A Study on the Use of Mobile-Specific HTML5 Webapi Calls on The

A Study on the Use of Mobile-Specific HTML5 Webapi Calls on The

POLITECNICO DI TORINO Corso di Laurea in Computer Engineering Tesi di Laurea A Study on the Use of Mobile-specific HTML5 WebAPI Calls on the Web Relatore prof. Antonio Lioy Francesco Marcantoni Marzo 2019 Alla mia famiglia Summary The growth of smartphones diffusion in the last decade and the pervasiveness of the web in the current lifestyle pose the attention on the privacy and security of the users. While it is well known how browser-related data accessed during navigation can be used to harm the privacy of the user, this work aims to fill the knowledge gap concerning mobile-specific information retrieved by web-pages when visited from a smartphone. In particular this study focuses on Firefox browser for Android devices. To detect the number of websites that have access to mobile-specific information we propose a crawler called FFAutoma- tor, consisting in a Python script, that exploits the possibility to remotely control an Android device from the computer to instrument the browser and scrape the information we need from them. The script is able to open a new instance of the browser, load a website and simulate the user interaction with it. It take cares of injecting touch events corresponding to gestures on the touchscreen. We designed this program to be robust and to run for long time in order to analyze as many websites as possible. Plus, it was developed to successfully handle issues that can come up during simulation of web-navigation and that can compromise the results. An example is an unwanted redirection from the current website to an external one. Detection is done using a proxy server to intercept http traffic coming to the phones and to inject JavaScript code that can log whenever a method is called or a property is read by the website and the contained frames. To allowed code to be run in pages it was necessary to turn off some policies that are enforced by the browser to prevent external JavaScript code to run in it. We then elaborate the logs obtained after having crawled, through the script described before, the first 200k most popular websites according to Alexa ranking. Results are analyzed in a quantitative way, showing the number of websites that exploit APIs retrieving mobile-specific data and which of them are the most used. We also study the source of the JavaScript files that contain those APIs to look at the number of websites that execute external files to gather data. Given that, we differentiate the calls originated from frames and external sources from the one requested by main page. In this study we propose also e mitigation technique, to protect who browse the web from smartphones without affecting the user-experience. This consists in an extension that can be installed in Firefox browser for Android that detects all mobile-specific APIs accessing data from the smartphone and allows also the users to choose to block this data retrieval or not. Plus the user can create custom rules that applies only to some chosen domains and than the default settings applying for all the other pages. The technique used to detect APIs in the extension, is the same exploited for scraping for websites. JavaScript code is injected from external sources loaded in the extension and, being the extension considered a trusted source by the websites, there is not any problem related to security policies. 4 Contents 1 Introduction 8 1.1 Problem statement.................................... 10 1.2 Contributions....................................... 10 1.2.1 Analysis on websites exploiting HTML5 WebAPIs.............. 10 1.2.2 Mitigation technique............................... 11 1.3 Overview......................................... 11 1.4 Environment description................................. 11 2 Related Work 13 2.1 Android smartphones.................................. 13 2.2 Mobile web-browsing................................... 14 2.3 Browser functionalities.................................. 14 2.3.1 Firefox browser architecture........................... 15 2.3.2 Vulnerabilities overview............................. 17 2.3.3 Usage of HTML5 API.............................. 17 2.4 Sensors access in Android mobile devices and related vulnerabilities........ 19 2.5 Browser extensions.................................... 19 3 Approach 21 3.1 HTML5 Mobile Functions selection........................... 21 3.2 JavaScript Calls Interception.............................. 22 3.2.1 Native code interception............................. 22 3.2.2 HTTP response interception.......................... 23 3.3 Injected Code....................................... 23 3.3.1 Hooking methods................................. 23 3.3.2 Hooking properties................................ 23 3.3.3 Getting source of the JavaScript file...................... 24 3.4 Proxy Server....................................... 24 3.4.1 Buffering prevention............................... 25 3.4.2 Injection...................................... 25 3.5 System calls interception................................. 26 3.6 Preliminary Tests..................................... 26 3.6.1 Results...................................... 28 3.6.2 Why Firefox................................... 28 5 4 Web Navigation Automation 29 4.1 Interfacing smartphones with the computer...................... 29 4.2 Instrumenting Touch Gestures.............................. 30 4.2.1 Interaction with the device........................... 30 4.2.2 Simulating navigation.............................. 32 4.3 Logs Structure...................................... 33 4.4 The Program....................................... 34 4.4.1 Structure..................................... 34 4.4.2 Visiting websites................................. 34 4.4.3 Logs saving.................................... 35 4.4.4 Number of gestures injected........................... 35 4.4.5 Cleaning the environment............................ 36 4.4.6 Files saving.................................... 37 4.5 Issues in automatic browsing.............................. 37 4.5.1 Redirection to external websites........................ 37 4.5.2 Permissions acceptance............................. 39 4.5.3 Malicious websites................................ 41 4.5.4 Unreachable websites............................... 42 4.5.5 Loading time................................... 42 4.5.6 Unhandled corner cases............................. 43 5 Results 44 5.1 Usage analysis...................................... 44 5.1.1 Correspondence with Android calls....................... 45 5.1.2 Distribution.................................... 45 5.2 Sources of the calls.................................... 49 5.2.1 iframes...................................... 49 5.2.2 Analysis of sources................................ 49 6 Extension 52 6.1 Why an extension.................................... 52 6.2 Architecture........................................ 54 6.2.1 Content script.................................. 54 6.2.2 Dynamic extension page............................. 55 6.2.3 Local storage................................... 55 6.3 Programmer manual................................... 55 6.3.1 Permissions.................................... 56 6.3.2 Per website customization............................ 57 6.3.3 Content script (injector.js)........................... 58 6.3.4 Injected code................................... 61 6.3.5 Extension pop-up................................. 63 6.4 User Manual....................................... 68 6.4.1 Installation guide................................. 68 6.4.2 User Interface................................... 69 6 7 Conclusion 71 7.1 Future works....................................... 71 A FFAutomator manuals 73 A.1 User manual........................................ 73 A.1.1 Prerequisites................................... 73 A.1.2 Input....................................... 73 A.1.3 Output...................................... 74 A.1.4 Google SafeBrowsing API............................ 75 A.2 Programmer manual................................... 75 A.2.1 Environment setup................................ 75 A.2.2 Main loop..................................... 77 A.2.3 Functions..................................... 79 Bibliography 92 7 Chapter 1 Introduction Usage of smartphones among population constantly increased in the last ten years. In the United States, almost the totality of mobile phone owners has a smartphone [1]. Among all the function- alities offered by those devices, one of the most employed is web browsing. For the first time, in 2016, internet traffic generated from mobile devices overcame the one produced by desktop com- puters worldwide [2] and in 2016 56% of traffic to top-sites in the United States came from mobile devices [3]. The main factors that influenced this trend are the improvements in communication technology (e.g. the introduction of fast mobile internet connections), the development of web browsers offering now features comparable to the desktop ones and the improvement in smart- phone usability (e.g. the implementation of practical gestures and the usage of bigger screens) [4]. Moreover, smartphones constantly monitor their status and are always aware of what is hap- pening around them. This is possible thanks to the capability of those devices of retrieving information from the surrounding environment (using, for example, the ambient light sensor or the microphone) and from their status, as speed or orientation (using for example gyroscope, accelerometer and GPS). While this characteristic

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    95 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us