An Empirical Study of Web Resource Manipulation in Real-World Mobile
Total Page:16
File Type:pdf, Size:1020Kb
An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications Xiaohan Zhang, Yuan Zhang, Qianqian Mo, Hao Xia, Zhemin Yang, and Min Yang, Fudan University; Xiaofeng Wang, Indiana University, Bloomington; Long Lu, Northeastern University; Haixin Duan, Tsinghua University https://www.usenix.org/conference/usenixsecurity18/presentation/zhang-xiaohan This paper is included in the Proceedings of the 27th USENIX Security Symposium. August 15–17, 2018 • Baltimore, MD, USA ISBN 978-1-939133-04-5 Open access to the Proceedings of the 27th USENIX Security Symposium is sponsored by USENIX. An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications Xiaohan Zhang1,4, Yuan Zhang1,4, Qianqian Mo1,4, Hao Xia1,4, Zhemin Yang1,4, Min Yang1,2,3,4, Xiaofeng Wang5, Long Lu6, and Haixin Duan7 1School of Computer Science, Fudan University 2Shanghai Institute of Intelligent Electronics & Systems 3Shanghai Institute for Advanced Communication and Data Science 4Shanghai Key Laboratory of Data Science, Fudan University 5Indiana University Bloomington , 6Northeastern University , 7Tsinghua University Abstract built into a single app. For the convenience of such an integration, mainstream mobile platforms (including Mobile apps have become the main channel for access- Android and iOS) feature in-app Web browsers to run ing Web services. Both Android and iOS feature in- Web content. Examples of the browsers include Web- app Web browsers that support convenient Web service View [9] for Android and UIWebView/WKWebView for integration through a set of Web resource manipulation iOS [8, 10]. For simplicity of presentation, we call them APIs. Previous work have revealed the attack surfaces of WebViews throughout the paper. Web resource manipulation APIs and proposed several Based on WebViews, mobile systems further provide defense mechanisms. However, none of them provides app developers with Web resource manipulation APIs evidence that such attacks indeed happen in the real to customize browser behaviors and enrich Web app world, measures their impacts, and evaluates the pro- functionalities. For example, Android and iOS both have posed defensive techniques against real attacks. an API named evaluateJavascript that allows host apps This paper seeks to bridge this gap with a large-scale to inject JavaScript code into the Web pages and get empirical study on Web resource manipulation behaviors the result. However, these Web resource manipulation in real-world Android apps. To this end, we first define APIs lack origin-based access control, which means the problem as cross-principal manipulation (XPM) of application code can manipulate Web resources from all Web resources, and then design an automated tool named origins managed by the WebView through these APIs. XPMChecker to detect XPM behaviors in apps. Through For example, if a host app has a WebView which loads a study on 80,694 apps from Google Play, we find that “www.facebook.com”, then it can use evaluateJavascript 49.2% of manipulation cases are XPM, 4.8% of the API to run JavaScript in the Facebook Web pages and get apps have XPM behaviors, and more than 70% XPM user data from Facebook. As a result, this capability of behaviors aim at top Web sites. More alarmingly, we cross-origin manipulation would lead to severe security discover 21 apps with obvious malicious intents, such as and privacy threats to user data. stealing and abusing cookies, collecting user credentials Some previous work have discussed this kind of and impersonating legitimate parties. For the first time, threats in the context of integrating WebView to mobile we show the presence of XPM threats in real-world apps. apps. Luo et al. [32, 33] showed that malicious apps We also confirm the existence of such threats in iOS can attack WebView by injecting JavaScript code, apps. Our experiments show that popular Web service sniffing and hijacking Web navigation events [32], and providers are largely unaware of such threats. Our hijacking touch events at the Web pages [33]. Chen et measurement results contribute to better understanding al. [16] and Mohammed et al. [43] also demonstrated of such threats and the development of more effective OAuth protocol can be attacked by a malicious app. and usable countermeasures. Meanwhile, defensive mechanisms [41, 43, 20] have also been proposed to regulate the accesses from host 1 Introduction apps to Web resources. Despite the existing works, there lacks an empirical Nowadays, different Web services are usually integrated study to understand how severe this problem is in real- together to provide users with more flexible and powerful world. In fact, none of existing work provides evidences capabilities. These integrated services are mostly deliv- for the presence of such threats. Instead, they discuss ered to the mobile platform today, with multiple services the attacks conceptually. Furthermore, existing defensive USENIX Association 27th USENIX Security Symposium 1183 systems are evaluated with hand-crafted attack samples, XPM behaviors are necessary to improve the usability for without considering the special requirements in real- mobile users, some XPM behaviors implement OAuth world deployment. Overall speaking, lacking such an implicit flow in an unsafe way, and we confirm the Web empirical study may make us misunderstand the impact resource manipulation behaviors with obvious malicious of the problem and limit the practicalness of proposed intents for the first time in real-world Android apps solutions. and iOS apps. More specifically, we find apps can This paper seeks to perform a large-scale empirical abuse Web resource manipulation APIs to steal cookies, study on real-world apps to systematically understand collect user credentials and impersonate the identities the existence and impact of such threats. Since Android of legitimate parties, and a large number of users have apps are easy to be collected in a large volume and been affected. We also perform several experiments to Android platform dominates the mobile market, our test the awareness of such risks to service providers, empirical study is based on Android platform. and find that most Web service providers are unaware First, since not all manipulations cause security is- of these risks and can not effectively prevent users from sues, we need a clear definition about the threat in accessing sensitive pages in WebView. Finally, our Web resource manipulation. Inspired by the same- measurement results also actuate us to rethink existing origin policy in Web platforms, we define the threats defensive mechanisms and propose new suggestions for in Web resource manipulation as cross-principal future defense design. manipulation (XPM). In our definition, only manipu- In summary, we make the following contributions. lating code from a different principal to the manipulated • We define the threats in Web resource manipula- Web resource will be flagged as suspicious. tion as cross-principal manipulation (XPM), and Second, to allow measuring the Web resource manip- perform a large-scale study of such threats in real- ulation problem on a large scale, we further design a tool world apps. to automatically recognize XPM behaviors in real-world apps. The key challenges are that: there are multiple • We design an automatic tool which overcomes principals inside an app; there is no obvious way to several non-trivial challenges to identify cross- extract the principal of the manipulating code; it is hard principal manipulations in Android apps. to determine whether the principal of the manipulating code and that of the manipulated Web resource are the • We present new results and findings based on a same. Our proposed tool, named XPMChecker, features study of 80,694 apps. Our results provide strong several new techniques to automatically recognize XPMs evidences for the presence of XPM behaviors with in apps. Note that XPMChecker is not aimed to reliably obvious malicious intents in real-world apps, and detect all possible cross-principal manipulations. In- show that this problem is more severe than we think stead, it is designed for a large-scale measurement study. and exists in both Android and iOS. Our findings Thus, we do not consider a future attacker who tries to and evaluations on current defense mechanisms also evade XPMChecker. bring new insights for future defense design. Finally, we apply XPMChecker to analyze 80,694 apps from 48 categories in Google Play. Our evaluation 2 Web Resource Manipulation shows that XPMChecker achieves high precision and recall in recognizing XPM behaviors. To systematically This paper seeks to understand the threats of Web re- understand the threats of Web resource manipulation, source manipulation in real-world apps. Although this we conduct several experiments and studies from these kind of threats have been conceptually described in perspectives: the prevalence of the XPM behaviors, the existing work [32, 33, 43, 16], none of them system- breakdown of XPM behaviors, the awareness of such atically defines this problem. To support a large-scale risks to service providers and the implications to current measurement study, we need to clearly define the threats defenses. Our study leads to several insightful findings in Web resource manipulation. for the community to understand the impact of Web resource manipulation problem, confirms the threat of 2.1 Motivating Example XPM behaviors with real-world samples and calls into rethinking of existing defensive mechanisms. We use a motivating example