ISC 2014: Information Security pp 345-363 | Cite as
Analyzing Android Browser Apps for file:// Vulnerabilities
Abstract
Securing browsers in mobile devices is very challenging, because these browser apps usually provide browsing services to other apps in the same device. A malicious app installed in a device can potentially obtain sensitive information through a browser app. In this paper, we identify four types of attacks in Android, collectively known as FileCross, that exploits the vulnerable file:// to obtain users’ private files, such as cookies, bookmarks, and browsing histories. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them are vulnerable to the attacks. Among them are the popular Firefox, Baidu and Maxthon browsers, and the more application-specific ones, including UC Browser HD for tablet users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these browsers further shows that 26 browsers (23%) expose their browsing interfaces unintentionally. In response to our reports, the developers concerned promptly patched their browsers by forbidding file:// access to private file zones, disabling JavaScript execution in file:// URLs, or even blocking external file:// URLs. We employ the same system to validate the ten patches received from the developers and find one still failing to block the vulnerability.
Keywords
External File Custom Engine Symbolic Link Concolic Testing Android VersionPreview
Unable to display preview. Download preview PDF.
References
- 1.Mozilla: Same-origin policy, https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
- 2.Terada, T.: Chrome for Android download function information disclosure, https://code.google.com/p/chromium/issues/detail?id=144820
- 3.Terada, T.: Chrome for Android bypassing SOP for local files by symlinks, https://code.google.com/p/chromium/issues/detail?id=144866
- 4.Terada, T.: Mfsa 2013-84: Same-origin bypass through symbolic links, http://www.mozilla.org/security/announce/2013/mfsa2013-84.html
- 5.W3C: Xmlhttprequest, http://www.w3.org/TR/XMLHttpRequest/
- 6.Android: Category browsable, http://developer.android.com/reference/android/content/Intent.html#CATEGORY_BROWSABLE
- 7.Android: Intents and Intent Filters, http://developer.android.com/guide/components/intents-filters.html
- 8.Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in Android. In: Proc. ACM MobiSys (2011)Google Scholar
- 9.Android: MonkeyRunner, http://developer.android.com/tools/help/monkeyrunner_concepts.html
- 10.Sounthiraraj, D., Sahs, J., Greenwood, G., Lin, Z., Khan, L.: SMV-Hunter: Large scale, automated detection of SSL/TLS man-in-the-middle vulnerabilities in Android apps. In: Proc. ISOC NDSS (2014)Google Scholar
- 11.Wu, D., Chang, R.: Analyzing Android browser apps for file: vulnerabilities (Technical Report) (2014), http://arxiv.org/abs/1404.4553
- 12.Selenium: Selenium - web browser automation, http://docs.seleniumhq.org/
- 13.Rastogi, V., Chen, Y., Enck, W.: AppsPlayground: Automatic security analysis of smartphone applications. In: Proc. ACM CODASPY (2013)Google Scholar
- 14.Dai, S., Tongaonkar, A., Wang, X., Nucci, A., Song, D.: Networkprofiler: Towards automatic fingerprinting of Android apps. In: Proc. IEEE INFOCOM (2013)Google Scholar
- 15.Anand, S., Naik, M., Harrold, M., Yang, H.: Automated concolic testing of smartphone apps. In: Proc. ACM FSE (2012)Google Scholar
- 16.Machiry, A., Tahiliani, R., Naik, M.: Dynodroid: An input generation system for Android apps. In: Proc. ACM FSE (2013)Google Scholar
- 17.Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on webview in the Android system. In: Proc. ACM ACSAC (2011)Google Scholar
- 18.Chin, E., Wagner, D.: Bifocals: Analyzing webView vulnerabilities in Android applications. In: Kim, Y., Lee, H., Perrig, A. (eds.) WISA 2013. LNCS, vol. 8267, pp. 129–146. Springer, Heidelberg (2014)CrossRefGoogle Scholar
- 19.Georgiev, M., Jana, S., Shmatikov, V.: Breaking and fixing origin-based access control in hybrid web/mobile application frameworks. In: Proc. ISOC NDSS (2014)Google Scholar
- 20.Grace, M., Zhou, Y., Wang, Z., Jiang, X.: Systematic detection of capability leaks in stock Android smartphones. In: Proc. ISOC NDSS (2012)Google Scholar
- 21.Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G.: CHEX: Statically vetting Android apps for component hijacking vulnerabilities. In: Proc. ACM CCS (2012)Google Scholar
- 22.Zhou, Y., Jiang, X.: Detecting passive content leaks and pollution in Android applications. In: Proc. ISOC NDSS (2013)Google Scholar
- 23.Octeau, D., McDaniel, P., Jha, S., Bartel, A., Bodden, E., Klein, J., Traon, Y.: Effective inter-component communication mapping in Android with Epicc: An essential step towards holistic security analysis. In: Proc. Usenix Security (2013)Google Scholar
- 24.Wu, L., Grace, M., Zhou, Y., Wu, C., Jiang, X.: The impact of vendor customizations on Android security. In: Proc. ACM CCS (2013)Google Scholar
- 25.Wang, R., Xing, L., Wang, X., Chen, S.: Unauthorized origin crossing on mobile platforms: Threats and mitigation. In: Proc. ACM CCS (2013)Google Scholar
- 26.Terada, T.: Facebook for Android - information diclosure vulnerability, http://seclists.org/bugtraq/2013/Jan/27
- 27.Azim, T., Neamtiu, I.: Targeted and depth-first exploration for systematic testing of Android apps. In: Proc. ACM OOPSLA (2013)Google Scholar
- 28.Choi, W., Necula, G., Sen, K.: Guided GUI testing of Android apps with minimal restart and approximate learning. In: Proc. ACM OOPSLA (2013)Google Scholar
- 29.Hao, S., Liu, B., Nath, S., Halfond, W., Govindan, R.: PUMA: Programmable UI-automation for large scale dynamic analysis of mobile apps. In: Proc. ACM MobiSys (2014)Google Scholar