Upload File

xing jin, tongbo luo, derek g. tsui, wenliang du department of electrical engineering & computer...

  • Home
  • Documents
  • Xing Jin, Tongbo Luo, Derek G. Tsui, Wenliang Du Department of Electrical Engineering & Computer Science Syracuse University
19
Code Injection Attacks on HTML5-based Mobile Apps Xing Jin, Tongbo Luo, Derek G. Tsui, Wenliang Du Department of Electrical Engineering & Computer Science Syracuse University .

Upload: esther-wragge

Post on 28-Mar-2015

228 views

Category:

Documents


0 download

Report

Tags:

TRANSCRIPT

  • Slide 1

Slide 2 Xing Jin, Tongbo Luo, Derek G. Tsui, Wenliang Du Department of Electrical Engineering & Computer Science Syracuse University. Slide 3 (a) (c) (b)(d) (g)(f)(e)(h) Slide 4 Outline BackGround Overview of HTML5-based Mobile App Overview of PhoneGap Architecture Risks in JavaScript Code Injection Attacks on HTML5-based mobile apps Overview of the Attack Channels of the Attack Examples (WIFI, NFC, MP3) Length limitation Real Vulnerable Cases Future Work Slide 5 Overview of HTML5-based Mobile App PhoneGap Device Accelerometer Camera Compass Contacts File Geolocation Notification WebView HTML CSS JavaScript X X addJavascriptInterface() Advantage: Can be easily ported between different platforms Slide 6 Overview of PhoneGap Architecture Slide 7 Risks in JavaScript Data and code can be mixed together. var text="Hello! alert('hello') "; document.write(text); Once it runs, the data will be displayed, and the JavaScript code will also be executed. Slide 8 Overview of the Attack Slide 9 3 1 2 Slide 10 Channels of XDS Attack ID Channels (WiFi, Bluetooth) Data Channels Unique to Mobile Devices (NFC, Barcode, SMS) Metadata Channels (MP3, MP4, Image) Slide 11 Example 1(WiFi) Non PhoneGap WiFi-Finder PhoneGap WiFi-Finder Slide 12 Example 2(NFC) Non PhoneGap NFC App PhoneGap NFC App Slide 13 Example 3(mp3) PhoneGap Mp3 App Non PhoneGap Mp3 App http://www.cis.syr.edu/~wedu/attack Slide 14 Length Limitation of Channels Slide 15 Overcome the limitation Use External JS files: ( will be filter out by innerHTML) Split JS code into pieces: (need to use jQuery) 1 2 3 4 5 Slide 16 Real vulnerable cases Downloaded 764 PhoneGap apps from Google Play Find several vulnerable apps satisfy two attack conditions: read external data from the channels that we have identified use vulnerable APIs or attributes to display information from the channels Slide 17 Real Vulnerable Cases Non PhoneGap App PhoneGap App Information sent to Sever Slide 18 Real vulnerable Cases The code injected in the QR codeSlide 19 Future Work Large Scale analysis of HTML5-based mobile apps Solution to address the attack Slide 20 Thanks! Q & A


Code Injection Attacks on HTML5-based Mobile Appswedu/Research/paper/xds_attack.pdf · Code Injection Attacks on HTML5-based Mobile Apps Xing Jin, Tongbo Luo, Derek G. Tsui, and Wenliang

WA TB7 Ava Tsui Wing Kwan - Assignment 2.docx

Chinese Odyssey Teacher’s Guide - Cheng & Tsui

KWAI CHUNG TSING YI «C ƒç · PDF fileSun Chuen YUEN CHAU KOK SHEUNG KWAI CHUNG Û¥X ... Ha Kok Tsui LAI PIK SHAN SZE PAK AU Sham Shui Kok TAI SHAN Sze Pak Tsui Hai Kam Tsui Wu

CHENG TSUI INTEGRATED HEALTH CENTER

Hasil Tsui 2012 Final

1 When Does Randomization Fail to Protect Privacy? Wenliang (Kevin) Du Department of EECS, Syracuse University

Wenliang Du Syracuse University Vicky Singh Syracuse University Hao Syracuse University

Designing Kong Kong: Tsim Sha Tsui terminus design illustrations

Cultural Dymensions (Tsui 2006)!!

 · Lap-Chee Tsui (le$), Francis ... SEPTEMBER 1989 the end, a collaborative ps of Tsui John Riordan at.orontds ... It was at that point that Tsui joined with Collins,

Ming Norman Tsui Portfolio

Week 2_Dr. Paul Tsui

Organizational Sustainability Final Presentation Team Members Andrew Gillespie, Bhavana Gupta, John Horstman, Tongbo Huang, Jared Pryor

Henry Tsui 2007 th Presentation Version 2.0

Chinese Measure Word diCtionary - Cheng & Tsui

Tai Kok Tsui Sports Centre - hongkonggames.hk · Table Tennis Competition Location Map of Competition Venue Tai Kok Tsui Sports Centre Address: 7/F, Tai Kok Tsui Municipal Services

1 Deriving Private Information from Randomized Data Zhengli Huang Wenliang (Kevin) Du Biao Chen Syracuse University

Sam Tsui Lady Gaga Medley - pisnicky-akordy.cz

Tsui CV Mar 2016 · Title Microsoft Word - Tsui CV Mar 2016.docx Created Date 3/19/2016 7:47:01 AM

Drug Induced Arrhythmia Dr. SH TSUI 15 June 2005

profolio of Andy Tsui

The service quality of Yuan-Tsui~ Final report

SOCIAL STUDIES Chinese History And Culture ... - Cheng & Tsui

My Story - Time Passing by: Ariel Tsui

Securing Wireless Sensor Networks Wenliang (Kevin) Du Department of Electrical Engineering and Computer Science Syracuse University

Thursday 21 January 2021, 14:00 – 15:00 CET...Heidelberg Cement Tongbo Sui Vice President of Sinoma International, DG Sinoma Research Institute Sinoma Dr. Tongbo SUI, born in November

Of the Hour - Alice Tsui

Grayscale Image Matting And Colorization Tongbo Chen, Yan Wang, Volker Schillings, Christoph Meinel FB IV-Informatik, University of Trier, Trier 54296,

Chinese Odyssey Volume 5 - Cheng & Tsui

E-Cath according to Tsui - newmedica.com.my · E-Cath, a joint development ... 2 Ip, Tsui, The catheter-over-needle assembly ... E-Cath according to Tsui Plexus anaesthesia The systems

MAR 3721 - Carlos Valdez - Tiffany Tsui

Organometallic Chemistry Introduction Paula Diaconescu TA: Wenliang Huang E-mail: [email protected]; [email protected]@[email protected]

Kuesioner TSUI 2014 S1

Convex Multitask Learning with Flexible Task Clusters Wenliang