HTML5-based mobile applications (or apps) are built by using standard web technologies such as HTML5, JavaScript and CSS. Due to their cross-platform support, HTML5-based mobile apps are getting more and more popular. However, similar to traditional web apps, they are often vulnerable to script-injection attacks. It results in new threats to code integrity and data privacy. Compared to traditional web apps, HTML5-based mobile apps have more possible channels to inject code, e.g., contacts, SMS, files, NFC, and cameras. Even worse, the injected scripts may gain much more powerful privileges from the mobile apps than those in the traditional web apps.
In this paper, we propose an approach to detect injected behaviors in HTML5-based Android apps. Our approach monitors the execution of apps, and generates behavior state machines to describe the apps’ runtime behaviors based on the execution contexts of apps. Once code injection happens, the injected behaviors will be detected based on deviation from the behavior state machine of the original app. We prototyped our approach and evaluated its effectiveness using existing code injection examples. The result demonstrates that the proposed method is effective in code injection detection for real-world HTML5-based Android apps.
P.Albano, A.Castiglione, G.Cattaneo, G.De Maio and A.De Santis, On the construction of a false digital alibi on the Android OS, in: 2011 Third International Conference on Intelligent Networking and Collaborative Systems (INCoS), IEEE, 2011, pp. 685–690.
2.
P.Albano, A.Castiglione, G.Cattaneo and A.De Santis, A novel anti-forensics technique for the Android OS, in: 2011 International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA), IEEE, 2011, pp. 380–385.
3.
S.Anand, M.Naik, M.J.Harrold and H.Yang, Automated concolic testing of smartphone apps, in: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, ACM, 2012, Article No. 59.
4.
Android official site, available at: https://www.android.com/, January 2015.
5.
Appcelerator official site, available at: http://www.appcelerator.com/, February 2015.
6.
A.Armando, A.Merlo and L.Verderame, An empirical evaluation of the Android security framework, in: Security and Privacy Protection in Information Processing Systems, Springer, 2013, pp. 176–189.
7.
Bada official site, available at: www.bada.com, September 2014.
8.
D.Barrera, H.G.Kayacik, P.C.van Oorschot and A.Somayaji, A methodology for empirical analysis of permission-based security models and its application to Android, in: Proceedings of the 17th ACM Conference on Computer and Communications Security, ACM, 2010, pp. 73–84.
9.
Blackberry OS official site, available at: http://www.blackberry.com/, November 2014.
10.
S.Bugiel, L.Davi, A.Dmitrienko, T.Fischer and A.-R.Sadeghi, XManDroid: A new Android evolution to mitigate privilege escalation attacks, Technical Report TR-2011-04, Technische Universität Darmstadt, 2011.
11.
I.Burguera, U.Zurutuza and S.Nadjm-Tehrani, CrowDroid: Behavior-based malware detection system for Android, in: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, ACM, 2011, pp. 15–26.
12.
A.Castiglione, R.De Prisco and A.De Santis, Do you trust your phone? in: 10th International Conference, EC-Web 2009, September 2009, Springer.
13.
E.Chin, A.P.Felt, K.Greenwood and D.Wagner, Analyzing inter-application communication in Android, in: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, ACM, 2011, pp. 239–252.
14.
M.Christodorescu, S.Jha and C.Kruegel, Mining specifications of malicious behavior, in: Proceedings of the 1st India Software Engineering Conference, ACM, 2008, pp. 5–14.
15.
cordova-mega-demo, available at: https://play.google.com/store/apps/details?id=au.com.redata.android.demo, April 2015.
16.
L.Davi, A.Dmitrienko, A.-R.Sadeghi and M.Winandy, Privilege escalation attacks on Android, in: Information Security, Springer, 2011, pp. 346–360.
17.
W.Enck, P.Gilbert, S.Han, V.Tendulkar, B.-G.Chun, L.P.Cox, J.Jung, P.McDaniel and A.N.Sheth, TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones, ACM Transactions on Computer Systems (TOCS)32(2) (2014), Article No. 5.
18.
W.Enck, M.Ongtang and P.McDaniel, On lightweight mobile phone application certification, in: Proceedings of the 16th ACM Conference on Computer and Communications Security, ACM, 2009, pp. 235–245.
19.
A.Felt and D.Evans, Privacy protection for social networking APIs, in: 2008 Web 2.0 Security and Privacy (W2SP’08), 2008.
20.
A.P.Felt, E.Chin, S.Hanna, D.Song and D.Wagner, Android permissions demystified, in: Proceedings of the 18th ACM Conference on Computer and Communications Security, ACM, 2011, pp. 627–638.
21.
U.Fiore, F.Palmieri, A.Castiglione, V.Loia and A.De Santis, Multimedia-based battery drain attacks for Android devices, in: 2014 IEEE 11th Consumer Communications and Networking Conference (CCNC), IEEE, 2014, pp. 145–150.
D.Gallingani, R.Gjomemo, V.N.Venkatakrishnan and S.Zanero, Static detection and automatic exploitation of intent message vulnerabilities in Android applications.
24.
M.Georgiev, S.Jana and V.Shmatikov, Breaking and fixing origin-based access control in hybrid web/mobile application frameworks, in: NDSS Symposium, Vol. 2014, NIH Public Access, 2014, p. 1.
25.
GWT mobile PhoneGap showcase, available at: https://play.google.com/store/apps/details?id=com.gwtmobile.phonegap, August 2014.
26.
P.Hornyack, S.Han, J.Jung, S.Schechter and D.Wetherall, These aren’t the droids you’re looking for: Retrofitting Android to protect data from imperious applications, in: Proceedings of the 18th ACM Conference on Computer and Communications Security, ACM, 2011, pp. 639–652.
27.
iOS official site, available at: https://www.apple.com/ios/what-is/, November 2014.
28.
X.Jin, X.Hu, K.Ying, W.Du, H.Yin and G.N.Peri, Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation, in: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2014, pp. 66–77.
29.
X.Jin, T.Luo, D.G.Tsui and W.Du, Code injection attacks on HTML5-based mobile apps, arXiv preprint, 2014, available at: arXiv:1410.7756.
30.
X.Jin, L.Wang, T.Luo and W.Du, Fine-grained access control for HTML5-based mobile applications in Android, in: Proceedings of the 16th Information Security Conference (ISC), 2013.
31.
jQuery mobile official site, available at: http://jquerymobile.com/, March 2014.
32.
J.Jung, A.Sheth, B.Greenstein, D.Wetherall, G.Maganis and T.Kohno, Privacy oracle: A system for finding application leaks with black box differential testing, in: Proceedings of the 15th ACM Conference on Computer and Communications Security, ACM, 2008, pp. 279–288.
33.
M.Nauman, S.Khan and X.Zhang, Apex: Extending Android permission model and enforcement with user-defined runtime constraints, in: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ACM, 2010, pp. 328–332.
34.
PhoneGap demo, available at: https://play.google.com/store/apps/details?id=com.dreamappworld.android.phonegapdemo.free, September 2014.
35.
PhoneGapMega, available at: https://play.google.com/store/apps/details?id=com.camden.phonegapmega, June 2014.
36.
PhoneGap official site, available at: http://phonegap.com/, January 2015.
37.
PhoneGap on Wikipedia, available at: https://en.wikipedia.org/wiki/PhoneGap, June 2014.
38.
PRS Barcode Scanner, available at: https://play.google.com/store/apps/details?id=com.prs.barcodescanner, March 2015.
39.
RewardingYourself, available at: https://play.google.com/store/apps/details?id=com.loyaltymatch.rewardingyourself, May 2014.
40.
RhoMobile official site, available at: http://rhomobile.com/, April 2015.
41.
K.Rieck, T.Holz, C.Willems, P.Düssel and P.Laskov, Learning and classification of malware behavior, in: Detection of Intrusions and Malware, and Vulnerability Assessment, Springer, 2008, pp. 108–125.
42.
A.Shabtai, U.Kanonov, Y.Elovici, C.Glezer and Y.Weiss, “Andromaly”: A behavioral malware detection framework for Android devices, Journal of Intelligent Information Systems38(1) (2012), 161–190.
43.
Symbian OS official site, available at: http://www.symbian.net/, January 2014.
44.
Tizen official site, available at: https://www.tizen.org/, March 2014.
45.
TripCase, available at: https://play.google.com/store/apps/details?id=com.sabre.tripcase.android, February 2014.
46.
Ubuntu Touch official site, available at: http://www.ubuntu.com/phone, December 2014.
47.
UIWebView in iOS, available at: http://developer.android.com/reference/android/webkit/WebView.html, July 2014.
48.
Vulnerability types distributions in CVE, available at: https://cwe.mitre.org/documents/vuln-trends/index.html, March 2015.
49.
WebView in Android, available at: https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIWebView_Class/, October 2014.
50.
Wiki on LG webOS, available at: https://en.wikipedia.org/wiki/WebOS, January 2015.
51.
Wiki on the buffer overflow, available at: https://en.wikipedia.org/wiki/Buffer_overflow, October 2014.
52.
Wiki on the cross site scripting, available at: https://en.wikipedia.org/wiki/Cross-site_scripting#cite_note-9, February 2015, April 2015.
53.
Wiki on the same-origin policy, available at: https://en.wikipedia.org/wiki/Same-origin_policy, January 2015.
M.Zhang, Y.Duan, H.Yin and Z.Zhao, Semantics-aware Android malware classification using weighted contextual API dependency graphs, in: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2014, pp. 1105–1116.
56.
N.Zhang, K.Yuan, M.Naveed, X.Zhou and X.Wang, Leave me alone: App-level protection against runtime information gathering on Android, in: 2015 IEEE Symposium on Security and Privacy (SP), 2015, pp. 915–930.
57.
Y.Zhou, X.Zhang, X.Jiang and V.W.Freeh, Taming information-stealing smartphone applications (on Android), in: Trust and Trustworthy Computing, Springer, 2011, pp. 93–107.
