldInterceptRequest
content and app code, mobile web apps also present security
in their analysis. Georgiev et al. [21] studied the JavaScript
problems beyond those otherwise associated with the mobile
Bridge in mobile web apps developed using PhoneGap and
platform or the web. We selected several vulnerabilities in
analyzed several thousand mobile web apps for vulnerabilities
mobile web apps and developed scalable analyses to identify
but their experiment is limited to apps built using PhoneGap,
these vulnerabilities. We analyzed a large dataset of 998,286
and, like Luo et al. [25], they do not explore the effect of
mobile web apps and found that 28% of the apps contained
navigation control. Within the scope of attacks from untrusted
at least one security vulnerability. Our analyses provide a
web content, our work extends beyond these results by accu-
conservative underestimate of the true vulnerability rate for
rately capturing the effect of navigation control methods when
the most common vulnerabilities in our dataset so this result
identifying apps that navigate to untrusted web content.
represents a lower bound on the number of vulnerable apps
Fahl et al. [19] and Tenduklar et al. [28] analyzed Android in the wild. We explored trends in vulnerable apps and found
apps for errors in their SSL implementations and found that that vulnerabilities are present across the entire app ecosystem,
many apps validated certificates incorrectly. Sounthiraraj et including in libraries and the most popular apps. Finally, we
al. [27] built a dynamic analysis tool to detect apps that listed mitigations that involve changes to the Android APIs that
incorrectly validate SSL certificates. However, these studies will reduce the frequency and severity of these vulnerabilities.
overlook onReceivedSslError as a method of incorrectly
validating SSL certificates and do not measure how freqently R EFERENCES
developers implement it unsafely. Our results are therefore [1] plus.google.com/+AdrianLudwig/posts/1md7ruEwBLF. Acessed: 2015-
orthogonal to these results and combine to demostrate that 1-28.
incorrect use of SSL is a widespread problem in Android apps. [2] About Apache Cordova. cordova.apache.org/#about. Accessed: 2015-
1-28.
Chen et al. [15] manually studied several popular OAuth
[3] Android 5.0 Behavior Changes. developer.android.com/about/versions/
providers for mobile apps and identified how the differences android-5.0-changes.html. Accessed: 2015-1-28.
between the mobile and browser environments can lead to [4] Android Browser Same Origin Policy Bypass.
OAuth vulnerabilities. One vulnerability they describe is how rafayhackingarticles.net/2014/08/android-browser-same-origin-
a leaky URL vulnerability can expose OAuth credentials to policy.html. Acessed: 2015-1-28.
malicious apps. Their work focuses specifically on OAuth and [5] Android Platform Versions. developer.android.com/about/dashboards/
does not consider the more general vulnerability class of leaky index.html. Accessed: 2015-1-28.
URLs or the broader vulnerability classes we consider. [6] Apktool. code.google.com/p/android-apktool. Accessed: 2014-2-14.
[7] Building Web Apps in WebView. developer.android.com/guide/
Several studies have explored exposed app components webapps/webview.html. Accessed: 2015-1-28.
as a mechanism to perform privilege escalation attacks in [8] PhoneGap. phonegap.com/about. Accessed: 2015-1-28.
Android. Davi et al. [18] first demonstrated that inter-app [9] Stack Exchange Data Dump. archive.org/details/stackexchange. Ac-
communication can leak privileged operations to other apps. cessed: 2015-1-28.
Grace et al. [22] and Lu et al. [24] built systems for identifying [10] WebView addJavascriptInterface Remote Code Execution.
apps that leak privileges. Felt et al. [20] proposed a mechanism labs.mwrinfosecurity.com/blog/2013/09/24/webview-
for preventing privilege leaks using IPC inspection, and Bugiel addjavascriptinterface-remote-code-execution. Accessed: 2015-1-28.
et al. [14] provided another solution to prevent privilege [11] BALL , T., AND H ORWITZ , S. Slicing Programs with Arbitrary Control-
leaks at the operating system level. The mechanism for these Flow. In Proceedings of the International Workshop on Automated and
vulnerabilities is similar to the mechanisms behind the exposed Algorithmic Debugging (1993).
POST request vulnerability but represent attacks on the mobile [12] BARTEL , A., K LEIN , J., L E T RAON , Y., AND M ONPERRUS , M.
Dexpler: Converting Android Dalvik Bytecode to Jimple for Static
device and its APIs instead of an attack on a mobile web Analysis with Soot. In Proceedings of the ACM SIGPLAN International
application. Workshop on State of the Art in Java Program Analysis (2012).
Other studies have explored different vulnerabilities in [13] BARTH , A., JACKSON , C., AND M ITCHELL , J. C. Securing Frame
Communication in Browsers.
mobile web apps than we study. Jin et al. [23] built a tool
[14] B UGIEL , S., DAVI , L., D MITRIENKO , A., F ISCHER , T., S ADEGHI , A.-
to analyze mobile web apps developed using PhoneGap for R., AND S HASTRY, B. Towards Taming Privilege-Escalation Attacks
an XSS-like vulnerability where untrusted data retrieved from on Android. In Proceedings of the 19th Symposium on Network and
channels like SMS and barcodes is used to construct scripts Distributed System Security (2012).
that are rendered in a WebView. Wang et al. [30] examined how [15] C HEN , E. Y., P EI , Y., C HEN , S., T IAN , Y., KOTCHER , R., AND
malicious web content can force inter-app communication and TAGUE , P. Oauth demystified for mobile application developers. In
exploit apps (whether they are mobile web apps or traditional Proceedings of the 21st ACM Conference on Computer and Communi-
cations Security (2014).
apps) that register custom URL patterns. This vulnerability can
[16] C HIN , E., F ELT, A. P., G REENWOOD , K., AND WAGNER , D. Ana-
be seen as the inverse of the leaky URL vulnerability, where lyzing Inter-Application Communication in Android. In Proceedings
a untrusted URL load is forced upon an app rather than a of the International Conference on Mobile Systems, Applications, and
trusted URL load leaking to an untrusted app. The authors Services (2011).
[17] C HIN , E., AND WAGNER , D. Bifocals: Analyzing WebView Vulnera-
bilities in Android Applications. In Proceedings of the International
Workshop on Information Security Applications (2013).
[18] DAVI , L., D MITRIENKO , A., S ADEGHI , A.-R., AND W INANDY, M.
Privilege Escalation Attacks on Android. In Proceedings of the 13th
Information Security Conference. 2010.
[19] FAHL , S., H ARBACH , M., M UDERS , T., BAUMG ÄRTNER , L.,
F REISLEBEN , B., AND S MITH , M. Why Eve and Mallory Love
Android: An Analysis of Android SSL (In)Security. In Proceedings of
the 19th ACM Conference on Computer and Communications Security
(2012).
[20] F ELT, A. P., WANG , H. J., M OSHCHUK , A., H ANNA , S., AND C HIN ,
E. Permission Re-Delegation: Attacks and Defenses. In Proceedings
of the 20th USENIX Security Symposium (2011).
[21] G EORGIEV, M., JANA , S., AND S HMATIKOV, V. Breaking and Fix-
ing Origin-Based Acces Control in Hybrid Web/Mobile Application
Frameworks. In Proceedings of the 21st Symposium on Network and
Distributed System Security (2014).
[22] G RACE , M., Z HOU , Y., WANG , Z., AND J IANG , X. Systematic
Detection of Capability Leaks in Stock Android Smartphones. In
Proceedings of the 19th Symposium on Network and Distributed System
Security (2012).
[23] J IN , X., H U , X., Y ING , K., D U , W., Y IN , H., AND P ERI , G. N.
Code injection attacks on html5-based mobile apps: Characterization,
detection and mitigation. In Proceedings of the 2014 ACM SIGSAC
Conference on Computer and Communications Security (2014).
[24] L U , L., L I , Z., W U , Z., L EE , W., AND J IANG , G. Chex: statically
vetting android apps for component hijacking vulnerabilities. In
Proceedings of the 2012 ACM Conference on Computer and Commu-
nications security (2012).
[25] L UO , T., H AO , H., D U , W., WANG , Y., AND Y IN , H. Atacks on
WebView in the Android System. In Proceedings of the 27th Computer
Security Applications Conference (2011).
[26] N IKIFORAKIS , N., I NVERNIZZI , L., K APRAVELOS , A., ACKER , S. V.,
J OOSEN , W., K RUEGEL , C., P IESSENS , F., AND V IGNA , G. You
Are What You Include: Large-scale Evaluation of Remote JavaScript
Inclusions. In Proceedings of the 19th ACM Conference on Computer
and Communications Security (2012).
[27] S OUNTHIRARAJ , D., S AHS , J., G REENWOOD , G., L IN , Z., AND
K HAN , L. Smv-hunter: Large scale, automated detection of ssl/tls man-
in-the-middle vulnerabilities in android apps. In Proceedings of the 19th
Symposium on Network and Distributed System Security (2014).
[28] T ENDULKAR , V., AND E NCK , W. An application package configuration
approach to mitigating android ssl vulnerabilities. In Mobile Security
Technologies (2014).
[29] VALL ÉE -R AI , R., C O , P., G AGNON , E., H ENDREN , L., L AM , P., AND
S UNDARESAN , V. Soot: A Java Bytecode Optimization Framework. In
Proceedings of the Conference of the Centre for Advanced Studies on
Collaborative Research (1999).
[30] WANG , R., X ING , L., WANG , X., AND C HEN , S. Unauthorized Origin
Crossing on Mobile Platforms: Threats and Mitigation. In Proceed-
ings of the 20th ACM Conference on Computer and Communications
Security (2013).
[31] W EISER , M. Program Slicing. In Proceedings of the 5th International
Conference on Software engineering (1981).