Web-to-Application Injection Attacks on Android: Characterization and Detection
Abstract. Vulnerable Android applications (or apps) are traditionally exploited via malicious apps. In this paper, we study an underexplored class of Android attacks which do not require the user to install malicious apps, but merely to visit a malicious website in an Android browser. We call them web-to-app injection (or W2AI) attacks, and distinguish between different categories of W2AI side-effects. To estimate their prevalence, we present an automated W2AIScanner to find and confirm W2AI vulnerabilities. We analyze real apps from the official Google Play store and find 286 confirmed vulnerabilities in 134 distinct applications. These findings suggest that these attacks are pervasive and that developers do not adequately protect apps against them. Our tool employs a novel combination of static analysis, symbolic execution and dynamic testing. We show experimentally that this design significantly enhances the detection accuracy compared with an existing state-of-the-art analysis.
1 Introduction
In this paper, we present a detailed study of an underexplored class of application vulnerabilities on Android that a malicious web attacker can exploit. It can be a significant threat, as the remote attacker has full control over the web-to-app communication channel and no malicious apps are needed on the device. A successful attack can exploit web APIs (WebView) and native APIs on Android.

The Android platform provides a web-to-app communication bridge which enables web-to-app interaction. The bridge allows installed applications to be invoked directly from websites. This feature has many benign uses. It is used by many popular applications on the official Google App Store, e.g., the Google Maps app can seamlessly switch to the Phone app when phone numbers of businesses displayed on Google Maps are clicked, without explicitly starting the Phone app. The web-to-app bridge exposes Android apps to unvetted websites when the user visits them in a browser. Without proper sanitization of the URI or the “extra parameters” derived from the URI, a vulnerable app ends up using these values to start a malicious web page in a WebView or abuse Android native APIs.

This work has been supported in part by Huawei. © Springer International Publishing Switzerland 2015. B. Hassanshahi et al., in G. Pernul et al. (Eds.): ESORICS 2015, Part II, LNCS 9327, pp. 577–598, 2015. DOI: 10.1007/978-3-319-24177-7_29

While it is known that the web-to-app bridge can lead to vulnerabilities [34], in this work we study whether existing apps are susceptible to attacks from this channel in any significant way, and if so, to what extent. We systematically study and classify attacks which we call Web-to-App Injection (W2AI). Web-to-App Injection attacks are different from other recently disclosed vulnerabilities. Such vulnerabilities arise either in the implementations of hybrid mobile application frameworks, or in application code written on top of such frameworks which access external device interfaces (e.g. came
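The missing sanitization described in the introduction, shown from the app developer's side as an added example (not code from the paper or from W2AIScanner). The activity name `LinkActivity`, the extra name `url` and the allowlisted hosts are hypothetical, and the activity is assumed to be reachable from a browser through a BROWSABLE intent filter.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Hypothetical browser-reachable activity that renders a page named by the caller.
public class LinkActivity extends Activity {
    // Assumption: the only hosts this app ever needs to display.
    private static final List<String> ALLOWED_HOSTS =
            Arrays.asList("www.example.com", "help.example.com");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Unsanitized pattern the text warns about: a value chosen by the
        // website goes straight into the WebView.
        //   webView.loadUrl(getIntent().getStringExtra("url"));
        Uri target = validatedTarget(getIntent());
        if (target == null) {
            finish();   // reject; do not fall back to loading anything
            return;
        }
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(false);
        webView.getSettings().setAllowFileAccess(false);
        setContentView(webView);
        webView.loadUrl(target.toString());
    }

    // Returns the URI to load, or null when the intent-supplied value is not trusted.
    static Uri validatedTarget(Intent intent) {
        String raw = intent == null ? null : intent.getStringExtra("url");
        // URL parsers disagree on backslashes, so refuse them outright.
        if (raw == null || raw.indexOf('\\') >= 0) return null;
        Uri uri = Uri.parse(raw);
        if (!uri.isHierarchical() || !"https".equalsIgnoreCase(uri.getScheme())) return null;
        if (uri.getUserInfo() != null) return null;   // no user@host forms
        String host = uri.getHost();
        if (host == null) return null;
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT)) ? uri : null;
    }
}
```

The same allowlist-or-reject check applies to the intent's data URI (`getIntent().getData()`) and to any other extra that later reaches a WebView or a native API.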