Javascript Injection in Android Applications (scg.unibe.ch/download/softwarecomposition/2019-05...)
The Problem The Hunt The Loot The End
Javascript Injection in Android Applications
Basil Schöni
Software Composition Group
Institute of Computer Science
University of Berne
28.05.19
Table of Contents
1 The Problem
2 The Hunt
3 The Loot
4 The End
Privacy Implications of Mobile Devices
Phones store a lot of sensitive data:
call history, messages, pictures, e-mails
location, speed, position, audio, video
shopping, banking, medical
What Is a WebView?
WebViews allow developers to build hybrid apps.
Basically a browser engine that renders webpages
Comfortable way to build OS-agnostic applications
Sandboxed. Possible to define bridges to native app code
Mixing of data and code
What Is Cross Site Scripting?
Cross Site Scripting is an important security risk for web applications.
There is some attacker-controllable data input
The data does not get sanitized
The data is made part of an HTML document that is displayed to the user
Pipeline
Getting the data:
1 Download random APKs from AndroZoo
    a Selection based on metadata that was filtered by categories
2 Decompile APKs
    a Throw out apps that decompiled with errors
    b Throw out apps without 'dangerous' permissions
3 Run analyzer script against decompiled apps
    a Find HTML and JS files
    b Check filenames against blacklist
    c Build AST from JavaScript code
    d Find search terms in AST
    e Put matching code slices in JSON file
4 Delete apps without matches
Analyzing the data:
1 Go through resulting json file
2 Find promising code slices while ignoring noise
3 Follow data from sink to source
4 Find out if source is attacker controllable
5 Confirm vulnerability by exploiting it
Search Terms
I concentrated on finding sinks, rather than sources.
DOM API sinks
    elem.innerHTML = data
    document.write(data)
    ...
jQuery sinks
    $(selector).html(data)
    $(selector).append(data)
    ...
DOM API sources
    localStorage.getItem(key)
    document.referrer
    ...
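The analyzer step of the pipeline (find HTML and JS files, check filenames against a blacklist, search for sink terms, emit matching code slices as JSON) can be sketched as follows. This is an added example, not the analyzer used in the talk: it swaps the AST for a simpler token-level scan that masks comments and string literals, and the blacklist patterns, the sample files and the inclusion of `.prepend()` are assumptions.

```javascript
// Added example: a token-level approximation of pipeline step 3, not the
// original analyzer. Blacklist patterns and SAMPLE_APP are constructed.
const FILENAME_BLACKLIST = [/(^|\/)jquery[^\/]*\.js$/i, /\.min\.js$/i];

// Sinks from the "Search Terms" slide, plus .prepend() as a sibling of .append().
const SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*\+?=(?!=)/g },
  { name: 'document.write', re: /\bdocument\.write(?:ln)?\s*\(/g },
  { name: 'jquery.html', re: /\.html\s*\((?!\s*\))/g }, // bare .html() is a getter
  { name: 'jquery.append', re: /\.(?:append|prepend)\s*\(/g },
];

// After masking, a literal is quotes around blanks; a sink fed by one literal is noise.
const CONSTANT_ARG = /^\s*(["'])\s*\1\s*[);\n]/;

// Blank out comments and string contents, keeping offsets and newlines. Unlike
// a real parser, this does not understand regex literals or template expressions.
function maskCommentsAndStrings(src) {
  let out = '', i = 0;
  const blank = (ch) => (ch === '\n' ? '\n' : ' ');
  while (i < src.length) {
    const c = src[i];
    if (c === '/' && src[i + 1] === '/') {
      while (i < src.length && src[i] !== '\n') { out += ' '; i++; }
    } else if (c === '/' && src[i + 1] === '*') {
      const end = src.indexOf('*/', i + 2);
      const stop = end === -1 ? src.length : end + 2;
      while (i < stop) out += blank(src[i++]);
    } else if (c === '"' || c === "'" || c === '`') {
      out += c; i++;
      while (i < src.length && src[i] !== c) {
        if (src[i] === '\\') out += blank(src[i++]); // escaped char: skip the pair
        if (i < src.length) out += blank(src[i++]);
      }
      if (i < src.length) { out += c; i++; }
    } else { out += c; i++; }
  }
  return out;
}

// For HTML keep only inline <script> bodies; the rest becomes blanks so line numbers hold.
function scriptOnly(html) {
  const out = html.replace(/[^\n]/g, ' ').split('');
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const start = m.index + m[0].indexOf('>') + 1;
    for (let k = 0; k < m[1].length; k++) out[start + k] = html[start + k];
  }
  return out.join('');
}

function scanSource(file, src) {
  const masked = maskCommentsAndStrings(src);
  const lines = src.split('\n');
  const hits = [];
  for (const { name, re } of SINKS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(masked)) !== null) {
      if (CONSTANT_ARG.test(masked.slice(m.index + m[0].length))) continue;
      const line = masked.slice(0, m.index).split('\n').length;
      hits.push({ file, line, sink: name, code: lines[line - 1].trim() });
    }
  }
  return hits.sort((a, b) => a.line - b.line);
}

function analyze(files) {
  const report = [];
  for (const [file, content] of Object.entries(files)) {
    if (!/\.(js|html?)$/i.test(file)) continue; // a: HTML and JS files only
    if (FILENAME_BLACKLIST.some((re) => re.test(file))) continue; // b: known libraries
    const src = /\.html?$/i.test(file) ? scriptOnly(content) : content;
    report.push(...scanSource(file, src)); // c-d: search, approximated without an AST
  }
  return report; // e: serialise with JSON.stringify(report)
}

// Constructed sample of a decompiled app's assets.
const SAMPLE_APP = {
  'assets/www/js/jquery-1.9.1.min.js': 'a.innerHTML=b;',
  'assets/www/js/notes.js': [
    '// old: el.innerHTML = note;',
    'function show(note) {',
    "  $('#title').html('<b>Notes</b>');",
    "  var hint = 'use document.write(x) sparingly';",
    "  $('#box').html('<p>' + note + '</p>');",
    '}',
  ].join('\n'),
  'assets/www/index.html': [
    '<html><body><div id="out"></div>',
    '<script>',
    '  document.getElementById("out").innerHTML = localStorage.getItem("name");',
    '</script></body></html>',
  ].join('\n'),
};
console.log(JSON.stringify(analyze(SAMPLE_APP), null, 2));
```

Each reported slice is only a candidate: whether the data reaching the sink is attacker controllable still has to be traced by hand, as the analysis steps above describe.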
Challenges
Along the way, there were some challenges:
Using the proper tools
Filtering out the noise
Practically confirming vulnerabilities
Marine Pollution App
Marine Pollution Protection Pocket Checklist
Application that helps you comply with maritime laws
10’000+ installs
read/write storage, record audio/video, internet, network state, phone state
Sink

    function updateQuestionNote(qnum, qnid, qnnote) {
        // qnnote is concatenated into markup without sanitization
        str = '<p class="notesbox">' + qnnote + '</p>';
        $('#mqn' + qnid).html(str);
        $('#tqn' + qnid).html(str);
    }

Source

    // The note text comes straight from the form field
    $('#qnotesave').click(function (e) {
        saveQuestionNote($('#notesform #qnotes').val());
        return false;
    });
Car Insurance App
Ing & McKee App
Application that helps you manage your insurance policy and make insurance claims
100+ installs
write to storage, coarse/fine location, internet, network state
Sink
function updateDrivers(tx, results) {
    driverHTML += results(i).firstName;
    $("#allDrivers").prepend(driverHTML);
}
Source
function updateToLatestDrivers() {
    notesDB.transaction(function (tx) {
        tx.executeSql('SELECT * FROM otherDrivers where NoteID = ?', [id], updateDrivers);
    })
}
Wikipedia App
Wikipedia
Application that allows you to access and edit Wikipedia
10’000’000+ installs
write to storage, fine location, get/authenticate/manage accounts, internet, network state, ...
Sink
bridge.registerListener(
    "displayLeadSection",
    function( payload ) {
        var content = document.createElement( "div" );
        content.innerHTML = payload.section.text;
        document.getElementById( "content" )
            .appendChild( content );
    }
);
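The three sinks in this deck (`.html()`, `.prepend()` and `innerHTML`) share one shape: a non-constant expression written into the DOM as markup. The following line-based scan flags that shape during code review; it is an added example, not the author's tool, and `findHtmlSinks`, `isStringLiteral` and the sample lines beyond the three taken from the slides are constructed here.

```javascript
// Added example: a line-based scan for the HTML sinks shown in this deck.
const SINK_PATTERNS = [
  { name: 'jQuery .html()', re: /\.html\(\s*([^)]*)\)/ },
  { name: 'jQuery .prepend()', re: /\.prepend\(\s*([^)]*)\)/ },
  { name: 'innerHTML', re: /\.innerHTML\s*=\s*([^;]+)/ },
];

// A single quoted string with no concatenation is treated as constant markup.
function isStringLiteral(expr) {
  return /^(['"])(?:\\.|(?!\1)[^\\])*\1$/.test(expr.trim());
}

// Return one finding per sink call whose argument is not a constant string.
function findHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const { name, re } of SINK_PATTERNS) {
      const match = re.exec(text);
      if (!match) continue;
      const arg = match[1].trim();
      // .html() with no argument is a getter, not a sink.
      if (arg === '' || isStringLiteral(arg)) continue;
      findings.push({ line: index + 1, sink: name, argument: arg });
    }
  });
  return findings;
}

// Constructed sample: the three sink lines from the slides, then two
// constructed lines (constant markup, getter) that must not be flagged.
const SAMPLE = [
  "$('#mqn' + qnid).html(str)",
  '$("#allDrivers").prepend(driverHTML);',
  'content.innerHTML = payload.section.text;',
  "$('#banner').html('<b>Saved</b>');",
  "var current = $('#notes').html();",
].join('\n');
```

The scan is deliberately shallow: it misses calls split across lines and arguments that contain `)`. A finding marks a place to trace the argument back to its source, not a confirmed vulnerability.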
What To Do Next
What I want to do next:
Find more useful vectors for injecting the code
Confirm / reject vulnerability in Wikipedia app
Report findings
Automate the detection of injection vulnerabilities
Thank You for Your Attention.
Questions?