Only a fraction of mobile apps are currently written in HTML5 – but
if 50 percent of applications are written in the markup language by
2016, as experts predict, then a whole lot of smartphones could soon be
at risk of a new Cross-Device Scripting (XDS) attack that researchers
have been investigating.
In the paper, “XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps,”Xing Jin, Tongbo Luo, Derek G. Tsui, and Wenliang Du, researchers with
Syracuse University, explore how anyone running vulnerable HTML5-based
apps on their smartphones – including iPhones, Blackberry’s and
Android-based devices – is at risk of malicious code injection.
Attackers can inject the malicious code through a number of different
commonly used channels, including Wi-Fi scanning, SMS messaging,
scanning of 2D barcodes, Bluetooth pairing, and even through the playing
of MP3 audio or MP4 videos, Du told SCMagazine.com on Monday.
So, if a compromised 2D barcode was scanned using an HTML5-based app,
then that app would be compromised. However, playing a compromised MP3
file in an app running in the device’s native programming language –
Android-based devices use JavaScript and iOS devices use Objective-C –
would result in no compromise.
The injection via Wi-Fi scanning is particularly interesting because
it does not require a user to connect to the attacker’s network, just to
locate it using a vulnerable HTML5-based app, Du said, explaining an
attacker can circumvent the 32 byte length limitation and inject more
effective malicious code by using multiple Wi-Fi access points.
Another particularly nasty element to the attack is that it will send
malicious code to contacts via SMS if granted access to a user’s
address book, Du said, explaining that any of those contacts running an
HTML5-based SMS app will become at risk of being compromised.
After injecting the malicious code, an attacker has access to just
about anything the compromised mobile application has access to, Du
said. Right now that may really only include access to SMS messages,
location data and address books, given the HTML5-based apps currently in
use, but that is bound to change as the programming language is more
widely adopted.
“HTML5 allows [developers] to write one version of code that can be
used across platforms,” Du said, explaining that the time-saving
technology has already proven attractive to developers and is being
taught in schools. “Today [it may not be as] relevant, but two years
from now, if many people have these kinds of [HTML5-based] apps, it’s
likely that this will spread, and that’s where the problems will come.”
Du could not reveal the name of one vulnerable app that he said has
been downloaded by more than a million users, but he explained that his
team has alerted the app developer of the HTML5 issues and that the
company is exploring a fix.
Meanwhile, the Syracuse University researchers are also still
exploring ways to mitigate this threat, Du said, but as of now, he
suggested using one of the safer application programming interfaces
(API) listed in the research as a good start.
Download the advisory : XDS attacks Advisory by Syracuse University Research Team
mSeclabs - Smartphones at risk of malicious code injection through HTML5-based apps | Mobile Security Research Labs
Posts
