Check whether your app has such a risk

To check whether your HTML5-based app is potentially vulnerable, please do the following:

  • Does your app get data from any of the channels described in our paper? If so, do you have any filter that removes potential JavaScript code from the data?
  • Do you display the data coming from those channels? Which APIs are you using to display it? We have listed some safe and unsafe APIs in our paper; check whether your APIs are on the safe list or the unsafe list.

Use safe APIs to display information

If you need to display information coming from untrusted places, make sure you use safe JavaScript APIs to display it. Check the list in our paper.

  • The safe APIs mostly display the text as it is, so any format tags in the data will also be displayed literally, rather than being used to format the text. This is the tradeoff you are making. If that is not acceptable, you can try the filter approach.
  • If the APIs you want to use are on neither the safe nor the unsafe list, you need to read their documentation and see whether the APIs can execute code embedded in the data to be displayed. If you are not sure, do some testing by intentionally feeding some JavaScript code into your APIs and checking whether the code gets executed. You can use the sample code that we provided in the paper. Note that we have listed two ways to inject JavaScript code; make sure you test both, because some APIs are safe against one method and unsafe against the other.
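The tradeoff above in working code, as an added example that is not from the paper or its tools: untrusted data shown through a safe API (textContent) keeps its markup as literal text, while an innerHTML-style sink only stays safe if the data is escaped first. The fake element and the sample string are constructed so the example runs outside a browser.

```javascript
// Added example (not the paper's code): displaying untrusted data safely.
// Characters that can open a tag, attribute, or entity in an HTML context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Turn untrusted data into text that an HTML parser will never treat as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Display untrusted data in an element. textContent is a safe API: the browser
// never parses the string as HTML, so tags in the data are shown literally.
// innerHTML is an unsafe sink; it is only used here after escaping the data.
function displayUntrusted(element, untrusted, { useInnerHtml = false } = {}) {
  if (!useInnerHtml) {
    element.textContent = String(untrusted);   // safe: data stays data
  } else {
    element.innerHTML = escapeHtml(untrusted); // unsafe sink, made safe by escaping
  }
  return element;
}

// Constructed stand-in for a DOM element so the example runs under Node.
function fakeElement() {
  return { textContent: '', innerHTML: '' };
}

// Constructed sample: a string an app might receive from an untrusted channel.
// It carries a format tag and an ampersand, which is enough to show the tradeoff.
const SAMPLE = 'Free WiFi <b>here</b> & more';

// Returns what each display path would hand to the renderer.
function demo() {
  const viaText = displayUntrusted(fakeElement(), SAMPLE);
  const viaHtml = displayUntrusted(fakeElement(), SAMPLE, { useInnerHtml: true });
  return { viaTextContent: viaText.textContent, viaInnerHtml: viaHtml.innerHTML };
}
```

In a real page both paths render the same visible text, with the `<b>` tags shown rather than applied; the unescaped string assigned to innerHTML would instead be parsed as markup.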

Apply filters

If, for some reason, you have to use unsafe APIs to display untrusted information, you need to apply filters to the data and filter out the JavaScript code embedded in it. Writing such a filter is quite challenging. In our attacks, we have only shown two ways to embed code in data; there are actually many more. See the XSS Filter Evasion Cheat Sheet for details.

We do not recommend writing your own filters. The best way is to use an existing filter. Here are some resources about filters:

  • OWASP AntiSamy Project: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc., that get persisted on the server.
  • OWASP Enterprise Security API (ESAPI) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. ESAPI also provides AntiSamy's functionality.
  • Coverity Security Library (CSL) is a lightweight set of escaping routines for fixing cross-site scripting (XSS), SQL injection, and other security defects in Java web applications.
  • xssprotect is a Java library for filtering XSS attacks from user input fields.
  • jsoup is a Java HTML parser library. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. It can also clean user-submitted content against a safe white-list, to prevent XSS attacks.

These filters are mostly for web applications (on the server side), not for HTML5-based mobile apps. We are still trying to find a good filter that can be used to defend against our attacks.

Vulnerable App List

We have implemented a static analysis tool to analyze 15,510 PhoneGap apps collected from the Android Market. The tool flagged 478 apps as vulnerable, with only a 2.30% false positive rate. The real vulnerable app list (467 apps) is provided here: vulnerable_app_list

Automatic Scanning Tools

You can download our tool MCIFINDER. Here are the instructions to help you run it.

Framework-Wide Protection

We have implemented a prototype called NoInjection as a patch to the PhoneGap framework in Android. This implementation is transparent to plugins, as well as to apps. App developers do need to download our revised PhoneGap library (cordova.jar) when compiling their code.

System-Wide Protection (In Progress)

We are also developing system-wide countermeasures to defeat the attack. This solution will protect not only PhoneGap apps but also all other HTML5-based mobile apps.