Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation

Xing Jin, Xunchao Hu, Kailiang Ying, Wenliang Du, Heng Yin, Gautam Nagesh Peri

Research output: Chapter in Book/Report/Conference proceedingConference contribution

106 Scopus citations

Abstract

Due to the portability advantage, HTML5-based mobile apps are getting more and more popular. Unfortunately, the web technology used by HTML5-based mobile apps has a dangerous feature, which allows data and code to be mixed together, making code injection attacks possible. In this paper, we have conducted a systematic study on this risk in HTML5-based mobile apps. We found a new form of code injection attack, which inherits the fundamental cause of Cross-Site Scripting attack (XSS), but it uses many more channels to inject code than XSS. These channels, unique to mobile devices, include Contact, SMS, Barcode, MP3, etc. To assess the prevalence of the code injection vulnerability in HTML5-based mobile apps, we have developed a vulnerability detection tool to analyze 15,510 PhoneGap apps collected from Google Play. 478 apps are flagged as vulnerable, with only 2.30% false-positive rate. We have also implemented a prototype called NoInjection as a Patch to PhoneGap in Android to defend against the attack.

Original languageEnglish (US)
Title of host publicationProceedings of the ACM Conference on Computer and Communications Security
PublisherAssociation for Computing Machinery
Pages66-77
Number of pages12
ISBN (Electronic)9781450329576, 9781450329576, 9781450331470, 9781450331500, 9781450331517, 9781450331524, 9781450331531, 9781450331548, 9781450331555, 9781450332392
DOIs
StatePublished - Nov 3 2014
Event21st ACM Conference on Computer and Communications Security, CCS 2014 - Scottsdale, United States
Duration: Nov 3 2014Nov 7 2014

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221

Other

Other21st ACM Conference on Computer and Communications Security, CCS 2014
CountryUnited States
CityScottsdale
Period11/3/1411/7/14

Keywords

  • Code injection
  • HTML5-based mobile application
  • Static analysis

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation'. Together they form a unique fingerprint.

  • Cite this

    Jin, X., Hu, X., Ying, K., Du, W., Yin, H., & Peri, G. N. (2014). Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation. In Proceedings of the ACM Conference on Computer and Communications Security (pp. 66-77). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/2660267.2660275