Y9^kPUfZ9l7 k L@gkR8 - JSSEC · Studio SAP Mobile Platform IBM MobileFirst Platform 13...
2
7H7lċÓ�ĩ
�ĩďŊ• �ĎŰ2002Ñ• ŖĄŠŰ1000r�• zĎâŰć|ŭĄĩŮ�Fp]jpHJE• Ø϶ôŰĴ40¯ŭ8ºijŮ
zĎ�Í• ŢĦ_jPT]=qdzĎŰŢĦQql�UI]mqdoqA• ŢĦðîzĎŰ7_kŢĦ�FqZqF9UŭPHPŮŢĦ• óľzĎŰTmqWpB�½į
5
7LPT − òï/È1'�ÎŔŖĢ4äí�1
5�`I
jZK�
cZ)C
���¾¤5�
´¿º�¥»�
WebhW)C
jZ+
BQ`I
jZ�ps�BQ
¨ ¤½¿�c�BQ
SD�¿¥^�@rBQ
SMSb��BQ
�´¸:1BQ
Bluetoothc�BQ
GPSBQ
6
ŖĢ4È1
Þ¿ŖĢ�ŀ�21
• òïĽ!.0Þ¿4§ĝ�21• òïĽ!.0Þ¿4ñ�5�21• òïĽ!.0Þ¿4�Ŧ�21
đĿŖĢ�ŀ�21
• òïĽ!.0đĿ4�ģ�21
ŖĢ
R!
R!
T'
7
fZ9l7_k!�1Attack Surface
Web API Server DB Server
[Y��¢³
¬�¨�¼� �
£¿�
�¯¹�¿�·¾
»¿³½¿�/ ¸�®¸¹
OS
Application¸ �¶´µ¹
WiFiBluetooth
NFC
�¾�¿GPS
9
Y9^kPU7_kűHTML5ůX9R8^
¨�¢�®�¿¥
HTML�¾¢¾¡
�¯¹A�}HTML5x&U
¨�¢�®�¯¹0,xe*©¿¥���BQ��J�Q
¯¸��¾x¨�¢�®BQ�8.
10
Cross PlatformQql"H;7
Chart data (legend: Using this tool / Prioritize this tool):
PhoneGap/Cordova 61%
Xamarin 35%
Unity 31%
Qt 18%
Adobe Air 15%
Appcelerator 13%
Corona 12%
Marmelade 9%
Codename One 4%
Live Code 3%
Vision Mobile Analysis of Cross-Platform Development, July 2015
11
Cordova�PhoneGap
Őġ!
PhoneGap#Adobeĩ"_nOAT¯!
�NqfL��
Cordova�´¯>q_pMqJ¤
by
2011ÑAdobeĩ�Nitobiĩ4ŕ¨PhoneGap#�Cordova�!
2009ÑNitobiĩ�PhoneGap4ŢĦ>q_pMqJňµ
�"Ĺĉ "�Ď�CordovaŢĦ!§¡
12
¬<pNq_j9KMEAP�MADP"E7fIgql���èģ
PhoneGap
Monaca
Sencha
MS Visual Studio
SAP Mobile Platform
IBM MobileFirstPlatform
�� ���������������������������
13
Cordova]mqdoqAŭiOS/AndroidŮ
�Àºª �
HTML5CSS
JavaScript
WebView
¨�¢�®¼� �
7_kCqHip[PCqI
¨�¢�®API
AndroidiOS
14
Cordova]mqdoqAŭWindows/Windows PhoneŮ
HTML5CSS
JavaScript
Chakra + EdgeHTML
7_kCqHip[PCqI
¸¾��³API
WindowsjpN9d
(WinRT)
16
2016 OWASP Mobile Top 10 Candidate
Improper Platform Usage
OSBQ���¶¹¢�|�P�|]JnAndroid�¾¢¾¤�«¿² �·¾|gdomKeychain|]Jzyn
Insecure Data Storage
$xzo£¿�k�|�J�6�vzo£¿�FDzyn
Insecure Communication
©¾¥����|gdo��oSSLª¿�·¾|�Jm>��t�wozoc�zyn
Insecure Authentication
[Y�G|���� �·¾OG|�lzyn
Insufficient Cryptography
�_t��~r£¿�{(vwm�%z>���Jn
Insecure Authorization
[��G|��n�¸��¾¤��¥x|[��G�m/�®¸��¾�zyn
Client Code Quality
�¿¥»°º|&U�lnª ��¿ª¿¼¿�<" �G|gdozyn
Code Tampering
ª�¦¹��º|;u��¹�¿���º| ?m�Mz´µ¹|;u�zyn
Reverse Engineering
ª�¦¹��ºp�|�¿��¿¥2�m�J¸�®¸¹��º�¹�³|7�zyn
Extraneous Functionality
ivª �¥�|#��m¹¹¿��¯¹{���w}oszo�´¾¤|Ezyn
17
Y9^kPU7_k"L@gkR8áÜ
• XPToqAś�– WebView/ŭbqI"Œ)ř)�
XHR�"AjaxŮ–X9R8^/ŭAndroid/iOSŮ
• WebView–^j:G<pIp"ŁÔÝ
• CordovaĄ�– Cordova"ŁÔÝ
• _jB9p–_jB9p"ŁÔÝ
• kZqJ<pIW7kpB–nIPA"ĚĖ-EqU"ñ�5
• MqJEqU–MqJEqU"ŁÔÝ
Cordova
7_kCqHip[PCqI
¨�¢�®X\{��&U
JavaScript{��&U
WebView
®¸���¾�¾|S-4
¨ ¤½¿�c�
¹ª¿��¾�§�¹¾�
¯¸��¾&U
¯¸��¾
19
Same-Origin Policy
Same-Origin Policy
Cordova�Đęħ!�ģ�1iOS"UIWebView-Android"WebView#file://_nTEl�Origin� ��0Same-Origin Policy#ŝģ�2 ��.���Content-Security Policy"çË�ÚŊ� 1�
����iOS 9 + Cordova iOS 4.0/�ģ��1�WKWebView�4ģ�1À�WebView"u�/Same-Origin Policy�ŝģ�21�+�FqZq�!CORS`POq4~v�1ÚŊ��1�
XPToqAś�!Î�1L@gkR8fSl
20
Access Origin�Allow Navigation
Access Origin
ŎË]69l(config.xmlŮ!�ōŚ�1��ĂZqIip.0Æ»�S]=lT# * ŭ�'�ŏªŮ "�ĕß�ÚŊ�<video>NB-WebSocketİ#�ť�2 ��+�Content Security Policy"�ģ�êÄ�21�
Allow Navigation
Cordova iOS/Android 4.0�s!Ð��2�L@gkR8fSl�Android#cordova-plugin-whitelist"Ð��ÚŊŭS]=lT�ķ)ř)ėŮ�WebView�ŞĬªĿ bqI4�ť�1�S]=lT#file:///ŢÅ�21ŭĭă�!Æ»�1ŮURL!V\DqHip4ŏª�1�
<access origin="http://example.com" /> <access origin="*" />
<allow-navigation href="http://example.com/*" />
XPToqAś�!Î�1L@gkR8fSl
21
Content Security Policy
Content Security Policy
HTML�!<meta>NB4ģ��ōŚ�1�KitKatŭAndroid 4.4Ů�Ť�.%iOS 7�Ť�ÎÛ����Crosswalk4ģ�1����Android 4.0�Ť�ÎÛªĿ�
<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *">
XPToqAś�!Î�1L@gkR8fSl
• gap://_nTElŭiOS"UIWebViewŮ.%https://ssl.gstatic.comŭAndroid�ÚŊŮ4ŏª�
• eval()ţô-9pj9pJAk_T4ĪĒ�
<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">
• CSS�JavaScript#®�>kIp","4ŏª�
• eval()ţô�9pj9pJAk_T,ŏª�
22
iOS Application Transport Security (ATS)
iOS Application Transport Security (ATS)
iOS"æ�L@gkR8¾ę�ÏĆħ!ŎË�ÚŪ¤�21yË�ATS�Ā¢"ÀHTTPś�#ŏª�2��TLS 1.2�s�ÚŪ�Cordova�#<access>ŊĶ,� #<allow-navigation>ŊĶ4çË�1��ATSŎË4ōŚ�1Info.plist]69l�sý��2�ŎË�ŝģ�21�
iOS 10�Ť"çË!ÎÛ�1�+�tō".�!<access>ŊĶ�åÕ�2��
XPToqAś�!Î�1L@gkR8fSl
<access origin='*' allows-arbitrary-loads-in-media='true' allows-arbitrary-loads-in-web-content='true' allows-local-networking='true' />
allows-arbitrary-loads-in-media• true"À�AV Foundation Frameworkĸĥ�Œ)ř*eS87!Î��éĺ�ť�ŌŦ�21�
allows-arbitrary-loads-in-web-content• true"À�WebView/Ń321kA<JT!Î��éĺ�ť�ŌŦ�21�
allows-local-networking• true"À�nq?lXPToqA!�1kMqJ!Î��éĺ�ť�ŌŦ�21�
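The three settings above (config.xml access/allow-navigation whitelist, the CSP meta tag, and the ATS exception attributes) can be checked mechanically. The following is an added example written for this transcript, not code from the slides or from the Cordova project: a small Node.js audit that parses the exact element and policy forms shown on the slides and reports the over-permissive ones (wildcard origins, plaintext http origins, ATS allows-* exceptions, and unsafe-inline / unsafe-eval / '*' in the effective script-src). The function names and the finding texts are assumptions; the parsing is regex-based on the element forms above, so a real config.xml should go through an XML parser.

```javascript
// Added example (not from the slides or from Cordova): audit whitelist, CSP and ATS settings.

// Constructed sample: the config.xml lines and the ATS <access> element from the slides.
const SAMPLE_CONFIG = `
<access origin="http://example.com" />
<access origin="*" />
<allow-navigation href="http://example.com/*" />
<access origin='*' allows-arbitrary-loads-in-media='true' allows-arbitrary-loads-in-web-content='true' allows-local-networking='true' />
`;

// The two CSP values from the slides: the default (strict) one and the loosened one.
const STRICT_CSP = "default-src 'self' data: gap: https://ssl.gstatic.com; style-src 'self' 'unsafe-inline'; media-src *";
const LOOSE_CSP = "default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'";

// Extract <access .../> and <allow-navigation .../> elements as { tag, attrs }.
function parseElements(xml) {
  const out = [];
  const elemRe = /<(access|allow-navigation)\b([^>]*)\/?>/g;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = elemRe.exec(xml)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1]] = a[2] !== undefined ? a[2] : a[3];
    out.push({ tag: m[1], attrs });
  }
  return out;
}

// Report wildcard and plaintext-http targets, plus every ATS exception switched on.
function auditWhitelist(xml) {
  const findings = [];
  for (const { tag, attrs } of parseElements(xml)) {
    const target = tag === 'access' ? attrs.origin : attrs.href;
    if (target === undefined) continue;
    if (target === '*') findings.push(`${tag}: wildcard '*' allows any origin`);
    else if (/^http:\/\//i.test(target)) findings.push(`${tag}: plaintext http target ${target}`);
    for (const [k, v] of Object.entries(attrs)) {
      if (k.startsWith('allows-') && v === 'true') findings.push(`${tag}: ATS exception ${k}=true`);
    }
  }
  return findings;
}

// Split a CSP string into { directive: [sources] }.
function parseCsp(csp) {
  const policy = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// script-src falls back to default-src when absent, so audit the effective list.
function auditCsp(csp) {
  const policy = parseCsp(csp);
  const findings = [];
  const scriptSrc = policy['script-src'] || policy['default-src'] || [];
  if ((policy['default-src'] || []).includes('*')) findings.push("default-src '*': every unlisted directive allows any origin");
  if (scriptSrc.includes('*')) findings.push("effective script-src '*': any origin may supply script");
  if (scriptSrc.includes("'unsafe-inline'")) findings.push("'unsafe-inline' in script-src: inline script and event handlers run");
  if (scriptSrc.includes("'unsafe-eval'")) findings.push("'unsafe-eval' in script-src: eval()/new Function allowed");
  if (!policy['default-src']) findings.push('no default-src: unlisted directives are unrestricted');
  return findings;
}

console.log('whitelist:', auditWhitelist(SAMPLE_CONFIG));
console.log('strict CSP:', auditCsp(STRICT_CSP));
console.log('loose CSP:', auditCsp(LOOSE_CSP));
```

Run with `node audit.js`. On the slide's sample the strict CSP produces no findings, the loosened CSP produces three (default-src '*', 'unsafe-inline', 'unsafe-eval'), and the whitelist produces seven (two wildcard origins, two plaintext http targets, three ATS exceptions).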
24
WebView"ŁÔÝ
ł£7P_SqT�Ń321iOS�Ĕ'�apOq"ÎÛ!�Æ�1Android�#HJRdEpcqXpT��1WebView�7P_SqT�2 �·ū��1�����Android 5/#�WebView�OS��0Ũ�2�Google Play Store4ś��ł£ħ!7P_SqT�21.�! ���
WebView"ŁÔÝ
iOS.%Android OS"ZqIip�H;7ŭ¬ĩWebF9T.0Ů
iPhone/iPad�#ĔŗħJdqK!w�{��Ŝ*�Android�#Ĵ¥ô�ZqIip4�t�
WebView!ŁÔÝ4æ�Android 4.3��"H;7#�Ĝ���Ŭ�ŭ20%Ů�
25
WebView"ŁÔÝ&"ÎÛ
Chromium4WebView����ģ��1.�!��FqU[qR8ňj9^jk��1
Crosswalk<pIp47_k!ķ)ř*���� Android 4�Ť�^j:G<pIp4þö!
�����ªĿ�
WebView"ŁÔÝ
27
Cordova!ţ�1ŁÔÝ"¿²
CVE-2015-5208 Apache Cordova iOS before 4.0.0 allows remote attackers to execute arbitrary plugins via a link.
CVE-2015-5207 Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods.
CVE-2015-5204 CRLF injection vulnerability in the Apache Cordova File Transfer Plugin (cordova-plugin-file-transfer) for Android before 1.3.0 allows remote attackers to inject arbitrary headers via CRLF sequences in the filename of an uploaded file.
CVE-2015-8320 Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value.
CVE-2015-5256 Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access restrictions via a crafted URI.
Cordova/_jB9p"ŁÔÝ
28
Google Play Store�"ÎÛ
ŁÔÝ"�1Cordova�ģ�/2��1À�Google Play Store!��Ţ�Ē�Ń321�
Google Play Store�"őùōz
https://support.google.com/faqs/answer/6325474?hl=ja
ğ»#Cordova Android 4.1.1����/2�[PCqI#7P_nqUuª�
Cordova"ŁÔÝ�Ħġ�1�}×,ÎÛ�ÚŊ! 1�epRVpJ��4õ�� ÚŊ��1�
Cordova/_jB9p"ŁÔÝ
29
kZqJ<pIW7kpB
Y9^kPU7_k"7LPT]69lŭHTML/JavaScriptİŮ#X9R8^EqU!Ep[9l�2��MqJEqU"Ğà�ĭă�!Čĵ�21�ěģ ōŚ4�Ŧ�1�+�EepT"�Ŧ-ũŒ¤ŭþŝ¤Ů4Ì÷�1���ā(���
.0Ŝ5�Îı���#�\lUú!ü«¤4Ń�ÌŃú!Ù«�1�FqU[qR8ň"ü«¤_jB9p4�ģ�1�Ù«!��@q#�kfqTFqZqİ"É� Àâ/©0��ÚŊ��1�
Cordova/_jB9p"ŁÔÝ
Monaca!�ì��217LPTü«¤_jB9p
https://ja.monaca.io/enterprise.html
30
uŊ _jB9p"Ŧ¦
Cordova°�7_kRp_mqT" ��Cordova Core Plugins�³$21¾Ą_jB9p
4�'�®č���1�Ìŧ!#�ģ��� �EqU�±(2��(��ŁÔÝ"ĘÒ!
1ªĿÝ��1�
Cordova/_jB9p"ŁÔÝ
Mohamed Shehab et al., Reducing Attack Surface on Cordova-Based Hybrid Mobile Apps, MobileDeLi 2014
PhoneGap"WebF9T!ëŘ�2���622
�"7_k!Î��"œĊŭ2014ÑŮ�#�
_jB9p"ķ)ř)�Ìŧ"�ģ!Ã�
Ţ��ŋ/2��1�
32
EqS9pB"çš
Cordova7_k"Ã¥#SPA¼��0�fZ9lWebF9T�Ĕ'�,JavaScript":;9T
�Ŭ��L@g7EqS8pBÎı���#HTML5°�"_jAR8J4ŝģ��1�
• hqGq� SqN"ZkSqHip
• ŝ� <JCq_�Ġ
• JavaScript9pI;AHip"¸ş
• API@q"ŝ� IJĠ
L@g7EqS8pB
33
<JCq_�Ġ
EpR@JT!Û��<JCq_�Ġ�ÚŊ��1��ŝ� ōŚ4Ń�"#¹ũ�
SPA]mqdoqA-Rp_mqT<pIp"èģ�ā(���
L@g7EqS8pB
<div onmouseover="${data1}">${data2}</div><a href="${data3}">link</a><iframe srcdoc="${data4}"></iframe>
Nishimura Muneaki et al., Y9^kPU7_kCqHip"ŁÔÝ!ţ�1�Ĉ 2015
tō"��#�'�"Áô!�"<JCq_�Ġ�ÚŊ
Z9pS8pB4FcqT�1]mqdoqA
-j9^jk
2-Way Binding4æ�,"
• Angular 1
• Angular 2
1-Way Binding4æ�,"
• React
Rp_mqT<pIp
• Handlebars
• Mustache
<JCq_�Ġ4ł��Ìņ�1"#¹ũ��1�+�
]mqdoqA4èģ�1���ā(���
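The template fragment quoted on the previous slide interpolates untrusted data into four different contexts: an event-handler attribute, element text, an href URL, and an iframe srcdoc. Each needs its own treatment, and the slide's point that a binding framework or template engine should do this for you is exactly because hand-written escaping gets the contexts wrong. The following is an added example, not code from the slides or from any framework: the same four slots rendered with context-specific encoding in plain JavaScript. The helper names (escapeHtml, safeHref, render) and the test inputs are constructed for this example.

```javascript
// Added example (not from the slides): context-aware output encoding for the
// four interpolation points <div onmouseover> / text / <a href> / <iframe srcdoc>.

// HTML text and attribute context: entity-encode the five significant characters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// URL context: entity encoding does not stop javascript:/data: schemes, so
// allow only http(s) absolute URLs, same-origin relative paths (not //host),
// and fragments; anything else becomes an inert "#".
function safeHref(s) {
  const v = String(s).trim();
  if (/^(https?:\/\/|\/(?!\/)|#)/i.test(v)) return escapeHtml(v);
  return '#';
}

// srcdoc context: the attribute value is first entity-decoded by the parser and
// then parsed again as a whole HTML document inside the iframe, so text that
// must stay text needs two rounds of HTML encoding. The sandbox attribute
// additionally keeps any markup that does get through from running script.
function srcdocText(s) {
  return escapeHtml(escapeHtml(s));
}

function render({ data1, data2, data3, data4 }) {
  // data1 sat inside onmouseover="..." on the slide. Untrusted data must never
  // be placed in a script or event-handler context, so it is rendered as a
  // data-* attribute that script can read back instead.
  return `<div data-tooltip="${escapeHtml(data1)}">${escapeHtml(data2)}</div>` +
         `<a href="${safeHref(data3)}">link</a>` +
         `<iframe sandbox srcdoc="${srcdocText(data4)}"></iframe>`;
}

// Constructed inputs exercising each context.
const SAMPLE = {
  data1: 'a" b',
  data2: '<b>bold</b>',
  data3: 'javascript:void(0)',
  data4: '<i>hi</i>'
};

console.log(render(SAMPLE));
```

Output for the sample: the quote in data1 is encoded inside the attribute, the tags in data2 are displayed rather than parsed, the javascript: URL is replaced by "#", and the iframe shows the literal text `<i>hi</i>` because the double-encoded value decodes to `&lt;i&gt;hi&lt;/i&gt;` inside the srcdoc document.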
34
§ļÞ¿�U@gepTİ
• CordovaU@gepT
– Security Guide
– Whitelist Guide
• OWASP HTML5 Security Cheat Sheet
• Y9^kPU7_kCqHip"ŁÔÝ!ţ�1�Ĉ – ʼnąÊû et al., Į14¸Þ¿īÇãń]=qjdŭ2014Ů