SlideShare a Scribd company logo

Mobile appsecurity

Download as PPTX, PDF
Mohamad Farhani, profile picture
Mohamad Farhani

The document discusses hybrid mobile application security technologies, focusing on how hybrid apps, built using web technologies like HTML and JavaScript, interact with mobile device resources through a JavaScript bridge. It presents 'HybridGuard,' a framework designed for hybrid app developers to define and enforce principal-based access controls and fine-grained security policies, addressing limitations of existing solutions. The framework enables robust security measures across various platforms and development frameworks without requiring modifications.

Mobile
Related topics:
Mobile App Insights
1 of 35
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
MOBILE APPLICATION SECURITY TECHNOLOGIES Mohamad Farhani Mohamad.farhany@gmail.com
Core code (HTML/Jav aScript) Web-based (Hybrid) Mobile Apps  Business core code is developed in the Web technologies, i.e., HTML/JavaScript  Run in a web container in a native mobile app 1 Core code (HTML/Jav aScript) Core code (HTML/Jav aScript) Core code (HTML/Jav aScript)
Hybrid Apps – Interaction with Mobile Device 2 Credit: www.xrgsystems.com
Hybrid App Architecture  Bridge code is provided to allow the access from the web code to the device 3
JavaScript Bridge in Web-based Apps 4 addJavascriptInterface( new MyObject(), "myinterface"); //core code in JavaScript myinterface.sendSMS(..); MyObject() myinterface
Hybrid Mobile Frameworks  The JavaScript Bridge is typically provided automatically by hybrid mobile development frameworks  E.g., Cordova (PhoneGap), Ionic, Onsen, React Native, and more than 70 others  JavaScript Bridge APIs are provided through plugins  Native implementations and JavaScript interfaces 5
Permission Model in Mobile Apps  Users can grant permissions for a mobile app  to access the device resources such as geolocation, SMS, …  Once a permission is granted (either static or dynamic), there is no way to control how the app uses the permissions 6
Permission in Web-based Mobile Apps  Any JavaScript code can access the exposed JavaScript bridge APIs 7 MyObject() myinterface Local JavaScript Third-party JavaScript
Security in Web-based Mobile Apps  Domain Whitelisting, e.g., in Cordova  Allow code from some whitelisted domains can access  Content Security Policy  Limit the access of JavaScript code based on domain 8 These mechanisms are coarse-grained: Once an access is granted, no more control on that
A Running Attack Scenario  Third-party JavaScript code might misuse the devices resources or leak sensitive information via phone-based channels, e.g., SMS  These cannot be enforced by whitelisted or CSP 9 geolocation, sms //Third-party JavaScript var g = geolocation.getLocation(); sms.send(..,g); Allowed in whitelisted domains and CSP
The state-of-the-art  Existing JavaScript security solutions  Do not cover phone-related channels, e.g., sms  Some hybrid app security solutions focus on a specific platform, e.g., WebView in Android [Georgiev et al., WWW’15], [Tuncay et al., CCS’16]  Some approaches modify the hybrid framework, e.g., PhoneGap [Georgiev et al., NDSS’15], [Jin et al., ISC’15]  Few work can enforce principal-based policies for mobile apps but do not protect the web environment, e.g., [Georgiev et al., WWW’15] 10
Our Motivation  Provide a framework to allow hybrid app developers to define and enforce principal-based access control and fine-grained policies  Do not depend on a specific mobile platform  Work with any hybrid frameworks 11
Outline  Motivation  Our Approach - HybridGuard  Implementation  Evaluation  Concluding Remarks 12
Threat Model  Hybrid Apps are legitimate and trusted by the users  Permissions are granted  Content Security Policy (CSP) is deployed to e.g., present Cross-site Scripting Attacks  In-scope threats - third-party JavaScript code, e.g., advertisements, allowed by the developers in CSP: 1. Benign but under the control of an attacker 2. Malicious by intentions 13
Our Approach  Load a piece of JavaScript code under a principal name, i.e.,:  Replace the original JavaScript inclusion <script src="http://third-party.com/script.js"> by our interface: loadJSwithPrincipal("principal","http://third- party.com/script.js")  Wrap critical JavaScript APIs (Web APIs + JavaScript Bridge APIs)  Enforce policies based on caller’s principals 14
JavaScript Invocation 15
Our Approach – Wrapping JavaScript APIs 16
Our Approach - HybridGuard 17
HybridGuard 18
Wrapping JavaScript (Web/Bridge) APIs 19 sms.send(…); orig_sms_send=sms.send; sms.send = function(){ } if (policyCheck(..)) execute(orig_sms_send,..); else{..} 1. Keep the original reference 2. Redefine the reference 3. Check policy to control the execution Security code is injected before any other JavaScript code to monitor them
Principal Management and Tracking  Based on “run-to-completion” execution model of JavaScript  We maintain a shadow stack to track the execution of each principal  We catch dynamic generated code and event handlers  Load these code under the same principal that generates them 20
Load and Run JavaScript Code under A Principal var var makeFunction runAs shadowStack.push(“google”); run(f); shadowStack.pop(); flush_dynamic_content(“google”);
Principal Tracking Example 22
Principal-based Permission  Wrap the JavaScript Bridge APIs  Grant access to these APIs based on principal  E.g.:  "trusted" principal can have full access to all resources  "local" principal can have access to resources A, B  "remote" principal can have access to resources C 23
Principal-based Permission Example  Each resource  Principal access control  Read  Write  Create 24
Stateful and Fine-grained Security Policies  Based on  Behavior of the code  Principal of the code  E.g.:  Disallow the sms.send if the untrusted principal has accessed the geolocation API 25
More Fine-grained Policy Patterns  Resource bounds Policy  Limit the number of accesses to a resource  E.g.,: limit the number of sms send  Whitelist Policies  A resource access is allowed only under some conditions  E.g.,: allow sms send to some predefined receipts  History-based Policies  Policies depending on the previous execution status  E.g.,: no SMS sending after contact list is read  Any custom policies, e.g., preventing UI attacks 26
Complete Mediation  Web APIs: We apply the secure wrapper implementations for JavaScript in the literature  Ensure that our monitor implementation is tamper-proof from potentially malicious code  JavaScript bridge APIs  Direct access to native APIs is disallowed  We rely on app developers to identify bridge APIs and wrap them with our interface 27
HybridGuard Security 28
HybridGuard Security  Unlabeled code always runs at the lowest privilege level  A principal-tracking failure could lead to conservative rejection, but never a policy violation 29
Evaluation  We have performed a small-scale evaluation on around 10 Android hybrid apps from Google Play  Decompile the code and inject our framework manually  We developed several hybrid apps invoking various plugins  Our framework is integrated and tested on Android and iOS 30
Policy Examples on Resources 31
Tested Hybrid Apps and Policies 32
Concluding Remarks  We present HybridGuard  A robust framework to specify and enforce principal- based and fine-grained security policies  HybridGuard is developed in JavaScript  can be deployed on various mobile platforms and hybrid development frameworks without modifying them  We provide a wide range security policies that the app developer can use to mitigate potential attacks 33
Thank you! Mohamad Farhani Mohamad.farhany@gmail.com MOBILE APPLICATION SECURITY TECHNOLOGIES

More Related Content

PDF
42crunch-API-security-workshop
42Crunch
 
PDF
SecDevOps for API Security
42Crunch
 
PDF
API Security: the full story
42Crunch
 
PDF
APIDays Paris Security Workshop
42Crunch
 
PDF
2018 android-security-udacity-morrison chang
mjchang
 
PDF
Android pentesting
Mykhailo Antonishyn
 
PPTX
Android pentesting
Mykhailo Antonishyn
 
PPTX
Sandboxing in .NET CLR
Mikhail Shcherbakov
 
42crunch-API-security-workshop
42Crunch
 
SecDevOps for API Security
42Crunch
 
API Security: the full story
42Crunch
 
APIDays Paris Security Workshop
42Crunch
 
2018 android-security-udacity-morrison chang
mjchang
 
Android pentesting
Mykhailo Antonishyn
 
Android pentesting
Mykhailo Antonishyn
 
Sandboxing in .NET CLR
Mikhail Shcherbakov
 

Similar to Mobile appsecurity (20)

PPTX
Virtue Security - The Art of Mobile Security 2013
Virtue Security
 
PDF
CNIT 128 8: Mobile development security
Sam Bowne
 
PPTX
A Two-Tier Sandbox Architecture for Untrusted JavaScript
Phú Phùng
 
PPTX
How iOS and Android Handle Security Webinar
Denim Group
 
PPTX
Web security: Securing Untrusted Web Content in Browsers
Phú Phùng
 
PPTX
Web security: Securing untrusted web content at browsers
Phú Phùng
 
PPT
Security Testing for Mobile and Web Apps
DrKaramHatim
 
PDF
Bringing Government and Enterprise Security Controls to the Android Endpoint
Hamilton Turner
 
PDF
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
PPTX
Building a Mobile Security Program
Denim Group
 
PPTX
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
PPTX
Fragments-Plug the vulnerabilities in your App
Appsecco
 
PPT
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PPTX
Phu appsec13
drewz lin
 
PDF
Rethinking-Security-of-Web-Based-System-Apps
Martin Georgiev
 
PPTX
Secure web messaging in HTML5
Krishna T
 
PDF
Designing Secure Mobile Apps
Denim Group
 
PPTX
Mobile Apps Develpment - A Comparison
Lataant Software Technologies
 
PDF
Securing Your Mobile Applications
Greg Patton
 
PDF
Mobile Enterprise Application Platform
Nugroho Gito
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security
 
CNIT 128 8: Mobile development security
Sam Bowne
 
A Two-Tier Sandbox Architecture for Untrusted JavaScript
Phú Phùng
 
How iOS and Android Handle Security Webinar
Denim Group
 
Web security: Securing Untrusted Web Content in Browsers
Phú Phùng
 
Web security: Securing untrusted web content at browsers
Phú Phùng
 
Security Testing for Mobile and Web Apps
DrKaramHatim
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Hamilton Turner
 
Mobile security chess board - attacks & defense
Blueinfy Solutions
 
Building a Mobile Security Program
Denim Group
 
OWASP Mobile TOP 10 2014
Islam Azeddine Mennouchi
 
Fragments-Plug the vulnerabilities in your App
Appsecco
 
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
Phu appsec13
drewz lin
 
Rethinking-Security-of-Web-Based-System-Apps
Martin Georgiev
 
Secure web messaging in HTML5
Krishna T
 
Designing Secure Mobile Apps
Denim Group
 
Mobile Apps Develpment - A Comparison
Lataant Software Technologies
 
Securing Your Mobile Applications
Greg Patton
 
Mobile Enterprise Application Platform
Nugroho Gito
 
Ad

Recently uploaded (9)

DOC
EIU毕业证学历认证,贝尔维尤学院毕业证国外毕业证
soeknca
 
DOC
SIUE毕业证学历认证,阿祖萨太平洋大学毕业证学位证书复制
gfjhfrefeef
 
PDF
Date Right Stuff - Invite only, conservative dating app
KrishnaveniMohan1
 
PDF
Kids, Screens & Emotional Development by Meenakshi Khakat
Meenakshi Khakat
 
PPTX
Introduction to Packet Tracer Course Overview - Aug 21 (1).pptx
RoyPabilona1
 
PDF
2025 Guide to Buy Verified Cash App Accounts You Can Trust.pdf
pvaonit Admin
 
DOC
NIU毕业证学历认证,阿比林基督大学毕业证留学生学历
gfjhfrefeef
 
PDF
Best 4 Sites for Buy Verified Cash App Accounts – BTC Only.pdf
Pvaonit
 
PPTX
Social Media People PowerPoint Templates.pptx
sawodnar
 
EIU毕业证学历认证,贝尔维尤学院毕业证国外毕业证
soeknca
 
SIUE毕业证学历认证,阿祖萨太平洋大学毕业证学位证书复制
gfjhfrefeef
 
Date Right Stuff - Invite only, conservative dating app
KrishnaveniMohan1
 
Kids, Screens & Emotional Development by Meenakshi Khakat
Meenakshi Khakat
 
Introduction to Packet Tracer Course Overview - Aug 21 (1).pptx
RoyPabilona1
 
2025 Guide to Buy Verified Cash App Accounts You Can Trust.pdf
pvaonit Admin
 
NIU毕业证学历认证,阿比林基督大学毕业证留学生学历
gfjhfrefeef
 
Best 4 Sites for Buy Verified Cash App Accounts – BTC Only.pdf
Pvaonit
 
Social Media People PowerPoint Templates.pptx
sawodnar
 
Ad

Mobile appsecurity

  • 1. MOBILE APPLICATION SECURITY TECHNOLOGIES Mohamad Farhani Mohamad.farhany@gmail.com
  • 2. Core code (HTML/Jav aScript) Web-based (Hybrid) Mobile Apps  Business core code is developed in the Web technologies, i.e., HTML/JavaScript  Run in a web container in a native mobile app 1 Core code (HTML/Jav aScript) Core code (HTML/Jav aScript) Core code (HTML/Jav aScript)
  • 3. Hybrid Apps – Interaction with Mobile Device 2 Credit: www.xrgsystems.com
  • 4. Hybrid App Architecture  Bridge code is provided to allow the access from the web code to the device 3
  • 5. JavaScript Bridge in Web-based Apps 4 addJavascriptInterface( new MyObject(), "myinterface"); //core code in JavaScript myinterface.sendSMS(..); MyObject() myinterface
  • 6. Hybrid Mobile Frameworks  The JavaScript Bridge is typically provided automatically by hybrid mobile development frameworks  E.g., Cordova (PhoneGap), Ionic, Onsen, React Native, and more than 70 others  JavaScript Bridge APIs are provided through plugins  Native implementations and JavaScript interfaces 5
  • 7. Permission Model in Mobile Apps  Users can grant permissions for a mobile app  to access the device resources such as geolocation, SMS, …  Once a permission is granted (either static or dynamic), there is no way to control how the app uses the permissions 6
  • 8. Permission in Web-based Mobile Apps  Any JavaScript code can access the exposed JavaScript bridge APIs 7 MyObject() myinterface Local JavaScript Third-party JavaScript
  • 9. Security in Web-based Mobile Apps  Domain Whitelisting, e.g., in Cordova  Allow code from some whitelisted domains can access  Content Security Policy  Limit the access of JavaScript code based on domain 8 These mechanisms are coarse-grained: Once an access is granted, no more control on that
  • 10. A Running Attack Scenario  Third-party JavaScript code might misuse the devices resources or leak sensitive information via phone-based channels, e.g., SMS  These cannot be enforced by whitelisted or CSP 9 geolocation, sms //Third-party JavaScript var g = geolocation.getLocation(); sms.send(..,g); Allowed in whitelisted domains and CSP
  • 11. The state-of-the-art  Existing JavaScript security solutions  Do not cover phone-related channels, e.g., sms  Some hybrid app security solutions focus on a specific platform, e.g., WebView in Android [Georgiev et al., WWW’15], [Tuncay et al., CCS’16]  Some approaches modify the hybrid framework, e.g., PhoneGap [Georgiev et al., NDSS’15], [Jin et al., ISC’15]  Few work can enforce principal-based policies for mobile apps but do not protect the web environment, e.g., [Georgiev et al., WWW’15] 10
  • 12. Our Motivation  Provide a framework to allow hybrid app developers to define and enforce principal-based access control and fine-grained policies  Do not depend on a specific mobile platform  Work with any hybrid frameworks 11
  • 13. Outline  Motivation  Our Approach - HybridGuard  Implementation  Evaluation  Concluding Remarks 12
  • 14. Threat Model  Hybrid Apps are legitimate and trusted by the users  Permissions are granted  Content Security Policy (CSP) is deployed to e.g., present Cross-site Scripting Attacks  In-scope threats - third-party JavaScript code, e.g., advertisements, allowed by the developers in CSP: 1. Benign but under the control of an attacker 2. Malicious by intentions 13
  • 15. Our Approach  Load a piece of JavaScript code under a principal name, i.e.,:  Replace the original JavaScript inclusion <script src="http://third-party.com/script.js"> by our interface: loadJSwithPrincipal("principal","http://third- party.com/script.js")  Wrap critical JavaScript APIs (Web APIs + JavaScript Bridge APIs)  Enforce policies based on caller’s principals 14
  • 17. Our Approach – Wrapping JavaScript APIs 16
  • 18. Our Approach - HybridGuard 17
  • 20. Wrapping JavaScript (Web/Bridge) APIs 19 sms.send(…); orig_sms_send=sms.send; sms.send = function(){ } if (policyCheck(..)) execute(orig_sms_send,..); else{..} 1. Keep the original reference 2. Redefine the reference 3. Check policy to control the execution Security code is injected before any other JavaScript code to monitor them
  • 21. Principal Management and Tracking  Based on “run-to-completion” execution model of JavaScript  We maintain a shadow stack to track the execution of each principal  We catch dynamic generated code and event handlers  Load these code under the same principal that generates them 20
  • 22. Load and Run JavaScript Code under A Principal var var makeFunction runAs shadowStack.push(“google”); run(f); shadowStack.pop(); flush_dynamic_content(“google”);
  • 24. Principal-based Permission  Wrap the JavaScript Bridge APIs  Grant access to these APIs based on principal  E.g.:  "trusted" principal can have full access to all resources  "local" principal can have access to resources A, B  "remote" principal can have access to resources C 23
  • 25. Principal-based Permission Example  Each resource  Principal access control  Read  Write  Create 24
  • 26. Stateful and Fine-grained Security Policies  Based on  Behavior of the code  Principal of the code  E.g.:  Disallow the sms.send if the untrusted principal has accessed the geolocation API 25
  • 27. More Fine-grained Policy Patterns  Resource bounds Policy  Limit the number of accesses to a resource  E.g.,: limit the number of sms send  Whitelist Policies  A resource access is allowed only under some conditions  E.g.,: allow sms send to some predefined receipts  History-based Policies  Policies depending on the previous execution status  E.g.,: no SMS sending after contact list is read  Any custom policies, e.g., preventing UI attacks 26
  • 28. Complete Mediation  Web APIs: We apply the secure wrapper implementations for JavaScript in the literature  Ensure that our monitor implementation is tamper-proof from potentially malicious code  JavaScript bridge APIs  Direct access to native APIs is disallowed  We rely on app developers to identify bridge APIs and wrap them with our interface 27
  • 30. HybridGuard Security  Unlabeled code always runs at the lowest privilege level  A principal-tracking failure could lead to conservative rejection, but never a policy violation 29
  • 31. Evaluation  We have performed a small-scale evaluation on around 10 Android hybrid apps from Google Play  Decompile the code and inject our framework manually  We developed several hybrid apps invoking various plugins  Our framework is integrated and tested on Android and iOS 30
  • 32. Policy Examples on Resources 31
  • 33. Tested Hybrid Apps and Policies 32
  • 34. Concluding Remarks  We present HybridGuard  A robust framework to specify and enforce principal- based and fine-grained security policies  HybridGuard is developed in JavaScript  can be deployed on various mobile platforms and hybrid development frameworks without modifying them  We provide a wide range security policies that the app developer can use to mitigate potential attacks 33

Editor's Notes

  • #12: , [Franzen et al., IMPS’11]