
    When Web Meets Mobile: Novel Security Threats and Defenses in Web/Mobile Hybrid Apps

    Nowadays, mobile app developers enjoy the benefits of the amalgamation of web and mobile platforms. Developers can easily and smoothly integrate all sorts of web services into their mobile apps by embedding a browser-like UI component, called "WebView", which can render web content and run JavaScript code within mobile apps (called hybrid apps for convenience). WebView is easy to use and popular: a recent study showed that ~80% of Android apps use WebView. WebView is also as powerful as regular browsers (e.g., Chrome/Chromium) and supports web features and behaviors well. In regular browsers, there exist several sensitive web behaviors that are often the root cause of critical security issues. In past years, they have been well studied, and a variety of mature defense solutions have been deployed. However, these sensitive web behaviors are seldom understood and scrutinized in WebView, which provides a totally new working environment. Unlike regular browsers, WebView gives mobile developers the freedom to customize their WebView instances through several unique programming features. For example, WebView allows mobile code to control and customize web behaviors through WebView setting and event handler APIs. Considering that these WebView features may heavily impact the above sensitive web behaviors, it is unclear whether the corresponding defense solutions are still effective in WebView. Motivated by the above security concerns, in this dissertation we conduct a systematic security study of several sensitive web behaviors (e.g., web events, web messaging, and the utilization of iframes and popups) in WebView on the Android platform, which is open and the biggest mobile operating system (OS). As a consequence, we discover several novel security vulnerabilities and fundamental design flaws. To demonstrate the security implications, we devise several concrete attacks.
    Through these attacks, untrusted code (e.g., ads) loaded in WebView can open holes in existing defense solutions and obtain risky privileges and abilities, such as stealing users' private data (e.g., GPS location), accessing sensitive hardware (e.g., microphone) without authorization, and performing phishing attacks. Then, we study and assess the security impact of these issues on real-world hybrid apps. For this purpose, we develop novel tools that automatically apply program analysis techniques to vet Android apps. By analyzing a large number of the most popular apps collected from the official Android marketplace, we find that the vulnerabilities are prevalent. Many high-profile apps are verified to be impacted, such as Facebook, Instagram, Facebook Messenger, Google News, Skype, Uber, Yelp, and U.S. Bank. To mitigate these security issues at the root, we design multi-level defense solutions that enhance the security of WebView. Our evaluation on real-world apps shows that our mitigation solutions are effective and scalable, with negligible overhead.

    BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews

    A Webview embeds a full-fledged browser in a mobile application and allows the application to expose a custom interface to JavaScript code. This is a popular technique for building so-called hybrid applications, but it circumvents the usual security model of the browser: any malicious JavaScript code injected into the Webview gains access to the interface and can use it to manipulate the device or exfiltrate sensitive data. In this paper, we present an approach to systematically evaluate the possible impact of code injection attacks against Webviews using static information flow analysis. Our key idea is that we can make reasoning about JavaScript semantics unnecessary by instrumenting the application with a model of possible attacker behavior, the BabelView. We evaluate our approach on 11,648 apps from various Android marketplaces, finding 2,677 vulnerabilities in 1,663 apps. Taken together, the apps reported as vulnerable have over 835 million installations worldwide. We manually validated a random sample of 66 apps and estimate that our fully automated analysis achieves a precision of 90% at a recall of 66%.

    Stronger secrecy for network-facing applications through privilege reduction

    Despite significant effort in improving software quality, vulnerabilities and bugs persist in applications. Attackers remotely exploit vulnerabilities in network-facing applications and then disclose and corrupt the users' sensitive information that these applications process. Reducing the privilege of application components helps to limit the harm that an attacker may cause if she exploits an application. Privilege reduction, i.e., the Principle of Least Privilege, is a fundamental technique that allows one to contain possible exploits of error-prone software components: it entails granting a software component the minimal privilege that it needs to operate. Applying this principle ensures that sensitive data is given only to those software components that indeed require processing such data. This thesis explores how to reduce the privilege of network-facing applications to provide stronger confidentiality and integrity guarantees for sensitive data. First, we look into applying privilege reduction to cryptographic protocol implementations. We address the vital and largely unexamined problem of how to structure implementations of cryptographic protocols so that they protect sensitive data even when an attacker compromises untrusted components of the implementation. As evidence that the problem is poorly understood, we identified two attacks which succeed in disclosing sensitive data in two state-of-the-art, exploit-resistant cryptographic protocol implementations: the privilege-separated OpenSSH server and the HiStar/DStar DIFC-based SSL web server. We propose practical, general, system-independent principles for structuring protocol implementations to defend against these two attacks. We apply our principles to protect sensitive data from disclosure in the implementations of both the server and client sides of OpenSSH and of the OpenSSL library.
    Next, we explore how to reduce the privilege of language runtimes, e.g., the JavaScript language runtime, so as to minimize the risk of their compromise, and thus of the disclosure and corruption of sensitive information. Modern language runtimes are complex software involving such advanced techniques as just-in-time compilation, native-code support routines, garbage collection, and dynamic runtime optimizations. This complexity makes it hard to guarantee the safety of language runtimes, as evidenced by how frequently vulnerabilities are discovered in them. We provide new mechanisms that allow sandboxing language runtimes using Software-based Fault Isolation (SFI). In particular, we enable sandboxing of runtime code modification, which modern language runtimes depend on heavily to achieve high performance. We have applied our sandboxing techniques to the V8 JavaScript engine on both the x86-32 and x86-64 architectures, and found that the techniques incur only moderate performance overhead. Finally, we apply privilege reduction within the web browser to secure sensitive data within web applications. Web browsers have become an attractive target for attackers because of their widespread use. There are two principal threats to a user's sensitive data in the browser environment: untrusted third-party extensions and untrusted web pages. Extensions execute with elevated privilege, which allows them to read content within all web applications. Thus, a malicious extension author may write extension code that reads sensitive page content and sends it to a remote server he controls. Alternatively, a malicious page author may exploit an honest but buggy extension, thus leveraging its elevated privilege to disclose sensitive information from other origins. We propose enforcing privilege reduction policies on extension JavaScript code to protect web applications' sensitive data from malicious extensions and malicious pages.
    We designed ScriptPolice, a policy system for the Chrome browser's V8 JavaScript language runtime, to enforce flexible security policies on JavaScript execution. We restrict the privileges of a variety of extensions and contain any malicious activity, whether introduced by design or injected by a malicious page. The overhead ScriptPolice incurs on extension execution is acceptable: the added page load latency caused by ScriptPolice is so short as to be virtually indistinguishable by users.