Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks

Martin Georgiev, S. Jana, Vitaly Shmatikov
NDSS Symposium 2014, pages 1-15. Published 2014-02-01. DOI: 10.14722/NDSS.2014.23323 (https://doi.org/10.14722/NDSS.2014.23323). Citation count: 95.

Abstract

Hybrid mobile applications (apps) combine the features of Web applications and "native" mobile apps. Like Web applications, they are implemented in portable, platform-independent languages such as HTML and JavaScript. Like native apps, they have direct access to local device resources: file system, location, camera, contacts, etc. Hybrid apps are typically developed using hybrid application frameworks such as PhoneGap. The purpose of the framework is twofold. First, it provides an embedded Web browser (for example, WebView on Android) that executes the app's Web code. Second, it supplies "bridges" that allow Web code to escape the browser and access local resources on the device. We analyze the software stack created by hybrid frameworks and demonstrate that it does not properly compose the access-control policies governing Web code and local code, respectively. Web code is governed by the same origin policy, whereas local code is governed by the access-control policy of the operating system (for example, user-granted permissions in Android). The bridges added by the framework to the browser have the same local access rights as the entire application, but are not correctly protected by the same origin policy. This opens the door to fracking attacks, which allow foreign-origin Web content included into a hybrid app (e.g., ads confined in iframes) to drill through the layers and directly access device resources. Fracking vulnerabilities are generic: they affect all hybrid frameworks, all embedded Web browsers, all bridge mechanisms, and all platforms on which these frameworks are deployed. We study the prevalence of fracking vulnerabilities in free Android apps based on the PhoneGap framework. Each vulnerability exposes sensitive local resources (the ability to read and write the contacts list, local files, etc.) to dozens of potentially malicious Web domains. We also analyze the defenses deployed by hybrid frameworks to prevent resource access by foreign-origin Web content and explain why they are ineffectual. We then present NoFrak, a capability-based defense against fracking attacks. NoFrak is platform-independent, compatible with any framework and embedded browser, requires no changes to the code of the existing hybrid apps, and does not break their advertising-supported business model.