SlideShare a Scribd company logo

Mobile Browser Content Handling

Denim Group, profile picture
Denim Group

The document discusses the handling of content by mobile browsers and the associated security risks, focusing on URL schemes for iOS and Android applications. It highlights the importance of validating inputs and preventing malicious interactions through these content handlers. Security testers and developers are urged to recognize and mitigate these vulnerabilities to protect user data and device functionality.

Technology
1 of 16
Downloaded 50 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Mobile Browser Content Handling Potential Risks and Mitigations Dan Cornell © Copyright 2011 Denim Group - All Rights Reserved
My Background • Dan Cornell, Founder and CTO of Denim Group • Software developer by background (Java, .NET, etc) • OWASP San Antonio, Global Membership Committee • Denim Group – Build software with special security, performance, reliability requirements – Help organizations deal with the risk associated with their software • Code reviews and application assessments • SDLC consulting • Secure development training © Copyright 2011 Denim Group - All Rights Reserved 1
Mobile Browser Content Handling • Many mobile platforms allow you to designate applications to handle content found in web pages – By URI protocol – By content type • Provide a “premium” experience for users who have the target app installed • Examples: – tel:// URLs initiating phone calls – maps:// URLs to display maps © Copyright 2011 Denim Group - All Rights Reserved 2
iPhone/iPad URL Schemes • iOS applications can be set up to “handle” certain URL schemes • Defined in the application’s Info.plist • Binary format: annoying © Copyright 2011 Denim Group - All Rights Reserved 3
Decoding plist Files • plutil -convert xml1 Info.plist • Much nicer © Copyright 2011 Denim Group - All Rights Reserved 4
iOS URL Handlers • XPath: Look for: /plist/dict/array/dict[key='CFBundleURLSchemes']/array/string • Now you know the URL Schemes the app handles • SANS blog post on this issue in iOS: – http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes- apples- ios/?utm_source%253Drss%2526utm_medium%253Drss%2526utm_campaign%2 53Dinsecure-handling-url-schemes-apples-ios – Too long to type? http://bit.ly/ezqdK9 © Copyright 2011 Denim Group - All Rights Reserved 5
Android Intents • Intents are facilities for late-binding messaging between applications – http://developer.android.com/guide/topics/intents/intents-filters.html • One use is to allow applications to register to receive messages from the Browser when certain types of content are received – Like iOS URL Schemes but an even more comprehensive IPC mechanism © Copyright 2011 Denim Group - All Rights Reserved 6
What’s Up With My Android XML Files? • Binary encoding • Use axml2xml.pl to convert them to text http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl © Copyright 2011 Denim Group - All Rights Reserved 7
Much Better • Now we can see <intent-filter> tags © Copyright 2011 Denim Group - All Rights Reserved 8
Intent Filter Example <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme="danco" /> </intent-filter> • Action: What to do? • Data: Scheme is URI “protocol” to handle • Category BROWSABLE: Allow this Action to be initiated by the browser © Copyright 2011 Denim Group - All Rights Reserved 9
Intent Filter Demo – Manual Launch, HTML Page © Copyright 2011 Denim Group - All Rights Reserved 10
Intent Filter Demo – Anchor Launch, IFrame Launch © Copyright 2011 Denim Group - All Rights Reserved 11
I’m a Security Tester. Why Do I Care? • URL handlers are remotely-accessible attack surface • This is a way for you to “reach out and touch” applications installed on a device if you can get a user to navigate to a malicious page • Send in arbitrary URLs via links or (easier) embedded IFRAMEs • Example: iOS Skype application used to automatically launch the Skype application and initiate a call when it encountered a skype:// URL – Apple’s native Phone handle for tel:// URLs would confirm before a call was made © Copyright 2011 Denim Group - All Rights Reserved 12
I’m a Developer. Why Do I Care? • See the previous slide. Bad guys care. So should you. Please. • Content passed in via these handlers must be treated as untrusted – Positively validate – Enforce proper logic restrictions • All: – Should a malicious web page be able to cause this behavior? • Make phone call, transmit location, take photo, start audio recording, etc • iOS: – Validate inputs to handleOpenURL: message • Android: – Validate data brought in from Action.getIntent() method © Copyright 2011 Denim Group - All Rights Reserved 13
Online • Code, slides and videos online: www.smartphonesdumbapps.com © Copyright 2011 Denim Group - All Rights Reserved 14
Questions? Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 15

More Related Content

PPTX
How is Your AppSec Program Doing Compared to Others
Denim Group
 
PDF
Designing Secure Mobile Apps
Denim Group
 
PDF
Smart Phones Dumb Apps
Denim Group
 
PDF
Vulnerability Management In An Application Security World
Denim Group
 
PPTX
Android App
OnlineUser4
 
PPTX
How iOS and Android Handle Security Webinar
Denim Group
 
PDF
Social Networks and Security: What Your Teenager Likely Won't Tell You
Denim Group
 
PDF
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
How is Your AppSec Program Doing Compared to Others
Denim Group
 
Designing Secure Mobile Apps
Denim Group
 
Smart Phones Dumb Apps
Denim Group
 
Vulnerability Management In An Application Security World
Denim Group
 
Android App
OnlineUser4
 
How iOS and Android Handle Security Webinar
Denim Group
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Denim Group
 
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 

What's hot (20)

PDF
The Permanent Campaign
Denim Group
 
PDF
Developing Secure Mobile Applications
Denim Group
 
PDF
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 
PDF
The Need For Open Software Security Standards In A Mobile And Cloudy World
Denim Group
 
PDF
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
PDF
What Permissions Does Your Database User REALLY Need?
Denim Group
 
PDF
The Magic of Symbiotic Security
Denim Group
 
PDF
Skeletons in the Closet: Securing Inherited Applications
Denim Group
 
PPTX
Security testing of mobile applications
GTestClub
 
PPTX
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
IBM Security
 
PPT
Security Best Practices for Mobile Development @ Dreamforce 2013
Tom Gersic
 
PPTX
Pentesting iPhone applications
Satish b
 
PDF
CIS14: Mobilize Your Workforce with Secure Identity Services
CloudIDSummit
 
PPTX
Ahmed sallam technical_journey_1992_1999
Ahmed Sallam
 
PPTX
IBM Smarter Business 2012 - IBM Security: Threat landscape
IBM Sverige
 
PDF
Mobile security - Intense overview
PrivateWave Italia SpA
 
PPTX
SmartTV Security
Ulisses Albuquerque
 
PPT
Emerging Threats and Attack Surfaces
Peter Wood
 
PPTX
Intersect
Fotios Lindiakos
 
PDF
Enterprise Apps Development 101
Kareem ElSayyed
 
The Permanent Campaign
Denim Group
 
Developing Secure Mobile Applications
Denim Group
 
Vulnerability Management In An Application Security World: AppSecDC
Denim Group
 
The Need For Open Software Security Standards In A Mobile And Cloudy World
Denim Group
 
Software Security for Project Managers: What Do You Need To Know?
Denim Group
 
What Permissions Does Your Database User REALLY Need?
Denim Group
 
The Magic of Symbiotic Security
Denim Group
 
Skeletons in the Closet: Securing Inherited Applications
Denim Group
 
Security testing of mobile applications
GTestClub
 
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
IBM Security
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Tom Gersic
 
Pentesting iPhone applications
Satish b
 
CIS14: Mobilize Your Workforce with Secure Identity Services
CloudIDSummit
 
Ahmed sallam technical_journey_1992_1999
Ahmed Sallam
 
IBM Smarter Business 2012 - IBM Security: Threat landscape
IBM Sverige
 
Mobile security - Intense overview
PrivateWave Italia SpA
 
SmartTV Security
Ulisses Albuquerque
 
Emerging Threats and Attack Surfaces
Peter Wood
 
Intersect
Fotios Lindiakos
 
Enterprise Apps Development 101
Kareem ElSayyed
 
Ad

Viewers also liked (11)

PDF
Security Maturity Models.
Priyanka Aash
 
PDF
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
XEventsHospitality
 
PPT
Industry Analysis
Narender Bansal
 
DOCX
Strategic group map
David Green
 
PPT
Industry Analysis Presentation
jttaylo
 
PPT
9. life cycle strategies
Jigar Lakhani
 
PPT
industrial analysis
Noorulhadi Qureshi
 
PPTX
Strategic group mapping
sanjna walia
 
PDF
Beyaz Şapkalı Hacker Eğitimi Yardımcı Ders Notları
BGA Cyber Security
 
PPT
Product life cycle
Sagar Gadekar
 
PPT
Product life cycle
Vandna Dhiman
 
Security Maturity Models.
Priyanka Aash
 
Global Cyber Security Outlook - Deloitte (Hotel_Digital_Security_Seminar_Sept...
XEventsHospitality
 
Industry Analysis
Narender Bansal
 
Strategic group map
David Green
 
Industry Analysis Presentation
jttaylo
 
9. life cycle strategies
Jigar Lakhani
 
industrial analysis
Noorulhadi Qureshi
 
Strategic group mapping
sanjna walia
 
Beyaz Şapkalı Hacker Eğitimi Yardımcı Ders Notları
BGA Cyber Security
 
Product life cycle
Sagar Gadekar
 
Product life cycle
Vandna Dhiman
 
Ad

Similar to Mobile Browser Content Handling (20)

PDF
Security Testing Mobile Applications
Denim Group
 
PDF
Mobile Application Security Code Reviews
Denim Group
 
PDF
Evaluating iOS Applications
iphonepentest
 
PDF
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
PDF
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
PPTX
Android Security Humla Part 1
Nikhil Kulkarni
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
PPTX
iOS application (in)security
iphonepentest
 
PPTX
Demystifying the Mobile Container - PART I
Relayware
 
PDF
Managing content in_a_mobile_world
QuestexConf
 
PPTX
Android application development fundamentals
indiangarg
 
PDF
Introduction to android - SpringPeople
SpringPeople
 
PPTX
android development training in mumbai
faizrashid1995
 
PPT
Automation In Android & iOS Application Review
Blueinfy Solutions
 
PDF
Bringing Government and Enterprise Security Controls to the Android Endpoint
Hamilton Turner
 
PDF
Securing Android
Marakana Inc.
 
PPTX
Starting mobile development
Mihai Corlan
 
PPTX
What Mobile Development Approach Makes Sense
Dipesh Mukerji
 
PDF
Hacking and Securing iOS Apps : Part 1
Subhransu Behera
 
PPTX
Development mobile app cross device
Phuong Nguyen
 
Security Testing Mobile Applications
Denim Group
 
Mobile Application Security Code Reviews
Denim Group
 
Evaluating iOS Applications
iphonepentest
 
Pentesting Mobile Applications (Prashant Verma)
ClubHack
 
Benchmarking Web Application Scanners for YOUR Organization
Denim Group
 
Android Security Humla Part 1
Nikhil Kulkarni
 
Mobile code mining for discovery and exploits nullcongoa2013
Blueinfy Solutions
 
iOS application (in)security
iphonepentest
 
Demystifying the Mobile Container - PART I
Relayware
 
Managing content in_a_mobile_world
QuestexConf
 
Android application development fundamentals
indiangarg
 
Introduction to android - SpringPeople
SpringPeople
 
android development training in mumbai
faizrashid1995
 
Automation In Android & iOS Application Review
Blueinfy Solutions
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Hamilton Turner
 
Securing Android
Marakana Inc.
 
Starting mobile development
Mihai Corlan
 
What Mobile Development Approach Makes Sense
Dipesh Mukerji
 
Hacking and Securing iOS Apps : Part 1
Subhransu Behera
 
Development mobile app cross device
Phuong Nguyen
 

More from Denim Group (20)

PDF
Long-term Impact of Log4J
Denim Group
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
PDF
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
PDF
Application Asset Management with ThreadFix
Denim Group
 
PDF
OWASP San Antonio Meeting 10/2/20
Denim Group
 
PDF
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
PDF
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
PDF
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
PDF
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
PDF
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
PPTX
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
PDF
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
PDF
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
PDF
AppSec in a World of Digital Transformation
Denim Group
 
PDF
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
PDF
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
PDF
AppSec in a World of Digital Transformation
Denim Group
 
PDF
Enumerating Enterprise Attack Surface
Denim Group
 
Long-term Impact of Log4J
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Denim Group
 
Application Asset Management with ThreadFix
Denim Group
 
OWASP San Antonio Meeting 10/2/20
Denim Group
 
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Denim Group
 
Using Collaboration to Make Application Vulnerability Management a Team Sport
Denim Group
 
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Denim Group
 
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
An Updated Take: Threat Modeling for IoT Systems
Denim Group
 
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Denim Group
 
A New View of Your Application Security Program with Snyk and ThreadFix
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
Denim Group
 
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Denim Group
 
Enabling Developers in Your Application Security Program With Coverity and Th...
Denim Group
 
AppSec in a World of Digital Transformation
Denim Group
 
Enumerating Enterprise Attack Surface
Denim Group
 

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Encapsulation theory and applications.pdf
gurumoop
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Teaching material agriculture food technology
LiaRayya
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 

Mobile Browser Content Handling

  • 1. Mobile Browser Content Handling Potential Risks and Mitigations Dan Cornell © Copyright 2011 Denim Group - All Rights Reserved
  • 2. My Background • Dan Cornell, Founder and CTO of Denim Group • Software developer by background (Java, .NET, etc) • OWASP San Antonio, Global Membership Committee • Denim Group – Build software with special security, performance, reliability requirements – Help organizations deal with the risk associated with their software • Code reviews and application assessments • SDLC consulting • Secure development training © Copyright 2011 Denim Group - All Rights Reserved 1
  • 3. Mobile Browser Content Handling • Many mobile platforms allow you to designate applications to handle content found in web pages – By URI protocol – By content type • Provide a “premium” experience for users who have the target app installed • Examples: – tel:// URLs initiating phone calls – maps:// URLs to display maps © Copyright 2011 Denim Group - All Rights Reserved 2
  • 4. iPhone/iPad URL Schemes • iOS applications can be set up to “handle” certain URL schemes • Defined in the application’s Info.plist • Binary format: annoying © Copyright 2011 Denim Group - All Rights Reserved 3
  • 5. Decoding plist Files • plutil -convert xml1 Info.plist • Much nicer © Copyright 2011 Denim Group - All Rights Reserved 4
  • 6. iOS URL Handlers • XPath: Look for: /plist/dict/array/dict[key='CFBundleURLSchemes']/array/string • Now you know the URL Schemes the app handles • SANS blog post on this issue in iOS: – http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes- apples- ios/?utm_source%253Drss%2526utm_medium%253Drss%2526utm_campaign%2 53Dinsecure-handling-url-schemes-apples-ios – Too long to type? http://bit.ly/ezqdK9 © Copyright 2011 Denim Group - All Rights Reserved 5
  • 7. Android Intents • Intents are facilities for late-binding messaging between applications – http://developer.android.com/guide/topics/intents/intents-filters.html • One use is to allow applications to register to receive messages from the Browser when certain types of content are received – Like iOS URL Schemes but an even more comprehensive IPC mechanism © Copyright 2011 Denim Group - All Rights Reserved 6
  • 8. What’s Up With My Android XML Files? • Binary encoding • Use axml2xml.pl to convert them to text http://code.google.com/p/android-random/downloads/detail?name=axml2xml.pl © Copyright 2011 Denim Group - All Rights Reserved 7
  • 9. Much Better • Now we can see <intent-filter> tags © Copyright 2011 Denim Group - All Rights Reserved 8
  • 10. Intent Filter Example <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme="danco" /> </intent-filter> • Action: What to do? • Data: Scheme is URI “protocol” to handle • Category BROWSABLE: Allow this Action to be initiated by the browser © Copyright 2011 Denim Group - All Rights Reserved 9
  • 11. Intent Filter Demo – Manual Launch, HTML Page © Copyright 2011 Denim Group - All Rights Reserved 10
  • 12. Intent Filter Demo – Anchor Launch, IFrame Launch © Copyright 2011 Denim Group - All Rights Reserved 11
  • 13. I’m a Security Tester. Why Do I Care? • URL handlers are remotely-accessible attack surface • This is a way for you to “reach out and touch” applications installed on a device if you can get a user to navigate to a malicious page • Send in arbitrary URLs via links or (easier) embedded IFRAMEs • Example: iOS Skype application used to automatically launch the Skype application and initiate a call when it encountered a skype:// URL – Apple’s native Phone handle for tel:// URLs would confirm before a call was made © Copyright 2011 Denim Group - All Rights Reserved 12
  • 14. I’m a Developer. Why Do I Care? • See the previous slide. Bad guys care. So should you. Please. • Content passed in via these handlers must be treated as untrusted – Positively validate – Enforce proper logic restrictions • All: – Should a malicious web page be able to cause this behavior? • Make phone call, transmit location, take photo, start audio recording, etc • iOS: – Validate inputs to handleOpenURL: message • Android: – Validate data brought in from Action.getIntent() method © Copyright 2011 Denim Group - All Rights Reserved 13
  • 15. Online • Code, slides and videos online: www.smartphonesdumbapps.com © Copyright 2011 Denim Group - All Rights Reserved 14
  • 16. Questions? Dan Cornell dan@denimgroup.com Twitter: @danielcornell www.denimgroup.com (210) 572-4400 © Copyright 2011 Denim Group - All Rights Reserved 15