Detecting broken security in hybrid Android apps (completed)

Starting Date: Summer 2016
Prerequisites: Java, Python; some experience with Android and Java bytecode
Will results be assigned to University:

Many modern Android applications make use of a webview – a component providing easy access to the rendering engine and JavaScript interpreter of a full browser. The content shown by a webview can be loaded from a local resource or a remote server via HTTP and integrates seamlessly with the app. Webviews are popular with developers, and hybrid application frameworks such as Apache Cordova rely on them heavily.

The web content can be tailored specifically to the app, and JavaScript can be allowed to read or write user data and access the device within the permissions granted to the app. Effectively, this circumvents the normal protection offered by the browser sandbox. This can lead to a security vulnerability if an attacker is able to inject JavaScript code by hijacking the network connection.

How difficult it is for an adversary to mount an attack on the webview interface depends on how the application loads the contents of the webview:

  • Remote content loaded from any address is the easiest to exploit and requires the attacker to trick the user or app to visit a manipulated web page. For instance, some apps can be instructed to load a target URL in their webview by embedding a specially crafted intent URI in a malicious website which is then visited by the victim in a regular mobile browser.
  • Remote content (from a fixed address) via plaintext HTTP requires an attacker with the ability to forge TCP packets, such that malicious contents are loaded into the webview.
  • Remote content via TLS without certificate checks requires the ability to mount a man-in-the-middle attack.
  • Remote content via TLS with certificate checks requires an attacker to manipulate the data on the server (or to forge certificates, where the app does not use certificate pinning).
  • Static local content requires an attacker to have full control over the application image. Such an adversary would already be at the privilege level of the app, so an attack would be pointless.

The goal of this project is to build a fast static analysis that judges how difficult it is for an attacker to manipulate a hybrid Android app and reports vulnerable apps out of a large corpus of real-world apps from the Android app store. You will build on tools such as AndroGuard and Soot to implement the analysis and can start from an existing implementation for detecting broken certificate checking in Android (see the 2012 paper by Fahl et al.).
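The ordering in the list above can be turned into a triage step that ranks apps by their most exposed webview load. The following Python is an added example, not part of the project's code: the `LoadSite` facts are assumed to come from a prior static-analysis pass, the split of the TLS-with-checks case into pinned and unpinned tiers and the conservative handling of non-constant URLs are choices made here, and all package names and URLs are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional
from urllib.parse import urlsplit

class Exposure(IntEnum):
    """Higher value = less attacker effort, in the order of the list above."""
    LOCAL_STATIC = 0      # content shipped inside the application image
    TLS_PINNED = 1        # TLS, certificate checked and pinned
    TLS_CHECKED = 2       # TLS, certificate checked, no pinning
    TLS_UNCHECKED = 3     # TLS, certificate errors ignored
    PLAINTEXT_HTTP = 4    # fixed address over plaintext HTTP
    ANY_ADDRESS = 5       # URL can be chosen from outside the app

@dataclass
class LoadSite:
    """Facts about one WebView.loadUrl() call (assumed analysis output)."""
    url: Optional[str]                # constant URL, or None if not constant
    ignores_tls_errors: bool = False  # onReceivedSslError() calls proceed()
    pins_certificate: bool = False

def classify(site: LoadSite) -> Exposure:
    if site.url is None:
        # Conservative assumption: an unresolved URL may be externally set.
        return Exposure.ANY_ADDRESS
    scheme = urlsplit(site.url).scheme.lower()
    if scheme == "file":
        return Exposure.LOCAL_STATIC
    if scheme == "http":
        return Exposure.PLAINTEXT_HTTP
    if scheme == "https":
        if site.ignores_tls_errors:   # checked first: no certificate check at all
            return Exposure.TLS_UNCHECKED
        return Exposure.TLS_PINNED if site.pins_certificate else Exposure.TLS_CHECKED
    raise ValueError(f"unhandled URL scheme: {scheme!r}")

def rank_apps(corpus: dict) -> list:
    """Return (package, worst Exposure) pairs, most exposed app first."""
    worst = {pkg: max(map(classify, sites), default=Exposure.LOCAL_STATIC)
             for pkg, sites in corpus.items()}
    return sorted(worst.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample corpus; package names and URLs are made up.
SAMPLE = {
    "com.example.news": [LoadSite("file:///android_asset/index.html"),
                         LoadSite("http://news.example.com/feed")],
    "com.example.bank": [LoadSite("https://bank.example.com/", pins_certificate=True)],
    "com.example.shop": [LoadSite("https://shop.example.com/", ignores_tls_errors=True)],
    "com.example.view": [LoadSite(None)],
}
```

An app is ranked by its worst load site, so a single plaintext page outweighs any number of local assets in the same app.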