Abstract

HTML5-based mobile apps are becoming popular for cross-platform mobile development. Because they are built with web technologies (HTML5, CSS, and JavaScript), they can face code injection attacks just as web apps do. However, the way code injection attacks are exploited in web apps differs from the way they are exploited in HTML5-based mobile apps. In web apps, code injection attacks are typically carried out through cross-site scripting. In HTML5-based mobile apps, attackers can deliver injected code through a variety of channels: inter-app, inter-component, and inter-device communication, as well as local device resources such as WiFi, SMS, and Contacts. The plugin APIs that implement these code injection channels are defined as sensitive plugin APIs. Previous approaches modeled known sensitive plugin APIs and applied data flow analysis to detect sensitive information flows from those modeled APIs to vulnerable APIs. However, such methods can miss code injection flaws caused by sensitive plugin APIs that were not modeled. In addition, analyzing information flows in JavaScript is challenging: we found that the previous approaches are not able to analyze the various contexts in which callback functions are used. In this paper, we develop a static analysis tool called SCANCIF to scan for code injection flaws. SCANCIF identifies sensitive plugin APIs based on code injection tags, and analyzes information flows by modeling the contexts of callback functions passed in function calls. We evaluated our approach on a data set of 3,204 HTML5-based mobile apps; SCANCIF flagged 220 vulnerable apps. We manually reviewed them and found 4 new code injection channels.
