Are my apps vulnerable?

To help users check whether the HTML5-based apps on their devices are vulnerable, we provide several tests that users can perform on their apps. In each test, we provide sample data that contains a benign "worm". This worm does no damage; it only displays a warning message if activated. When your app uses the data and you see a popup alert window that looks like the one on the right, your app is vulnerable. However, if your app simply displays "... onerror=alert('Your\u0020app\u0020is\u0020vulnerable')", the malicious code is displayed and not activated, so your app is safe.

If your app scans 2D barcodes


If your app scans 2D barcodes, you can use it to scan the QR code displayed on the right side. We have embedded a benign "worm" inside the QR code, but other than displaying a warning message, it does not do any damage. If you see a popup alert window saying "Your app is vulnerable", your app is vulnerable.



If your app plays mp3 or mp4

If your app plays mp3 music, you can download this mp3 song to your device and play it using the app. We have embedded a benign "worm" inside the mp3 music (in its Artist and Album name fields). If you see a popup alert window saying "Your app is vulnerable", your app is vulnerable.

A similar idea applies to the mp4 video. If your app plays mp4 videos, you can download and play this mp4 video and see whether you get a popup alert window.

If your app displays SMS messages

If your app displays SMS messages, you can send the following text message to yourself, and then use your app to display it. If you see a popup alert window saying "Your app is vulnerable", your app is vulnerable.

<img src=x onerror=alert('Your\u0020app\u0020is\u0020vulnerable')>


If your app displays Contacts

If your app displays information from Contacts, you can add a new person to Contacts using the following string as the person's name. Then use your app to display the information about this new person. If you see a popup alert window saying "Your app is vulnerable", your app is vulnerable.

<img src=x onerror=alert('Your\u0020app\u0020is\u0020vulnerable')>


If your app reads from Calendar

If your app reads and displays information from the Calendar, you can use an approach similar to the one above to add the string to your Calendar and use your app to display it. See whether you get a popup alert window.
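
For developers, the two outcomes described at the top of this page (the test string being activated versus merely displayed) come down to how the app inserts external data into its HTML. The following is an added example, not code from the original page; the function names, the `<li>` template and the sample record set are assumptions made for illustration.

```javascript
// The page's benign test string, verbatim (String.raw keeps "\u0020" literal).
const TEST_STRING = String.raw`<img src=x onerror=alert('Your\u0020app\u0020is\u0020vulnerable')>`;

// Constructed sample data: one value per channel the page lists, plus a benign control.
const SAMPLES = {
  barcode: TEST_STRING,
  mp3Artist: TEST_STRING,
  sms: TEST_STRING,
  contactName: TEST_STRING,
  calendarTitle: TEST_STRING,
  plainControl: "Alice & Bob",
};

// Escape the five characters that let text break out into markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: data concatenated into markup that is later assigned to
// innerHTML. The <img> tag is parsed, loading fails, and onerror runs.
function renderVulnerable(value) {
  return `<li class="item">${value}</li>`;
}

// Safe pattern: same template, but the data is escaped first, so the WebView
// shows the string as text. With a DOM node, element.textContent = value
// achieves the same result without building markup at all.
function renderSafe(value) {
  return `<li class="item">${escapeHtml(value)}</li>`;
}

// True if the rendered markup contains a tag carrying an event handler attribute.
function hasLiveHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Run every sample through a renderer; return the channels that stay active.
function auditRenderer(render) {
  return Object.keys(SAMPLES).filter((ch) => hasLiveHandler(render(SAMPLES[ch])));
}

console.log("vulnerable renderer, active channels:", auditRenderer(renderVulnerable));
console.log("safe renderer, active channels:", auditRenderer(renderSafe));
```

A check like `auditRenderer` can be kept in an app's test suite so that every display path for external data is exercised with the test string before release.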