Check whether your app has such a risk
To check whether your HTML5-based app is potentially vulnerable, please do the following:
- Do you display the data coming from those channels? What APIs are you using to display it? We have listed some safe and unsafe APIs in our paper; check whether the APIs you use are on the safe list or the unsafe list.
Use safe APIs to display information
- The safe APIs mostly display the text exactly as it is, so any format tags in the data are shown literally rather than being interpreted as formatting. This is the tradeoff you are making. If that is not what you want, you can try the filter approach.
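The following is an added example (not code from the original page or from the project) of the safe-API approach above, written for the JavaScript side of a PhoneGap/Cordova WebView. It assumes the untrusted value arrives as a string from some data channel (the sample string is constructed) and that the target is an ordinary DOM element; the unsafe sink is shown only for contrast, and the escaping helper is output encoding for template strings, not a tag-allowing filter.

```javascript
// Added example, not the project's code. Demonstrates the "safe API" approach:
// display untrusted data as text so that markup in it is shown, not executed.

// Constructed sample of untrusted data carrying markup and a script tag.
const UNTRUSTED_SAMPLE = 'Hello <b>world</b><script>alert(1)</script>';

// Safe sink: textContent never parses markup, so tags are shown literally.
// This is the tradeoff the section describes: no formatting, no injection.
function renderAsText(container, untrusted) {
  container.textContent = String(untrusted);
  return container.textContent;
}

// UNSAFE sink, shown only for contrast: innerHTML parses the string as HTML,
// so a <script> element or event-handler attribute in the data becomes app code.
function renderAsHtmlUnsafe(container, untrusted) {
  container.innerHTML = String(untrusted); // never do this with untrusted data
}

// When the data must be placed into an HTML template string (for example a
// list built with innerHTML), escape it first so it becomes inert text.
// This is output encoding, not a filter: no tag is allowed through.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Template helper: the untrusted value is only ever inserted escaped.
function renderListItemHtml(untrusted) {
  return '<li>' + escapeHtml(untrusted) + '</li>';
}

// Inverse of escapeHtml, used to check that the escaped form decodes back to
// the original text (i.e. the browser will show it, not interpret it).
function unescapeHtml(s) {
  return s.replace(/&amp;|&lt;|&gt;|&quot;|&#39;/g, (e) => ({
    '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'",
  })[e]);
}

// In a browser or WebView, render the sample safely; in Node there is no
// document, so only the pure helpers above are exercised.
if (typeof document !== 'undefined') {
  const out = document.createElement('div');
  renderAsText(out, UNTRUSTED_SAMPLE);
  document.body.appendChild(out);
}
```

Loaded in a WebView, the page shows the literal text `Hello <b>world</b><script>alert(1)</script>`, which is exactly the tradeoff the section describes: the bold tag is not applied, and the script does not run. The same guarantee holds for the template path only because every untrusted value passes through `escapeHtml` before reaching `innerHTML`.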
We do not recommend writing your own filter; the best approach is to use an existing one. Here are some resources about filters:
- OWASP AntiSamy Project: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc., that get persisted on the server.
- OWASP Enterprise Security API (ESAPI) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. ESAPI also provides AntiSamy's functionality.
- Coverity Security Library (CSL) is a lightweight set of escaping routines for fixing cross-site scripting (XSS), SQL injection, and other security defects in Java web applications.
- xssprotect is a Java library for filtering XSS attacks from user input fields.
- jsoup is a Java HTML parser library. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jQuery-like methods. It can also clean user-submitted content against a safe white-list, to prevent XSS attacks.
These filters are mostly for web applications (on the server side), not for HTML5-based mobile apps. We are still trying to find a good filter that can be used to defend against our attacks.
Vulnerable App List
We have implemented a static analysis tool to analyze 15,510 PhoneGap apps collected from the Android Market. The tool flagged 478 apps as vulnerable, with only a 2.30% false positive rate. The list of real vulnerable apps (467 apps) is provided here: vulnerable_app_list
Automatic Scanning Tools
We have implemented a prototype called NoInjection as a patch to the PhoneGap framework for Android. This implementation is transparent to plugins as well as to apps. App developers do need to download our revised PhoneGap library (cordova.jar) when compiling their code.
System-Wide Protection (In Progress)
We are also developing system-wide countermeasures to defeat the attack. This solution will protect not only PhoneGap apps but also all other HTML5-based mobile apps.