Analyzing Android browser apps for file:// vulnerabilities

Daoyuan WU; Rocky K. C. CHANG

doi:10.1007/978-3-319-13257-0_20

Analyzing Android browser apps for file:// vulnerabilities

Daoyuan WU, Rocky K. C. CHANG

Research output: Book Chapters | Papers in Conference Proceedings › Book Chapter › Research › peer-review

9 Citations (Scopus)

Abstract

Securing browsers in mobile devices is very challenging, because these browser apps usually provide browsing services to other apps in the same device. A malicious app installed in a device can potentially obtain sensitive information through a browser app. In this paper, we identify four types of attacks in Android, collectively known as File- Cross, that exploits the vulnerable file:// to obtain users’ private files, such as cookies, bookmarks, and browsing histories. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them are vulnerable to the attacks. Among them are the popular Firefox, Baidu and Maxthon browsers, and the more application-specific ones, including UC Browser HD for tablet users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these browsers further shows that 26 browsers (23%) expose their browsing interfaces unintentionally. In response to our reports, the developers concerned promptly patched their browsers by forbidding file:// access to private file zones, disabling JavaScript execution in file:// URLs, or even blocking external file:// URLs. We employ the same system to validate the ten patches received from the developers and find one still failing to block the vulnerability.

Original language	English
Title of host publication	Information Security: 17th International Conference, ISC 2014, Hong Kong, China, October 12-14, 2014, Proceedings
Editors	Sherman S.M. CHOW, Jan CAMENISCH, Lucas C. K. HUI, Siu Ming YIU
Publisher	Springer, Cham
Pages	345-363
Number of pages	19
ISBN (Electronic)	9783319132570
ISBN (Print)	9783319132563
DOIs	https://doi.org/10.1007/978-3-319-13257-0_20
Publication status	Published - 20 Nov 2014
Externally published	Yes

Publication series

Name	Lecture Notes in Computer Science
Volume	8783
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Bibliographical note

Publisher Copyright:
© Springer International Publishing Switzerland 2014.

Access to Document

10.1007/978-3-319-13257-0_20

Cite this

WU, D., & CHANG, R. K. C. (2014). Analyzing Android browser apps for file:// vulnerabilities. In S. S. M. CHOW, J. CAMENISCH, L. C. K. HUI, & S. M. YIU (Eds.), Information Security: 17th International Conference, ISC 2014, Hong Kong, China, October 12-14, 2014, Proceedings (pp. 345-363). (Lecture Notes in Computer Science; Vol. 8783). Springer, Cham. https://doi.org/10.1007/978-3-319-13257-0_20

@inbook{9cd84281c72b437cb40add1393b183b0,

title = "Analyzing Android browser apps for file:// vulnerabilities",

abstract = "Securing browsers in mobile devices is very challenging, because these browser apps usually provide browsing services to other apps in the same device. A malicious app installed in a device can potentially obtain sensitive information through a browser app. In this paper, we identify four types of attacks in Android, collectively known as File- Cross, that exploits the vulnerable file:// to obtain users{\textquoteright} private files, such as cookies, bookmarks, and browsing histories. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them are vulnerable to the attacks. Among them are the popular Firefox, Baidu and Maxthon browsers, and the more application-specific ones, including UC Browser HD for tablet users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these browsers further shows that 26 browsers (23\%) expose their browsing interfaces unintentionally. In response to our reports, the developers concerned promptly patched their browsers by forbidding file:// access to private file zones, disabling JavaScript execution in file:// URLs, or even blocking external file:// URLs. We employ the same system to validate the ten patches received from the developers and find one still failing to block the vulnerability.",

author = "Daoyuan WU and CHANG, \{Rocky K. C.\}",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing Switzerland 2014.",

year = "2014",

month = nov,

day = "20",

doi = "10.1007/978-3-319-13257-0\_20",

language = "English",

isbn = "9783319132563",

series = "Lecture Notes in Computer Science",

publisher = "Springer, Cham",

pages = "345--363",

editor = "CHOW, \{Sherman S.M.\} and Jan CAMENISCH and HUI, \{Lucas C. K.\} and YIU, \{Siu Ming\}",

booktitle = "Information Security: 17th International Conference, ISC 2014, Hong Kong, China, October 12-14, 2014, Proceedings",

}

Analyzing Android browser apps for file:// vulnerabilities. / WU, Daoyuan; CHANG, Rocky K. C.
Information Security: 17th International Conference, ISC 2014, Hong Kong, China, October 12-14, 2014, Proceedings. ed. / Sherman S.M. CHOW; Jan CAMENISCH; Lucas C. K. HUI; Siu Ming YIU. Springer, Cham, 2014. p. 345-363 (Lecture Notes in Computer Science; Vol. 8783).

Research output: Book Chapters | Papers in Conference Proceedings › Book Chapter › Research › peer-review

TY - CHAP

T1 - Analyzing Android browser apps for file:// vulnerabilities

AU - WU, Daoyuan

AU - CHANG, Rocky K. C.

N1 - Publisher Copyright: © Springer International Publishing Switzerland 2014.

PY - 2014/11/20

Y1 - 2014/11/20

N2 - Securing browsers in mobile devices is very challenging, because these browser apps usually provide browsing services to other apps in the same device. A malicious app installed in a device can potentially obtain sensitive information through a browser app. In this paper, we identify four types of attacks in Android, collectively known as File- Cross, that exploits the vulnerable file:// to obtain users’ private files, such as cookies, bookmarks, and browsing histories. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them are vulnerable to the attacks. Among them are the popular Firefox, Baidu and Maxthon browsers, and the more application-specific ones, including UC Browser HD for tablet users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these browsers further shows that 26 browsers (23%) expose their browsing interfaces unintentionally. In response to our reports, the developers concerned promptly patched their browsers by forbidding file:// access to private file zones, disabling JavaScript execution in file:// URLs, or even blocking external file:// URLs. We employ the same system to validate the ten patches received from the developers and find one still failing to block the vulnerability.

AB - Securing browsers in mobile devices is very challenging, because these browser apps usually provide browsing services to other apps in the same device. A malicious app installed in a device can potentially obtain sensitive information through a browser app. In this paper, we identify four types of attacks in Android, collectively known as File- Cross, that exploits the vulnerable file:// to obtain users’ private files, such as cookies, bookmarks, and browsing histories. We design an automated system to dynamically test 115 browser apps collected from Google Play and find that 64 of them are vulnerable to the attacks. Among them are the popular Firefox, Baidu and Maxthon browsers, and the more application-specific ones, including UC Browser HD for tablet users, Wikipedia Browser, and Kids Safe Browser. A detailed analysis of these browsers further shows that 26 browsers (23%) expose their browsing interfaces unintentionally. In response to our reports, the developers concerned promptly patched their browsers by forbidding file:// access to private file zones, disabling JavaScript execution in file:// URLs, or even blocking external file:// URLs. We employ the same system to validate the ten patches received from the developers and find one still failing to block the vulnerability.

UR - https://www.scopus.com/pages/publications/84921745200

U2 - 10.1007/978-3-319-13257-0_20

DO - 10.1007/978-3-319-13257-0_20

M3 - Book Chapter

AN - SCOPUS:84921745200

SN - 9783319132563

T3 - Lecture Notes in Computer Science

SP - 345

EP - 363

BT - Information Security: 17th International Conference, ISC 2014, Hong Kong, China, October 12-14, 2014, Proceedings

A2 - CHOW, Sherman S.M.

A2 - CAMENISCH, Jan

A2 - HUI, Lucas C. K.

A2 - YIU, Siu Ming

PB - Springer, Cham

ER -

Analyzing Android browser apps for file:// vulnerabilities

Abstract

Publication series

Bibliographical note

Access to Document

Other files and links

Fingerprint

Cite this