What Makes an App Vulnerable

First, the app must be based on HTML5 technology, i.e., its code (or part of its code) is written in JavaScript. If the app is written in the language native to the platform (e.g. Java for Android and Objective-C for iOS), it is immune to this type of attack.

Second, there must exist a channel through which the app receives data from outside. The data can come from outside the device (such as a scanned 2D barcode) or from another app on the same device (such as the Contact list).

Third, the app needs to display the information received from outside. The choice of the API used to display the information is critical: some APIs are safe, but many of them are not.

How the Attack Works

The following diagram depicts how the attack works. For full details, see our paper. (put the paper links here later)

Attacks

External Data Channels

The following channels can be used by attackers to inject malicious JavaScript code into a victim's device:

  • ID channels
    • SSID field of Wi-Fi access points
    • Device name of Bluetooth devices
  • Data channels unique to mobile
    • 2D barcode such as QR code
    • SMS messages
    • Contents in NFC tags
    • RDS fields of FM radio
  • Metadata channels (Metadata fields in multimedia files)
    • Image files such as JPEG
    • Audio files such as MP3
    • Video files such as MP4

Internal Data Channels

The following channels can be used by another app on the same device to inject malicious JavaScript code into a vulnerable HTML5-based app (our study was conducted only on Android; you should be able to find similar channels on other platforms):

  • Content Provider
    • Contact
    • Calendar
    • User dictionary
    • Call Log
    • Browser history and bookmarks
    • Sync adapter
    • Profile
  • Intent
  • External storage

Frameworks Affected

PhoneGap is the most popular framework for HTML5-based app development, and our studies are mostly based on PhoneGap apps. There are other frameworks, such as RhoMobile and Appcelerator. We have tested only several of them, and found them similarly vulnerable.

Frameworks       Vulnerable or Not?
PhoneGap         Vulnerable
MoSync           Vulnerable
RhoMobile        Vulnerable
Sencha Touch     Vulnerable
AppMobi          Vulnerable
Appcelerator     Investigation in progress
Widgetpad        Investigation in progress
Corona           Investigation in progress
jQuery Mobile    Investigation in progress
Mojito           Investigation in progress

Unsafe JavaScript APIs

A number of JavaScript APIs can be used for displaying data. The following table shows whether each of them is safe against our attacks or not. It also shows the percentage of apps (among the 15,510 samples that we have studied) that use each API at least once. We have highlighted those that are both popular and unsafe. An important observation is that 93% of apps use at least one unsafe API or attribute at least once, and the unsafe innerHTML attribute alone is used by 91% of apps.

DOM APIs and Attributes   Safe (✓) or Not (✗)?   Usages
document.write()                                 12.95%
innerHTML                                        90.90%
outerHTML                                        54.41%
innerText                                        62.01%
outerText                                         0.13%
textContent                                      65.97%
value                                            83.11%

jQuery APIs               Safe (✓) or Not (✗)?   Usages
html()                                           66.42%
append()                                         71.04%
prepend()                                        22.36%
before()                                         54.88%
after()                                          14.89%
replaceAll()                                     56.78%
text()                                           62.05%
val()                                            62.82%
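The usage percentages above come from scanning app sources for each sink at least once. The following is an added example of such a scan, not the study's own tooling and not code from the page: it takes a set of app sources, reports which sinks each uses, and computes the per-sink "apps using it at least once" share plus the share of apps touching any markup-parsing sink. The four app sources are constructed. The safe/unsafe split is this example's own classification by DOM and jQuery semantics (the sinks that parse their argument as HTML are document.write, innerHTML, outerHTML and jQuery's html(), append(), prepend(), before(), after() and replaceAll(); the text sinks are innerText, outerText, textContent, value, text() and val()), since the ✓/✗ column of the table did not survive on this page.

```javascript
// Added example (not the study's tooling): regex-based triage of display sinks
// across app sources. The regexes over-approximate (for instance
// String.prototype.replaceAll also matches); a production scan would use an AST.

// Sinks that parse their argument as HTML: any tag in the data goes live.
const MARKUP_SINKS = {
  'document.write()': /document\.write(ln)?\s*\(/,
  'innerHTML': /\.innerHTML\s*\+?=/,
  'outerHTML': /\.outerHTML\s*\+?=/,
  'html()': /\.html\s*\([^)]/,          // .html(arg) is a setter; .html() is a getter
  'append()': /\.append\s*\(/,
  'prepend()': /\.prepend\s*\(/,
  'before()': /\.before\s*\(/,
  'after()': /\.after\s*\(/,
  'replaceAll()': /\.replaceAll\s*\(/,
};

// Sinks that treat their argument as plain text.
const TEXT_SINKS = {
  'innerText': /\.innerText\s*\+?=/,
  'outerText': /\.outerText\s*\+?=/,
  'textContent': /\.textContent\s*\+?=/,
  'value': /\.value\s*=[^=]/,
  'text()': /\.text\s*\([^)]/,
  'val()': /\.val\s*\([^)]/,
};

// Names of the sinks a single app source uses at least once, split by class.
function sinksUsed(source) {
  const used = { markup: [], text: [] };
  for (const [name, re] of Object.entries(MARKUP_SINKS)) {
    if (re.test(source)) used.markup.push(name);
  }
  for (const [name, re] of Object.entries(TEXT_SINKS)) {
    if (re.test(source)) used.text.push(name);
  }
  return used;
}

// Percentage of apps using each sink at least once (as in the tables above),
// and the percentage of apps that use at least one markup-parsing sink.
function usageReport(apps) {
  const counts = {};
  let appsWithMarkupSink = 0;
  for (const src of apps) {
    const used = sinksUsed(src);
    for (const name of [...used.markup, ...used.text]) {
      counts[name] = (counts[name] || 0) + 1;
    }
    if (used.markup.length > 0) appsWithMarkupSink++;
  }
  const perSinkPercent = {};
  for (const [name, n] of Object.entries(counts)) {
    perSinkPercent[name] = Math.round((10000 * n) / apps.length) / 100;
  }
  return {
    perSinkPercent,
    anyMarkupSinkPercent: Math.round((10000 * appsWithMarkupSink) / apps.length) / 100,
  };
}

// Constructed sources standing in for the JavaScript of four apps.
const constructedApps = [
  // app 1: shows a scanned barcode through innerHTML
  "scanner.scan(function (r) { document.getElementById('out').innerHTML = r.text; });",
  // app 2: jQuery; renders contact names with html() and clears a search box with val()
  "navigator.contacts.find(['displayName'], function (cs) { $('#list').html(cs.map(function (c) { return '<li>' + c.displayName + '</li>'; }).join('')); }); $('#q').val('');",
  // app 3: text-only sinks
  "el.textContent = msg; $('#status').text(status);",
  // app 4: displays no external data at all
  "console.log('hello');",
];

console.log(JSON.stringify(usageReport(constructedApps), null, 2));
```

On the constructed set the report shows half the apps reaching a markup sink; the study's figure for real apps is the 93% quoted above. A finding from this kind of scan is a lead, not a confirmed vulnerability: the sink must also be reachable with data from one of the channels listed earlier.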