Wednesday, April 9, 2014

Dangerous Ways Computer Worms Are Spreading Among Smartphones, Apps Under A New Type of Attack

Scanning 2D barcodes, finding free Wi-Fi access points, sending SMS messages, listening to music, and watching MP4 videos: these are very common activities that we do using our smartphones. Can you imagine that simply doing these things can get your smartphone infected with "worms" that can not only steal personal information from your phone, but also infect your friends' phones?


Sounds scary? It will not be long before worms like this spread among smartphones. What makes the attacks feasible is an emerging technology called HTML5-based app development, which has been rapidly gaining popularity in the mobile industry. When the adoption of this technology reaches a certain threshold, attacks like this will become quite common, unless we do something to stop them. A recent Gartner report says that by 2016, fifty percent of mobile apps will be using HTML5-based technologies.

What platforms are affected?

All major mobile systems will be affected, including Android, iOS, Blackberry, Windows Phone, etc., because they all support HTML5-based mobile apps.

A notorious problem of HTML5-based technology is that malicious code can be easily injected into the program and get executed. That is why the Cross-Site Scripting (XSS) attack is still one of the most common attacks on the Web.

XSS attacks can only target web applications through a single channel (i.e. the Internet), but with the adoption of the same technology in mobile devices, we have found that a similar type of attack can not only be launched against mobile apps, it can also arrive through many channels, including 2D barcodes, Wi-Fi scanning, Bluetooth pairing, MP3 songs, MP4 videos, SMS messages, NFC tags, the Contact list, etc. As long as an HTML5-based app displays information obtained from outside or from another app, it may be a potential victim.

What Makes an App Vulnerable

First, the app must be based on HTML5 technology, i.e., its code (or part of its code) is written in JavaScript. If the app is written using the language native to the platform (e.g. Java for Android and Objective-C for iOS), it is immune to this type of attack.

Second, there should exist a channel for the app to receive data from outside. The data can come from outside the device (such as scanning a 2D barcode) or from another app on the same device (such as the Contact list).

Third, the app needs to display the information from outside. The choice of the APIs to display the information is critical. Some APIs are safe, but many of them are not.

How the Attack Works

The following video explains how the attack works. For full details, see their paper.

The following diagram depicts how the attack works.

External Data Channels

The following channels can be used by attackers to inject malicious JavaScript code into a victim's device:

ID channels:
    SSID field of Wi-Fi access points
    Device name of Bluetooth devices

Data channels unique to mobile:
    2D barcode such as QR code
    SMS messages
    Contents in NFC tags
    RDS fields of FM radio

Metadata channels (metadata fields in multimedia files):
    Image files such as JPEG
    Audio files such as MP3
    Video files such as MP4

Internal Data Channels

The following channels can be used by another app on the same device to inject malicious JavaScript code into a vulnerable HTML5-based app (our study was only conducted on Android; you should be able to find similar channels on other platforms):

Content Provider
User dictionary
Call Log
Browser history and bookmarks
Sync adapter
External storage

Unsafe JavaScript APIs

A number of JavaScript APIs can be used for displaying data. The following table shows whether they are safe against our attacks or not. It also shows the percentage of the apps (among 764 samples that we have studied) that use these APIs at least once. We have highlighted those that are popular and unsafe. An important observation is that the use of safe APIs is not common.
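
As an added example (not code from the study or from this page), the following line-based audit reports where app JavaScript writes to display sinks that parse their argument as HTML and where it writes to plain-text sinks. The two sink lists, the sample app code and the `ap.SSID` field are assumptions constructed for illustration, based on standard DOM and jQuery behaviour rather than on the study's table.

```javascript
// Added example: line-based audit of app JavaScript for display sinks.
// ASSUMPTION: the sink lists reflect standard DOM/jQuery behaviour
// (HTML-parsing vs plain-text writes); they are not the study's own table.
const HTML_SINKS = [
  ['innerHTML', /\.innerHTML\s*\+?=(?!=)/],
  ['outerHTML', /\.outerHTML\s*\+?=(?!=)/],
  ['insertAdjacentHTML', /\.insertAdjacentHTML\s*\(/],
  ['document.write', /\bdocument\.write(?:ln)?\s*\(/],
  ['jQuery html()', /\.html\s*\(\s*[^)\s]/], // html(arg) writes, html() reads
];
const TEXT_SINKS = [
  ['textContent', /\.textContent\s*\+?=(?!=)/],
  ['innerText', /\.innerText\s*\+?=(?!=)/],
  ['jQuery text()', /\.text\s*\(\s*[^)\s]/], // text(arg) writes, text() reads
];

// Returns one finding per (line, sink) pair; whole-line // comments are skipped.
function auditSource(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const code = text.trim();
    if (code.startsWith('//')) return;
    for (const [kind, sinks] of [['html', HTML_SINKS], ['text', TEXT_SINKS]]) {
      for (const [sink, re] of sinks) {
        if (re.test(code)) findings.push({ line: idx + 1, sink, kind, code });
      }
    }
  });
  return findings;
}

// Constructed sample: a hypothetical app that lists Wi-Fi scan results.
const SAMPLE_APP_JS = [
  'function showNetworks(list) {',
  '  list.forEach(function (ap) {',
  '    var row = document.createElement("li");',
  '    row.innerHTML = "Network: " + ap.SSID;',
  '    $("#status").html("Last seen: " + ap.SSID);',
  '    // row.innerHTML = ap.SSID;  (old code, commented out)',
  '    row.textContent = ap.SSID;',
  '    $("#last").text(ap.SSID);',
  '    if (row.innerHTML == "") { return; }',
  '  });',
  '}',
].join('\n');

for (const f of auditSource(SAMPLE_APP_JS)) {
  console.log(`line ${f.line}: ${f.sink} [${f.kind} sink] ${f.code}`);
}
```

Findings of kind `html` are the lines to review for values that can originate from one of the channels listed above; comparisons and reads such as `row.innerHTML == ""` are not reported.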

Frameworks Affected

PhoneGap is the most popular framework for HTML5-based app development, and our studies are mostly based on PhoneGap apps. There are other frameworks, such as RhoMobile, Appcelerator, etc. We have only tested several of them, and found them similarly vulnerable.

Framework: Vulnerable or Not?
PhoneGap: Vulnerable
MoSync: Vulnerable
RhoMobile: Vulnerable
Sencha Touch: Vulnerable
Quickconnect: Investigation in progress
Appcelerator: Investigation in progress
Mulberry: Investigation in progress
Flex: Investigation in progress
jQuery Mobile: Investigation in progress
Mojito: Investigation in progress

Want to read more?
How the Attack Works
Demonstration of the Attack
Guidelines for App Developers
Guidelines for Users

Contacts and sources:

Keith Kobland
Syracuse University
