Analyzing Android Browser Apps for file:// Vulnerabilities

  • Daoyuan Wu
  • Rocky K. C. Chang
Conference paper

DOI: 10.1007/978-3-319-13257-0_20

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8783)
Cite this paper as:
Wu D., Chang R.K.C. (2014) Analyzing Android Browser Apps for file:// Vulnerabilities. In: Chow S.S.M., Camenisch J., Hui L.C.K., Yiu S.M. (eds) Information Security. ISC 2014. Lecture Notes in Computer Science, vol 8783. Springer, Cham

Abstract

Securing browsers in mobile devices is very challenging, because these browser apps usually provide browsing services to other apps in the same device. A malicious app installed in a device can potentially obtain sensitive information through a browser app. In this paper, we identify four types of attacks in Android, collectively known as FileCross, that exploits the vulnerable file:// to obtain users’ private files, such as cookies, bookmarks, and browsing histories. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them are vulnerable to the attacks. Among them are the popular Firefox, Baidu and Maxthon browsers, and the more application-specific ones, including UC Browser HD for tablet users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these browsers further shows that 26 browsers (23%) expose their browsing interfaces unintentionally. In response to our reports, the developers concerned promptly patched their browsers by forbidding file:// access to private file zones, disabling JavaScript execution in file:// URLs, or even blocking external file:// URLs. We employ the same system to validate the ten patches received from the developers and find one still failing to block the vulnerability.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Daoyuan Wu
    • 1
  • Rocky K. C. Chang
    • 1
  1. 1.Department of ComputingThe Hong Kong Polytechnic UniversityHung HomHong Kong

Personalised recommendations